Login History

ThyKoopa

New member
May 13, 2019
2
0
I am going to be honest, I haven't read the SQRL paper yet (it's on my todo list).

It would be really interesting if there was the ability to see a history of where and when your SQRL login was used. I'm thinking specifically the iOS app. The main screen right now is just "Scan SQRL QR code". It would be cool to see a list of logins there.

I don't know if the protocol can support showing all uses of an identity or if it would be limited to logins done using that application.
 

PHolder

Well-known member
May 19, 2018
918
124
protocol can support showing all uses of an identity
This has nothing to do with the protocol. It has everything to do with the client having a memory. The popular belief among the SQRL leadership is that the client should not have a memory for a number of reasons, most specifically the KISS principle. Others would be free to build a SQRL client that has other features, of course.
 

ThyKoopa

New member
May 13, 2019
2
0
It has everything to do with the client having a memory.
The support from the protocol I was referring to was a sync between the clients. If I log in via the Windows client, it would be cool to see that on my iOS client.
But if the design choice was to not store anything on the client, that’s fine by me!
 

AlanD

Well-known member
May 20, 2018
93
16
Rutland, UK
There are two issues here. Firstly, there was a design decision, at least for Steve's reference client, that he would not hold history for several reasons. Secondly, there is currently no way to sync a Windows and iOS client (or any other), as neither client has any knowledge of the other, and no way to communicate. Each client, and each copy of the SQRL database, is independent; that is why, if you have to rekey, you need to do it on all your devices.
 

Paul F

Active member
Apr 11, 2019
37
6
Toronto
If you rekey each independently you will end up with several different identities
That is a very important point. If you rekey two devices separately then each device causes a different website to rekey to it, it will take major surgery on the identity files with the help of a SQRLmeister to fix things. And if it can happen it will happen.
 

Vela Nanashi

Well-known member
May 19, 2018
633
107
Not exactly an ideal situation no, and I am not sure how to easily fix that, it might be fixable in a more automated way if we can import multiple identities into a client and tell the client "I want all of these merged into this new identity" and then whenever it encounters any of those old identities it rekeys them to the new identity it has. I however think such a client needs more than four previous identities to keep track of everything, and also needs to see what keys it has and remove duplicate ones.
 

Vela Nanashi

Well-known member
May 19, 2018
633
107
You could set up a way to encrypt to the key only the client knows (derived from the master secret) and store opaque authenticated blobs on the server, that way all you need to trust is that they don't delete it. It would otherwise be TNO.
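
The idea in the post above, sketched as an added example that is not part of the thread or of any SQRL client: a key derived from a master secret encrypts and authenticates the login history, so the server stores only an opaque blob. The HKDF label, the blob layout, the entry fields and the random stand-in master secret are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Hypothetical context label; SQRL defines no such key or sync feature.
const INFO = Buffer.from('example/login-history/v1');

// Derive a history-only key so the blob key is never the master secret itself.
function deriveHistoryKey(masterSecret) {
  return Buffer.from(crypto.hkdfSync('sha256', masterSecret, Buffer.alloc(0), INFO, 32));
}

// Client side: encrypt and authenticate; output is nonce || tag || ciphertext.
function sealHistory(key, entries) {
  const nonce = crypto.randomBytes(12);            // must be unique per blob under one key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(INFO);                             // binds the blob to this purpose
  const body = Buffer.concat([
    cipher.update(JSON.stringify(entries), 'utf8'),
    cipher.final(),
  ]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Client side: returns the entries, or null if the blob was altered or the key is wrong.
function openHistory(key, blob) {
  if (blob.length < 28) return null;               // 12-byte nonce + 16-byte tag
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(INFO);
  decipher.setAuthTag(blob.subarray(12, 28));
  try {
    const plain = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch {
    return null;                                   // failed authentication or parse
  }
}

// Constructed sample data: a random stand-in master secret and two made-up entries.
const masterSecret = crypto.randomBytes(32);
const sampleEntries = [
  { site: 'example.com', client: 'windows', at: '2019-05-13T10:00:00Z' },
  { site: 'example.org', client: 'ios', at: '2019-05-14T08:30:00Z' },
];
const historyKey = deriveHistoryKey(masterSecret);
const storedBlob = sealHistory(historyKey, sampleEntries);  // all the server ever holds
console.log(openHistory(historyKey, storedBlob));
```

Authentication lets the client detect a modified blob, but the server can still withhold the blob or return an older one, which is the residual trust the post refers to.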
 
hosting your own server isn't something that most people will do.

Is site tracking something that people really want? I mean I can see both sides of the argument, but I'm not sure which side makes more logical sense. Should it be the SQRL client's responsibility to show you everywhere you use SQRL? Let's say you delete an entry in the database, that doesn't mean that site now doesn't have your SQRL association, so how do you handle that? Just feels like there are so many ways this could go wrong and end up confusing people even more.
If you deleted a record from a SQRL client it wouldn't matter; for the same identity the same IDK, PIDK, SUK and VUK are sent, so you'd only affect your special client that tracks where you have logged in.

On the tracking point, yes, Apple track and yes, others might for SQRL, but the ability is reduced significantly by SQRL compared with traditional OAuth systems.

That said before I read this I posted this https://sqrl.grc.com/threads/logging-and-diagnostics.943/#post-7783 for discussion
 

PHolder

Well-known member
May 19, 2018
918
124
Is site tracking something that people really want
I feel like you're playing both sides of the street. On the one side you think SQRL is DOA because __x__. On the other side you say do people really want __x__.

I think people would really like it to just work, without them ever having to use their brain even once. "Just work and just keep me safe, even if I am stupid and attempt to do stupid things like give my account information to Nigerian Princes." I think there are so many different opinions on what people think they want that a solution will never make everyone perfectly happy. At this point, however, I feel like something needs to happen (a live experiment if you will) so we have empirical data for future decisions.
 

Vela Nanashi

Well-known member
May 19, 2018
633
107
The problem is, any third party that can recover you, if you have lost your password, rescue code and identity, could use said identity (they have rescue code and identity), and since they have that, they can also test if you are registered on sites they are interested in, though that really is the least of one's concerns in that case, as they can log in and do whatever they want, and I think that is worse than simple tracking.

That is why I am very TNO :)

As for those people who failed to preserve the rescue code, they will most likely learn to do better, and would not be the people who would activate the no account recovery options in the client anyway, so they can recover on each site the normal way, assuming they gave enough other information to sites to do so.

I have probably said all this before and so I will stop here, I do want the option for trusting someone else to be available during identity creation, but I don't want it to be forced in that step, there has to be a just as easy path to say "no I am dealing with this myself"