I wanted to write a quick post to draw your attention to SQRL – pronounced “Squirrel”, short for Secure QR Login.
Steve Gibson from the Gibson Research Corporation (GRC) has come up with SQRL as a potential solution of the ongoing problems associated with using user names and passwords to authenticate to web sites. We have all seen lots of stories in the last couple of years of large web sites being hacked and having their users credentials stolen – some have been encrypted others not, either way it’s not a good thing.
If you add to this that many people will use the same password (usually not a strong password either) on different sites and even more commonly people will use the same user id on multiple sites (e.g. your email address) there are lots of issues with good old username/password authentication techniques that need to be improved upon.
In my opinion from what I’ve seen and heard SQRL seems to go a long way to fixing many of the short comings of existing approaches. From the end users point of view it appears to work almost like magic. By using your smartphone you can scan a QR code from a website and “hey presto” you are automatically logged on.
Screen capture from GRC SQL main page
From a security perspective it is far more secure than traditional username/password techniques and has a number of added advantages too such as out of band authentication (e.g. via your smartphone) and complete anonymity (if you want it).
I am not going to go into the details of SQRL here. Steve does a great job of that on his GRC pages, but I’d encourage you to go and take a look there and then listen to the Security Now podcast where Steve introduces SQRL. Here’s the abridged version for the time poor among us:
It took me a few listens and a bit of reading the site to get my head around it, I am no security or crypto expert (it’s more of a hobby for me) but I think this is very promising (and pretty cool too). The next step for SQRL is to gain adoption. I want to raise awareness of SQRL in the SAP security community here on SCN by writing this post.
I’d love to hear your thoughts in the comments below. What about an SAP ABAP or JAVA server side implementation of SQRL? (DemoJam entry anyone!) 😎
“SQRL – you’d be nuts not to use it!”