Needing to scan login twice


Status
Not open for further replies.

sengsational

Well-known member
Feb 17, 2019
115
36
I have logged into this site while watching Logcat from my phone and what I can report is that it looks exactly the same when the login happens on the site and when it doesn't (I have experienced both). What I have presumed (not guaranteed to be accurate) was that it was something going on with the web site rather than the client, since the logs saved by the client looked the same. But there isn't a whole lot of logging going on in the client, so something different could have happened, but it just didn't look like it.

Do we have access to the logs on the web site? Maybe if I provided a timestamp and a nut, I could see what the web site thought about the transaction.
 

Jason L.

Member
Feb 2, 2019
15
0
It took me 2 attempts to log in to this site.
  1. I clicked the login button on the site
  2. Moved my cursor on the QR code to enlarge it
  3. I launched the app on my phone
  4. Clicked the blue SQRL button
  5. Pointed my camera at the QR code
  6. Typed the full password; I clicked the button to show password (making sure I typed it correctly)
It then took 5 seconds to decrypt and then said "Contacting Server". I waited a little bit (10-15 seconds). My computer never refreshed with me logged in. The app never reported any error messages.

I repeated steps 4-6; Step 6 only required the quickpass and I didn't show password. The computer refreshed with me logged in almost immediately.

I also tested the app on Steve's demo site and was able to log in on the first attempt. I am using v0.13.5 on a Moto E4 Plus running Android v7.1.1

I hope this info is helpful. I tried to think of everything that may be pertinent. If you need more info, let me know.
 

Peter Smith

Member
Feb 5, 2019
12
1
Hi Daniel,

I think I have discovered the reason for the client failing to log into the forum on the 1st attempt.

I have tested with client v0.14.0.

Using Firefox Inspector and monitoring the Network I can see what the network traffic is doing.

This is network traffic when you select the "Login" and it pops-up the QR code:

[Attachment 302]

You can see the "png.sqrl" is retrieved for the QR code image pop-up and following this is the page polling the server with the "nut" for the QR code.

If you wait long enough, eventually the page will retrieve a different "png.sqrl" QR code.

[Attachment 303]

By the time I get my mobile phone out, run the SQRL client, scan the QR code, enter my password into the client and then wait for the client to Decrypt/Encrypt and finally contact the server, the Login page has retrieved and started looking for a different "nut" to authenticate. Hence why the client fails to log in to the forum on the 1st attempt. If you try immediately scanning the QR code again, the 2nd attempt works.

I did not record the time it takes for the Login page to retrieve a 2nd QR code, maybe 60sec.

Question: is the Login page supposed to be getting a 2nd, 3rd, etc. QR code? Something Steve and Rasmus will need to look at.
 

kalaspuffar

Well-known member
May 19, 2018
296
106
Sweden
coderinsights.com
Peter Smith said:
> Hi Daniel,
>
> I think I have discovered the reason for the client failing to log into the forum on the 1st attempt.
>
> I have tested with client v0.14.0.
>
> Using Firefox Inspector and monitoring the Network I can see what the network traffic is doing.
>
> This is network traffic when you select the "Login" and it pops-up the QR code:
>
> [Attachment 302]
>
> You can see the "png.sqrl" is retrieved for the QR code image pop-up and following this is the page polling the server with the "nut" for the QR code.
>
> If you wait long enough, eventually the page will retrieve a different "png.sqrl" QR code.
>
> [Attachment 303]
>
> By the time I get my mobile phone out, run the SQRL client, scan the QR code, enter my password into the client and then wait for the client to Decrypt/Encrypt and finally contact the server, the Login page has retrieved and started looking for a different "nut" to authenticate. Hence why the client fails to log in to the forum on the 1st attempt. If you try immediately scanning the QR code again, the 2nd attempt works.
>
> I did not record the time it takes for the Login page to retrieve a 2nd QR code, maybe 30sec.
>
> Question: is the Login page supposed to be getting a 2nd, 3rd, etc. QR code? Something Steve and Rasmus will need to look at.

Hi @Peter Smith

Great debugging. Hopefully, @Steve can give us a good explanation on what's going on and how to mitigate this.

Perhaps we can resolve this issue once and for all :)

Best regards
Daniel
 

kalaspuffar

Well-known member
May 19, 2018
296
106
Sweden
coderinsights.com
Not really sure why they change the nut while in transit but it seems reasonable as an error. Maybe we need to listen to two or three nuts like you do with RSA code dongles.
 

Steve

Administrator
Staff member
May 6, 2018
1,016
307
www.grc.com
Peter Smith said:
> I think I have discovered the reason for the client failing to log into the forum on the 1st attempt.

Peter: Try all of this at my demo site page: https://sqrl.grc.com/demo. See whether you're able to make it fail there?

I suspect that this is something that Rasmus, who implemented our SQRL interface for these XenForo forums, has his page doing (to be helpful) but it's actually causing this trouble. His code must be requesting another nut after some delay, but it never should. Only the user's manual refresh of the page should be doing that. (Yes... I have just verified this behavior. I'll have Rasmus address this! Thanks, all!!)

And Daniel (@kalaspuffar): When these sorts of things arise on the forum site (since its code is still newer), please always check behavior against my demo page. It should be regarded as the reference and it will help to avoid confusion. :)
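
The race described in this thread, as an added simulation that is not part of the original posts and is not the forum's or GRC's code. The 60-second rotation (Peter's estimate), the other timings, the nut labels and the mode names `rotate` (observed page behaviour), `fixed` (nut kept until manual reload) and `window` (page watches the last two nuts) are assumptions made for illustration.

```javascript
// Constructed model of the login page described in this thread.
// Times are seconds on a simulated clock; nuts are opaque labels, not real SQRL nuts.
function simulateLogin({ mode, rotateAfter, scanAt, clientDelay, giveUpAt = 120 }) {
  const issued = [];               // nuts the server has handed to this page, oldest first
  const authenticated = new Set(); // nuts for which the server accepted a SQRL client
  const newNut = () => { const n = `nut-${issued.length + 1}`; issued.push(n); return n; };

  let displayed = newNut();        // nut encoded in the QR code currently on screen
  let scanned = null;              // nut the phone read from the QR code
  let lastRotate = 0;

  for (let t = 0; t <= giveUpAt; t++) {
    // 'rotate' and 'window' fetch a fresh png.sqrl after a delay;
    // 'fixed' keeps the first nut until the user reloads the page.
    if (mode !== 'fixed' && t - lastRotate >= rotateAfter) {
      displayed = newNut();
      lastRotate = t;
    }
    if (t === scanAt) scanned = displayed;
    // The client finishes password entry and decryption, then contacts the
    // server with the nut it scanned, however old that nut is by now.
    if (scanned && t === scanAt + clientDelay) authenticated.add(scanned);

    // Page poll: 'window' asks about the last two nuts, the other modes only the displayed one.
    const watched = mode === 'window' ? issued.slice(-2) : [displayed];
    const hit = watched.find((n) => authenticated.has(n));
    if (hit) return { loggedIn: true, at: t, nut: hit };
  }
  return { loggedIn: false, at: null, nut: scanned };
}

// Full-password first attempt: scan at 10 s, client contacts the server 55 s later.
const slow = { rotateAfter: 60, scanAt: 10, clientDelay: 55 };
console.log('rotate, slow client :', simulateLogin({ mode: 'rotate', ...slow }));
// Quick rescan of the new QR code right after the rotation.
console.log('rotate, quick rescan:', simulateLogin({ mode: 'rotate', rotateAfter: 60, scanAt: 70, clientDelay: 5 }));
console.log('fixed, slow client  :', simulateLogin({ mode: 'fixed', ...slow }));
console.log('window, slow client :', simulateLogin({ mode: 'window', ...slow }));
```

In the `rotate` run the server has accepted `nut-1`, but the page is already polling `nut-2`, which matches the silent first-attempt failure reported above.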
 

Gristle

Guest
Steve said:
> please always check behavior against my demo page. It should be regarded as the reference and it will help to avoid confusion

By the way Steve, that demo page is AWESOME. Thank you for maintaining it!

I specifically like how you allow for easy account deletion, because it allows demonstrating account creation which is one of the coolest features of SQRL. I think some people have gotten OK with using a PW manager to log in, but no one is OK with how much of a royal pain in the *** it is to change your password or create a new account on a site.

My wife got super excited about SQRL when I told her it solves this problem. She said it's not uncommon for her to be right on the cusp of buying something from a new website, only to realize at the final checkout that she needs to create an account in order to complete checkout. Despite being a Lastpass user, she says she always abandons the purchases on these sites and decides "it just wasn't meant to be!" It's a shame because I bet a lot of these sites don't really want your information, they just want to sell their wares, but they need some sort of accounting for purchase tracking and customer service.

If I was that website owner, I'd bend over backwards to adopt SQRL. It's literally free money.
 