Masking FaceID and the Advanced Toggle


Status
Not open for further replies.
Mar 10, 2019
So, this time when using Jeff's SQRL client to login, I covered up the front facing camera. This caused the SQRL client to fail recognition, let me cancel the face id, and get to the Advanced button (which I toggled on). Then I went to enter in the password... the moment I selected the password field to give it focus, it indicated I got the password wrong, but I hadn't entered anything.

Then I went to enter in the password, which required the full password, and the SQRL client acted like everything worked just fine. But the forum never logged me in.

Confused, I went to re-initiate login. (For sequence sake, I accidentally clicked the QR code on the web page, which having no Mac client installed, rendered an error about not being able to handle the URL; I then hit Back, and then redid the Login sequence.)

This time I pointed Jeff's SQRL client at the URL and got a different, unexpected result. The iOS SQRL client asked me if I was trying to associate my ID to the domain. Unsure, I clicked in the affirmative, and at that moment it delivered a short message it was doing so, and sure enough the forum logged me in.

I'm not sure if I was in some mid-cycle for logging in on the forum (like it was partly through the process and a new request came in before the first completed or what). Point being, it wasn't the smooth sequence I was doing a few moments ago repeatedly.

It'd be nice if there was some black-box flight-recorder in the iOS client (heck, hidden under advanced mode), that at least allowed me to see the last few messages the app had displayed so I could transcribe them here. [Version 1-0-281 8307 ]

At this point, I'm still not certain what "turning on" the Advanced switch did for me.
 

Jeffa

Well-known member
May 20, 2018
This is mostly things getting confused due to my current experiments with automatic use of the biometrics.

You can toggle auto use of biometrics off in Settings.
 

Steve

Administrator
Staff member
May 6, 2018
www.grc.com
Jeff: I haven't been following along too closely, other than to be excited that a lot is clearly happening. But the phrase "automatic use of biometrics" is VERY encouraging and exciting! Yay!!! :)
 
Reactions: Walt Stoneburner

Gristle

Guest
I suggest only using automatic biometrics if SQRL is in the position to guarantee it can't be MITM attacked (such as with same device login and CPS). For cross device login, don't we need the user to check the SFN before proceeding? If you blow right past it and authenticate automatically, you might as well not show the SFN at all, but then you lose protection.

I don't think it's too much to ask to tap the TouchID or FaceID button for cross-device logins.
 
Reactions: 0.NRG

Steve

Administrator
Staff member
May 6, 2018
www.grc.com
Ah!!!! VERY good point, Thayne!! We no longer have the "SFN" (server friendly name) but we DEFINITELY want/need to encourage the verification of the authentication domain!
 

Gristle

Guest
Oh, my mistake. I meant the authentication domain.

Dumb question, but if browsers adopt SQRL natively, won't they be able to simply check that the sqrl:// authentication domain matches the https:// domain of the page they got the QR code from? If they don't match, then clearly it's a spoof who is showing some other site's QR code (amaz0n -> amazon). In that case, would we still need the user to verify the authentication domain manually if the browser can do it for us?

I assume that since your client has no knowledge of the contents of the browser's address bar, you need the human to verify the match...
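
The browser-side check proposed in the post above, sketched as an added example that is not part of the thread or of any SQRL client or browser. The function names and the `.example` hosts are hypothetical, and it assumes the authentication domain is simply the host of the sqrl:// URL.

```javascript
// Added illustration: hypothetical helpers, not a real SQRL or browser API.
// Assumption: the authentication domain is the host part of the sqrl:// URL.

// Return the normalized host of a sqrl:// URL, or null if it is malformed.
function sqrlAuthDomain(sqrlUrl) {
  // Capture only the authority (everything up to the first / ? # or \).
  const m = /^sqrl:\/\/([^\/?#\\]+)/i.exec(sqrlUrl);
  if (!m) return null;
  let u;
  try {
    // Re-parse the authority under https so the host is lowercased and
    // IDNA-normalized the same way the page's own host is.
    u = new URL("https://" + m[1] + "/");
  } catch (e) {
    return null;
  }
  // "sqrl://trusted.example@other.example/" has host other.example;
  // refuse userinfo outright rather than risk a misleading display.
  if (u.username || u.password) return null;
  return u.hostname; // port is deliberately ignored
}

// True only when the page is https and its host equals the auth domain.
function authDomainMatchesPage(sqrlUrl, pageUrl) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch (e) {
    return false;
  }
  if (page.protocol !== "https:") return false;
  const domain = sqrlAuthDomain(sqrlUrl);
  return domain !== null && domain === page.hostname;
}

// Constructed sample inputs (not captured traffic).
const samples = [
  ["sqrl://www.amazon.example/sqrl?nut=abc", "https://www.amazon.example/login"],
  ["sqrl://www.amazon.example/sqrl?nut=abc", "https://www.amaz0n.example/login"],
  ["sqrl://www.amazon.example@evil.example/sqrl", "https://www.amazon.example/"],
];
for (const [sqrl, page] of samples) {
  console.log(page, "<-", sqrl, authDomainMatchesPage(sqrl, page) ? "match" : "MISMATCH");
}
```

The second sample is the amaz0n case from the post: a look-alike page relaying another site's QR code fails the comparison without the user having to read the domain.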
 
Mar 10, 2019
Then I went to enter in the password, which required the full password, and the SQRL client acted like everything worked just fine. But the forum never logged me in.

Confused, I went to re-initiate login. ...

.... The iOS SQRL client asked me if I was trying to associate my ID to the domain. Unsure, I clicked in the affirmative, and at that moment it delivered a short message it was doing so, and sure enough the forum logged me in.
My point in mentioning the above was that I hit a case where the SQRL client gave me confirmation that I was logged in (presumably, it had just gotten confirmation from the server) -- but the forum didn't log me in.

Does this happen often? I'd rather the SQRL Client tell me something went wrong, please reload the page and try scanning a different QR code again, than to have it announce that I'm logged in but the forum remain at the login page. (This will hurt user adoption.)

Is the forum in some pseudo transitional state at this point?

The reason why I ask is because, when actually attempting a follow-on login attempt, the SQRL client, instead of confirming the authentication, is now asking about associating IDs. And, as a user, I won't understand why it's doing this.
 