Recent content by JJasonClark

  1. JJasonClark

    Node.js package sqrl-protocol update

    I have released an update to the server side SQRL protocol handler package at https://www.npmjs.com/package/sqrl-protocol. In this release I changed the `createUrls` method for the more common `createNut` method. `createNut` to start an authentication session with a new nut `process` to...
  2. JJasonClark

    Common or Best Practice for login form?

    How does this look for the login button? This was made with this <a id="sqrlLink"><img src="/SQRL_icon_vector_outline.svg"><span>Sign in with SQRL</span></a> #sqrlLink { display: flex; margin: 0.8rem; padding: 0.1rem; background-color: #007CC3; border: 2px solid black...
  3. JJasonClark

    Common or Best Practice for login form?

    Has anyone thought about a common layout for the SQRL login or sign up forms? Something that is easily recognizable by the user? Such as where and how big to show the QR code, or the polling timeout text, or the placement of the icon, etc. I know there is a common icon image set. What about font...
  4. JJasonClark

    Websites that could use help adopting SQRL

    The SQRL protocol requires HTTPS. So localhost testing doesn't work. You will need to create a cert somehow to test in local development. I've both created a self-signed cert and used a Let's Encrypt cert. I highly recommend you go with the Let's Encrypt cert as it easily works on all...
  5. JJasonClark

    Websites that could use help adopting SQRL

    I have implemented a NodeJs based server side authentication package and sample web site. This might help in your effort. The sample site is listed as one of the demo sites in the main list. And the package is https://www.npmjs.com/package/sqrl-protocol
  6. JJasonClark

    Extra parameters in sqrl:// link

    Yes, this is what I was thinking of. And I would assume that you would want to use a known vending machine company. I admit I don't know much about vending machines outside my own area. The ones around here are mostly from the same companies. Good security practices are still needed. People can...
  7. JJasonClark

    Extra parameters in sqrl:// link

    Yep. As far as I can tell there are no new security issues. A stale nut returns 0x20 and a used nut returns 0x20. Both still create a new return nut value that includes the hmac of the previous (stale/used nut) request. Also Steve's client properly handles this case and is still able to identify.
  8. JJasonClark

    Extra parameters in sqrl:// link

    I was really hoping this was the case. I've been thinking about the IoT uses for the SQRL protocol. Most of the things I can come up with would be easier with at least 1 other generic parameter to be included in the initial request to the SQRL server. For example: Imagine a vending machine with...
  9. JJasonClark

    Extra parameters in sqrl:// link

    Are extra parameters supported in the SQRL protocol link? For example… sqrl://sqrl.example.com/stuff?x=5&nut=abc123&state=private I know x and nut are supported, but what about state? Is there any parameter supported for extra data if it's not named state?
  10. JJasonClark

    Release of package for server side via NodeJs

    Happy to announce the release of a package to handle the SQRL protocol at https://www.npmjs.com/package/sqrl-protocol. It is pre version 1.0 while I work on tests and documentation. It is fully functional. And I have used the package to add SQRL login to 3 different websites using the various...
  11. JJasonClark

    SQRL and self-sign certificates

    My sample site built with NodeJs and Express uses self signed certs. https://github.com/jjasonclark/sqrl-min-auth I use the url https://self.test:3000
  12. JJasonClark

    Must nuts be random?

    I absolutely love this idea and my implementation supports this now.
  13. JJasonClark

    Must nuts be random?

    Well shoot! I was hoping to avoid some database back and forth to set a nut. Right now I have to go through a process that might take a bit of time depending on how unlucky I am with random nut generation. The process is Create random nut Try to save it in the DB If fail because of uniqueness...
  14. JJasonClark

    Must nuts be random?

    An always advancing counter could handle this requirement. (I think Steve does this + Blowfish) Could this be mitigated by signing or encrypting the predictable nut? The attacker could know the next nut value, but wouldn't know the final value the user would be using.
  15. JJasonClark

    Must nuts be random?

    I’m wondering what kind of attacks can actually be done if an attacker can always predict what the next nut will be. The only attacks I can think of caused by predictable nuts might be denying users the ability to log in via off device method. The attacker could, before the user can, issue an...