#sqrl — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #sqrl, aggregated by home.social.
-
@lwinkler @kuketzblog Here is a post relevant to the topic on both the technical and legal side: https://security.stackexchange.com/questions/226256/is-there-a-standard-for-otps-tied-to-transaction-details-that-has-been-implemen
Consequently, the question would probably be whether/when banks discover #sqrl or #webauthn for #psd2.
-
@timbray This is why I like #SQRL
https://en.wikipedia.org/wiki/SQRL better. Sure, instead of using a standard protocol, he used a custom one so he didn't have to trust browser manufacturers not to trash the extension API to lock out non-proprietary implementations, or standard web service library implementations not to have security flaws that undermine the whole thing. I thought it was a poor choice at first because it would be harder to implement, but now, it seems prescient.
-
@btaroli I agree that #SQRL has a lot of potential.
I am not as keen on the fact that it uses a single private key as the basis for everything and that it has a full custom protocol rather than a simple REST API, but these are not fatal flaws.
Whereas the #Passkeys attestation feature seems like a recipe for abuse, allowing incumbents to insist on proprietary platforms. The lack of ability to transfer keys between major platforms in something that is supposed to be interoperable is disturbing.
-
I wonder how hard it'd be to get SQRL to load rules from a database? Currently it seems to be all based around filesystems and pre-compiled files.
I guess this makes sense in systems where you track all the changes in git and automatically deploy the service, but I'm not sure that's suitable for all environments?
-
@arstechnica so this is more about the Google Authenticator specific synching mechanism as a #security risk than any inherent #TOTP problem.
I get why there's a reference to #FIDO2, but I'd much rather use #SQRL than something that locks users to a specific, (probably) untrustworthy, provider.
-
@sweis from what I've heard on SecurityNow, there's a HUGE drawback... dependency on a provider, and they are non-interoperable. Sure there's a standard, but you can't move your account, so you're locked into either Apple or Google, or worse, both at the same time, and you have to trust them.
As odd a duck as #SQRL is, it sounds like a much better system and what FIDO was originally trying to be, when they gave up on forcing the use of physical tokens.
Cc: @leo
-
@sjanes @pcrock I had forgotten about #sqrl and have been waiting for #webauthn to gain traction. Given the heavyweights behind webauthn, that seems like the standard that has a better chance, for better or worse. Recovery will always remain a challenge for the general user. Either way, I hope we get something better than passwords soon (though I've been very happy with #bitwarden_rs in the meantime).
-
So as a follow up to anyone that's interested, I've had some feedback from Karol Babioch (@kbabioch) author of https://docplayer.net/53523762-Fakultat-fur-informatik-security-analysis-and-implementation-of-the-sqrl-authentication-scheme.html (thanks @erAck for sharing) who also worked with the SQRL team.
In short, #SQRL sounded cool when it was conceived 5 years ago, but it never lifted off. Nowadays, there are more mature standards backed by bigger companies to achieve strong lone factor authentication.
So take a look at #FIDO (https://fidoalliance.org/about/what-is-fido/), and related #U2F and #WebAuthn.
-
From that thesis (I have yet to finish it), there's a link to the open newsgroup where people interested in #sqrl can and have been discussing. Although it's hosted by Gibson Research, the discussions there could be proof of good will.
-
@Naughtylus
This might be interesting, a bachelor's thesis:
Security Analysis and Implementation of the SQRL Authentication Scheme
https://docplayer.net/53523762-Fakultat-fur-informatik-security-analysis-and-implementation-of-the-sqrl-authentication-scheme.html
#SQRL
-
@Naughtylus
What makes me wonder is that it's five years old, yet it gained no traction and no actual implementation picked it up for real; other than proof-of-concept server and client implementations and kalaspuffar's app on F-Droid, it seems not to have been adopted.
#SQRL