Account options


Robert

Member
Jun 23, 2019
11
1
Thank you for this app!

I have a question about the Account options.

After I've logged in to https://www.grc.com/sqrl/demo.htm, if I scan the QR code there are four Account options: unlock account, lock account, remove account, and alternative identity. I think I understand the last two, but not the first two. I've done some searching, but haven't been able to find an explanation for them. Could you please let me know how these two options work?

Thank you.

Robert
 

PHolder

Well-known member
May 19, 2018
918
124
Lock and unlock are options to prevent the use of the account. When you lock it, no one will be able to log in/use it until you unlock it. This is a safety feature that should virtually never need to be used. The premise is that someone has somehow stolen your identity. You're not at home when you learn of this, so you do not have access to your recovery code, stored safely at home (or in a safety deposit box, or similar.) So what you do is lock the account. You don't need the recovery code to do the lock operation. Now no one, not even you, can use it until you unlock it. You won't be able to unlock it without the recovery code. So when you finally get home, you can use your recovery code to rekey your identity (again, something that almost no one should ever actually have to do) and then you can unlock it and regain access with your newly rekeyed identity.

Key points:
- to lock, you need to visit each and every site you wish to lock against misuse
- to rekey, you need to visit each and every site you have used the identity with to update it with the new identity

Because of the amount of work involved in these operations (if SQRL becomes widely adopted and one were to use it at many sites), it is STRONGLY recommended that you do not lock or rekey unless you have a good/reasonable reason to do so.
 

Robert

Member
Jun 23, 2019
11
1
Thanks very much for the detailed explanation, and for the recommendation. Those are excellent safety features.

A few more questions:

When comparing the Android account options and the Windows authentication options, do I assume correctly that the Android "Lock account" and the Windows "Disable all use of SQRL identity for authentication at this site." mean the same thing? And that "Remove account" and "Remove SQRL identity from site." also mean the same thing?

If the above is true, then if you select the Disable option in the Windows app, how do you Enable (or Unlock) the SQRL identity on that site?

Thank you.
 

PHolder

Well-known member
May 19, 2018
918
124
I have not really used the Android app, to be honest, so you'd be best to ask some questions over in the forum dedicated to that client. (Edit: And then I realized where I was actually posting *blush*. The forums UI needs to show the "breadcrumbs" at the top at all times, to remind one where they're posting.)

I have also never played with the lock/unlock, because, as I said, it is something almost no one should ever have need of.

My best guess would be you would attempt to authenticate at a site where you had done the disable, and then the client would realize this, and offer you the option to make a recovery.

As I understand it, SQRL is all about authentication, but the account management implementation has some flexibility for individual sites to apply some personality. Accordingly, how it works precisely on each site that implements SQRL may vary slightly.
 

kalaspuffar

Well-known member
May 19, 2018
269
91
Sweden
coderinsights.com
Hi @Robert and @PHolder

First, to answer Robert's question: yes, the options are equal. Behind the scenes the commands are called disable, enable and remove.

If you lock the account by any means from any client, you use your password in the client. And if you supplied the option in the client to indicate to the server that only SQRL login should be allowed, and that is honored, then the account is totally locked until you unlock (enable) it.

If you visit the site and try to log in, the Android client will tell you that the account is locked. If you then choose the option to unlock, you need to supply your rescue/recovery code as explained earlier.

Hope this helps
 

Robert

Member
Jun 23, 2019
11
1
Hi @PHolder

Thanks again for the speedy reply, and for the additional information. I am continuing to explore the various features of several of the clients, and want to thank everyone involved for developing SQRL.

Robert
 