Quick unlock - first few characters of password Vs. PIN

[Digitoxin]

Is there a requirement that the quick unlock uses the first few characters of the password or is this an arbitrary decision. Can an alternate SQRL client use a PIN instead? It would be great if the SQRL client allowed the user to use a PIN instead of the first few characters of the password as the quick unlock code.

 

[shanedk]

SQRL clients are free to use whatever alternatives they want. The Android client uses the fingerprint reader (if available), for example. But I don't see the advantage in using a PIN. At best, it would be just as secure as the first few characters of the password if those first few characters were numbers; otherwise, it'd be less secure.

 

[Steve]

@Digitoxin :

SQRL's client "QuickPass" (we've officially renamed it) is not part of the underlying SQRL spec. So, yes, clients are free to do whatever they please.

However, using a separate PIN would be tricky, since it would need to be protected by encrypting it inside the user's identity so that the only way to access it would be by decrypting the identity using their full password. This would require an extension of the SQRL identity storage format which would break all existing clients. And it also significantly complicates the user interface and user experience.

Could you explain why you think that a PIN would be superior?? I don't see any advantage.

 

[Paul F]

It would be great if the SQRL client allowed the user to use a PIN instead of the first few characters of the password as the quick unlock code.

Whatever your reason for wanting a PIN, you can make your SQRL Password = PIN+BasicPassword.

 

[Steve]

Whatever your reason for wanting a PIN, you can make your SQRL Password = PIN+BasicPassword.

Ha! Nice hack! Indeed.

 

[Vela Nanashi]

Hey Paul that was what I was going to suggest too, after reading op, but I decided read the rest, someone has to have that idea, and you did