Creating an SQRL Identity:
Introduction to SQRL:
Installing SQRL on Android:
> I'm surprised no reactions yet to these videos.

I don't recall seeing the first one.
> They're awesome Adam.

I concur.
> I'm surprised no reactions yet to these videos. They're awesome Adam. You are to be commended! You saved the best for last. The last 30 seconds of the last video are the "killer app" portion.

Well done Adam! I want a forum I frequent to be able to use this asap. It would be very cool.
> If there is a key logger, it has all of the important information, it seems.

Well the assumption would be that it wasn't there when you created the identity, but was added (by a jealous soon to be ex-partner for example) at some point later. But yes, if you have that issue, you probably have much larger [financial] problems.
> What is the point of using SQRL to log into websites if you have to also enter the first four characters of your master password? I thought the whole point of the protocol was to set up your identity, then you can use the SQRL app from your mobile device to take a snapshot of the website's QR code and it would automatically log you in. You should NOT have to enter the first four characters of your password. Watching the two videos above, Adam clearly enters the first four characters of his password with two different identities a couple of times. Am I missing something? Is there an option to not have to enter those first four characters? If not, I don't see how this process eliminates passwords entirely.

When I make an ATM withdrawal and then try to make a second withdrawal in the same session, it asks for my PIN again. This is to make sure that it is still me and not that I drove away without logging out and now someone else is requesting the second withdrawal. The use of the quick pass is just like that, except that, for convenience, you don't have to enter the entire password again. As has been pointed out repeatedly, you control how many characters the quick pass uses and you can set it to 1 if you choose. The intent is to provide a Secure Quick Reliable Login that gives web sites no secrets that they have to protect, not to leave the keys on the dashboard.
Biometrics can be used (on mobile clients) and one can set it to only require one character (on desktop and mobile). The reason for it is security: you don't want someone to be able to log into sites as you if they take your phone from you, or sneak into your room and onto your desktop computer while you are fetching another cup of coffee. Also the GRC client (Windows desktop) encrypts the master key in memory and actually requires the QuickPass to decrypt it, that way capturing the memory with the master key is hard.
> Yeah no.. You shouldn't have to enter even one character. That's still a pain in the ass in my mind.

Ah, the eternal struggle to find the perfect compromise between security and convenience. Perhaps a new client, or a new client version, will one day allow 0 rather than 1. For today, if typing a single character represents too great an obstacle, perhaps SQRL is not the solution you are looking for. Thank you for your interest and support.
Yeah well, regardless, the protocol was touted as not having to provide a password when logging into websites. In fact, that's not technically true, if you have to enter a password (or a portion of it) to log into a site. I was under the impression that after setting up the identity, you could navigate to a website on a desktop such as amazon.com, open up your SQRL app on your iPhone, hold the camera up to the QR code on Amazon's login page, scan the QR code and be logged into my account. Adding the step of having to enter a portion of your password is not really a benefit over using LastPass to autofill my Amazon credentials. Take away that step and I'd use it. Otherwise it's just another way of logging into a website. Granted, using SQRL has the benefits of websites not storing any credentials, but having to type in a portion of the password in my mind defeats the purpose of convenience. You should only have to set up an identity and that's it. You shouldn't have an extra step of having to type a portion of your password every time you want to log in.
> touted as not having to provide a password when logging into websites

I think you misunderstood what was on offer. It eliminates giving a password to a site to protect, not eliminating the use of good security practices. SQRL provides you with a "digital identity" and the current client requires proof that the human using the digital identity is the "correct" human. A different client could be made to work differently if the compromise in security was acceptable to its user base.
> I have the Android SQRL client. Does it support biometrics?

I believe it does if your Android OS is Android P (or later.) (I have not personally tried.) I believe you need to supply your password for the first time, then as long as your QuickPass is enabled it will use the biometric instead if possible. (You will need to configure your QuickPass duration... the maximum is 1 week or something like that.) There is a forum for the Android client, you should check out some of the posts there.