Account options

[Robert]

Thank you for this app!

I have a question about the Account options.

After I've logged in to https://www.grc.com/sqrl/demo.htm, if I scan the QR code there are four Account options: unlock account, lock account, remove account, and alternative identity. I think I understand the last two, but not the first two. I've done some searching, but haven't been able to find an explanation for them. Could you please let me know how these two options work?

Thank you.

Robert

 

[PHolder]

Lock and unlock are options to prevent the use of the account. When you lock it, no one will be able to log in/use it until you unlock it. This is a safety feature that should virtually never need to be used. The premise is that someone has somehow stolen your identity. You're not at home when you learn of this, so you do not have access to your recovery code, stored safely at home (or in a safety deposit box, or similar.) So what you do is lock the account. You don't need the recovery code to do the lock operation. Now no one, not even you, can use it until you unlock it. You won't be able to unlock it without the recovery code. So when you finally get home, you can use your recovery code to rekey your identity (again, something that almost no one should ever actually have to do) and then you can unlock it and regain access with your newly rekeyed identity.

Key points:
- to lock, you need to visit each and every site you wish to lock against misuse
- to rekey, you need to visit each and every site you have used the identity with to update it with the new identity

because of the amount of work involved in these operations (if SQRL becomes widely adopted and one were to use it at many sites) it is STRONGLY recommended that you do not lock or rekey unless you have a good/reasonable reason to do so.

 

[Robert]

Thanks very much for the detailed explanation, and for the recommendation. Those are excellent safety features.

A few more questions:

When comparing the Android account options and the Windows authentication options do I assume correctly that the Android "Lock account" and the Windows "Disable all use of SQRL identity for authentication at this site." mean the same thing? And that "Remove account" and "Remove SQRL identity from site." also mean the same thing?

If the above is true, then if you select the Disable option in the Windows app, how do you Enable (or Unlock) the SQRL identity on that site?

Thank you.

 

[PHolder]

I have not really used the Android app, to be honest, so you'd be best to ask some questions over in the forum dedicated to that client. (Edit: And then I realized where I was actually posting *blush*. The forums UI needs to show the "breadcrumbs" at the top at all times, to remind one where they're posting.)

I have also never played with the lock/unlock, because, as I said, it is something almost no one should ever have need of.

My best guess would be you would attempt to authenticate at a site where you had done the disable, and then the client would realize this, and offer you the option to make a recovery.

As I understand it, SQRL is all about authentication, but the account management implementation has some flexibility for individual sites to apply some personality. Accordingly, how it works precisely on each site that implements SQRL may vary slightly.

 

[kalaspuffar]

Hi @Robert and @PHolder

First to answer Roberts question. Yes, the options are equal, behind the scenes the commands are called disable, enable and remove.

If you lock the account by any means from any client you use your password in the client. And if you supplied the option in the client to indicate to the server that only SQRL login should be allowed and that is honored then the account is totally locked until you unlock(enable) it.

If you visit the site and try to login the Android client will tell you that the account is locked. If you then choose the option to unlock you need to supply your rescue/recovery code as explained earlier.

Hope this helps

 

[Eichhörnchen]

Hi! I have tried to lock my account with the Android App, but it does not work ...

 

[kalaspuffar]

Hi @Eichhörnchen

Thank you for the heads up.

These features are seldom used so will test them to see if we have any strange behavior.

Verify that Lock, Unlock and Remove account work · Issue #363 · kalaspuffar/secure-quick-reliable-login

As we have done a lot of changes these features have not been tested recently and might have stopped working. Got a report in the forum about Locking not working. Will verify and fix any issues ari...

github.com

Best regards

Daniel

 

[Robert]

Hi @PHolder

Thanks again for the speedy reply, and for the additional information. I am continuing to explore the various features of several of the clients, and want to thank everyone involved for developing SQRL.

Robert

 

[Robert]

Hi @kalaspuffar

Thank you for confirming the definitions of the terms, and for the description for using lock and unlock.

I can confirm that Lock does not work at https://www.grc.com/sqrl/demo.htm, either before logging in or after logging in.

Robert