Recent content by ramriot

  1. ramriot

    New User I Have Questions

    From the above discussions I wonder if you have completely understood the core aspects of SQRL? This may help: https://onedrive.live.com/view.aspx?resid=86B915ACE9C0D278!6621&ithint=file%2cdocx&authkey=!AA_TeK2aUL4iDrA
  2. ramriot

    How can I "ALWAYS verify the website domain"?

    If I may summarise, SQRL used in same device mode (click, tap, NOT scan) with Client Provided Session CPS active is reasonably immune from simple phishing attacks & will inform you right away should an attacker be doing so That said it is not a perfect solution as any attack that can alter your...
  3. ramriot

    Changing SQRL Password - do I have to do it on every instance?

    Except most platforms that use such biometric local authentication do so via a secure enclave & not inside any client software. This means that the biometric is not stored anywhere the main system can get hold of it & the enclave mediates access to decryption keys upon presentation of valid...
  4. ramriot

    Problem with "Dummy" QR Code

    BTW discussion elsewhere on Dummy QR codes, my position is there is a standard for that >> https://sqrl.grc.com/threads/maybe-we-should-invent-an-official-place-holder-qr-code-for-sqrl.1098/post-9176
  5. ramriot

    Maybe we should "invent" an official Place Holder QR Code for SQRL?

    I suggest that if we ever need a dummy QR for a placeholder then we follow long standing practice of using example.com etc ( https://en.wikipedia.org/wiki/Example.com ) say of a QR code for the string "sqrl://example.com/sqrl?nut=StaticDummyNutValue"
  6. ramriot

    Websites that could use help adopting SQRL

    This is not necessarily true, SQRL is completely independent of traditional username & password authentication. There is no implied intention for the earlier method to exist on any site using SQRL. All that is required is for the site to be able to associate in either a 1:1, 1:Many, or Many:1...
  7. ramriot

    Hardware hackers, here's your chance to make a SQRL dongle of some sort

    This is correct, I toyed with this idea a while back. My chosen solution was to use flash memory on the device to store a portable client app & the encrypted identity file, then use a very cheap secure memory card/chip to store the decryption key that our EnScrypt function outputs on the PC...
  8. ramriot

    scrypt ASICs

    Bottom line here is the proportion of how much it costs to get a certain quantity of Hashes per Second. Choice of hash function or memory hard parameters determines how cost efficient a certain technology will be. For comparison SHA256 (A la Bitcoin) the normalised ratios of CPU / GPU / ASIC...
  9. ramriot

    The Xenforo plugin doesn't have a way for a user to recover from lost identity

    An interim step might be to allow a many-to-one relationship to exist to additional authentication keys can be added. This would be via the existing 'connected accounts' page and allow an already authenticated user to add a new SQRL site identity even if security prohibits a removal for now. I'm...
  10. ramriot

    The Xenforo plugin doesn't have a way for a user to recover from lost identity

    OK, I just had a look around at the account management on Xenforo concerning SQRL & the basically is none. I have a usename & password as well as SQRL, I have no checked hardlock OR sqrlonly and yet I cannot remove the existing SQRL association the prelevent page even says (Disassociation of a...
  11. ramriot

    The Xenforo plugin doesn't have a way for a user to recover from lost identity

    If you have not set hardlock OR sqrlonly, then provided you have alternate means of authentication (Username & Password, Beg Steve) you SHOULD be able to add a new SQRL association & or remove the old one. The plugin SHOULD be offering this facility for users with the appropriate setup (I'm...
  12. ramriot

    The Xenforo plugin doesn't have a way for a user to recover from lost identity

    No, lose your keys & you will need to call in a locksmith then prove to their satisfaction that its your property Which is exactly the situation if you mess up with SQRL or any important site, where you will need to prove offline as to who you are, ever tried to prove to Google who you are to...
  13. ramriot

    Unable to diassociate old SQRL identity

    This demonstrates to me that you perhaps did not set up that identity correctly otherwise you would have had the IUK backed up offline. This is unfortunately how we learn. Best option is for you to fall to your knees & pray to @Steve for redemption.
  14. ramriot

    The Xenforo plugin doesn't have a way for a user to recover from lost identity

    Plus if you are using SQRL correctly this should not happen as identity recovery after a breach is built in to the protocol
  15. ramriot

    Is the "kiosk-scenario" a realistic one?

    Just clarifying, many online services maintain the state of authentication via session records, Logging out will often just delete that record server side rendering the local session cookie useless. A kiosk attacker (after the fact) wishing to use left behind session cookies will be thwarted...