It works, but...

  • New Wordpress Plug-In Forum
    Guest:

    Just a note that we have a new forum to contain discussions relating to the Wordpress plug-in which Daniel Persson originated and has been making great progress on. You'll find it under "Server-Side Solutions."

    /Steve.

jmcameron

New member
Oct 12, 2019
2
0
I just tried the android app and it works (v1.5.0). But there was one point of confusion for me: While I was in the process of installing the GRC SQRL client on my Windows 10 PC, I got to the page where it asks to backup my Identity (with the QR code, number/letter groups, etc). At that point, I paused and installed the android app and imported the new identity via scanning the QR code. But at this point, the android app asked me to enter my 6 number group rescue code because my identity was not finalized (I forgot the exact wording). I did not expect that, was a bit confused, and did not want to enter the rescue code on my android phone (on general security principles), so I aborted the import. Then I went back to the PC and finished up the install there and verified local sqrl:// access, etc. Then I went back to the android app and tried importing the identity and it all went as expected. I had to enter my password, but NOT my rescue code.

I was suggest extended the message when the identity is not complete to suggest that the user complete installing the identity on the source computer before importing it into the android app.

Nice work!

-Jonathan
 

ahauser

Well-known member
Feb 22, 2019
82
24
Hi Jonathan, and welcome to the SQRL forums!

When you're exporting an identity from GRC's windows client, no matter if it's upon creation of that identity or at some later point in time, you get the option to choose how the identity being exported can be "unlocked":

532

I've taken this screenshot while creating a new identity. As you can see, you have two options here. One will allow you to use the password or the rescue code to import the identity into another device, while the other one will strictly require the use of the rescue code.

I guess you must have checked the second option during creation of your identity.
If that is the case, what happended on the Android client is expected behaviour.
 

jmcameron

New member
Oct 12, 2019
2
0
Thanks. I remember making that choice, but apparently not reading it closely enough!

Thanks for the explanation.

-Jonathan
 

ramriot

Well-known member
May 24, 2018
73
9
Thank you Jonathan,

I think this single observation is very important & should not explained away as a trainable moment. If there is a UX that is at odds with the security model then this needs to be made failsafe for all users, not just those that RTFM.

As Jonathan observed, if a new user in creating & propagating their SQRL to all their devices makes the simple mistake of passing around the exported identity 'unprotected' they massively weaken the security model of only using the rescue code sparingly & securely for the elevated tasks of rekeying / unlocking etc.

I would suggest that anyone writing a client think very carefully before giving equal weight or even equal access to Protected & Unprotected exports.

FWIW that's my 2c

CORRECTION: When I said Unprotected I meant exporting only those blocks with the Rescue Code being used as the decryption key. Importing that type of export regularly instead of the entire identity is not recommended.
 
Last edited:

ahauser

Well-known member
Feb 22, 2019
82
24
I would suggest that anyone writing a client think very carefully before giving equal weight or even equal access to Protected & Unprotected exports.
There is no such thing as an "unprotected export". The exported identity either has the type 1 and type 2 blocks present, which means you can decrypt them with either your SQRL password or the rescue code, or just the type 2 block is exported, in which case only the rescue code will let you use the identity. In both cases though, the exported identity will be strongly encrypted. No client will hopefully ever export an "unprotected" identity.
 

ramriot

Well-known member
May 24, 2018
73
9
There is no such thing as an "unprotected export". The exported identity either has the type 1 and type 2 blocks present, which means you can decrypt them with either your SQRL password or the rescue code, or just the type 2 block is exported, in which case only the rescue code will let you use the identity. In both cases though, the exported identity will be strongly encrypted. No client will hopefully ever export an "unprotected" identity.
Thanks for the clarification correction posted