I'm unsure what you're referring to here, but I think you are mistaken.import an Identity without entering the password
Operational Note: This SQRL identity database bundles the GRC SQRL client user's user-interface preferences, including the time required to process a full password input. When this identity is imported into a compatible client running on a platform having a different processing speed - either a different PC or a mobile device - that SQRL client will obtain that user's preferred password processing time. Although different environments (for example, mobile) might suggest a differing security posture and password processing overhead, the client can note when a large difference exists between the processing time of the origin device - as revealed in the bundled time specification - and the current platform. The client can offer to immediately re-encrypt the user's just entered password to re-normalize all future password processing time.
I totally agree, but I don’t think Steve’s client reencrypts on import.Please note that having to use the password when importing an identity into a different client is by design. This is because each client should honor the "password verify seconds" identity setting, which is only possible when decrypting the identity with the identity's current enScrypt settings and then re-encrypting it, determining the correct scrypt iteration count for the current device "on the fly" to accomodate for the password verification time set in the identity.
Otherwise, an identity created on a super powerful computer could take ages on a low-end smartphone to decrypt and vice-versa.
This is a quote from https://www.grc.com/sqrl/SQRL_Cryptography.pdf, page 21:
Here's some related information: https://sqrl.grc.com/threads/small-suggestions-re-identity-backup-export-output.1002/post-8405I totally agree, but I don’t think Steve’s client reencrypts on import.
NOTE: One should NEVER sync identity to a new device with an exported file that is NOT one protected by a user provided password. Reason being that without that protection you will need to use the rescue code at least once on the new device before setting a user password & if the new device is already compromised then you have lost complete control of your SQRL identity & the re-key operation will not help you in recovering that security.With Steve's app I can import an Identity without entering the password until it's needed. Having the same functionality here would make importing an identity quicker. It would also allow the identity to use the Rescue Code if the password was forgotten.
Hi there,I'm unsure what you're referring to here, but I think you are mistaken.
You can "import" outside the app by copying the identity file into the correct folder. Inside the app, you need to have either the rescue code or the password.
Thanks, I didn't even think about copying the files, I just used the camera on my second laptop and noticed it didn't ask me for the password while the ios app did.NOTE: One should NEVER sync identity to a new device with an exported file that is NOT one protected by a user provided password. Reason being that without that protection you will need to use the rescue code at least once on the new device before setting a user password & if the new device is already compromised then you have lost complete control of your SQRL identity & the re-key operation will not help you in recovering that security.
I'm comparing my experience with the ios app against the windows app and contrasting the work flow differences around importing an identity (scanning qr code to be clear) in the two applications.Unfortunately now I am even more confused. The GRC client is a Windows client. It doesn't run on a phone.
I actually generated the identity with the GRC Client quite a while ago, but the machine got wiped and I was adding it back.Okay, well I have never imported into the GRC client, and most especially not using a camera. TBH I didn't even know it could read a QR code. It sounds like the GRC client does not re-encypt the identity, and it REALLY should, IMHO. @Steve will have to explain his rationale for that. I was under the impression that the recovery code would be needed with an identity encoded without one, so it may be the case that the client you used to create the QR code that you imported into the GRC client is not giving you the option to choose which way to export it? Which client did you use to generate the identity that you imported into the GRC client?
I agree, this is something that could (and probably should) be added to the spec to allow for rare but unpleasant situations like the one described by @Brian Buchanan above.Given that a rescue-code-recoverable backup is a subset of a password-recoverable backup, the client could allow the user the option to import a password-recoverable backup either way.
You should be able to do everything you want with the GRC client: Import the .sqrl file or QR code. Export it as "rescue only" .sqrc file or QR code; or reset the password and export it as "password+rescue code" .sqrl file or QR code.
Right, Paul, good point!You should be able to do everything you want with the GRC client: ...