SQRL is officially released but not usable... on iOS


Status
Not open for further replies.

Sukima

New member
Jun 20, 2019
2
0
I don't wish to be negative but over the past six years of waiting and watching Steve log in with his iPhone I am beside myself that I cannot do this myself. There is no SQRL client for iOS in the iOS app store!!!

Normally I wouldn't complain but when Steve is publicly proclaiming that SQRL is ready for mainstream adoption and there is no iOS solution this is a MAJOR disconnect and for many a non-starter. I can only imagine attempting to talk about SQRL to my chief security officer at my job and having to defend that none of our iOS-using employees or customers can use SQRL; it kind of defeats the whole point SQRL was meant to address.

The source is closed. This is taking a very long time. What does done look like? Can't we get the app Steve uses out and then fix it as time goes? Does it really have to be perfect before SQRL is ready for iOS adopters?

Ultimately, at this point, is it worth waiting for one developer to graciously donate their time to this client, or should others begin looking into making their own?

Again I apologize for calling you out but this has been a really long time, conflicting marketing on Steve's part, and infrequent status updates. Am I the only one with these concerns/problems?
 

PHolder

Well-known member
May 19, 2018
1,171
190
There is no SQRL client for iOS in the iOS app store
Ummm... have you looked at any of the other threads here on these forums? There IS an iOS client, but it's still a work in progress and so is not out of beta, and thus is not available to download from the store. It's a little complicated because of Apple, but you need to join a program allowing you to install beta apps and then request access from the developer to become a beta tester.

Edit: Go here and click the link: https://sqrl.grc.com/pages/getting_started_with_sqrl/ which should take you here: http://eepurl.com/bfmQ3z which is a form to fill out and says:
We are testing using Apple Test Flight, for this to work you must subscribe using the email of the Apple id that is in use on the device.
Please install Apple testflight app from the Appstore. (https://itunes.apple.com/gb/app/testflight/id899247664?mt=8)
 

Sukima

New member
Jun 20, 2019
2
0
PHolder, I think you missed the intent of the original message. I am not going to tell my Grandmother to do all that. Also I did do that... twice... No dice, no email, nothing. It is a broken system and I wish Steve himself would stop advertising the iOS client when it cannot be downloaded from the store.

Beta is fine but it hasn't been updated since June (see forum posts). But when it is walled off from the general public but the creator is advertising publicly that it is available there is a very serious problem!

Maybe this is all too technical. The fact is there is not an iOS client available (today) to the very demographics that would and could effect adoption. No CISO I know of nor fellow co-workers would be willing to even look at this without a sound mobile solution they can try in their hands today. If I were to enable SQRL on my sites I cannot expect my users to submit to a TestFlight testing program.

I ask:
* Can we get a realistic status on what is blocking a release?
* Is it good enough to let the public use it and continue to update? What is needed for MVP that cannot allow the general public to try it? Because the beta works for Steve in his public demo. Isn't that good enough for now?
* Can Steve Gibson please stop advertising something that isn't available yet? Placing the cart before the horse hurts the community and the validity of SQRL itself.
* Is it realistic for another project or alternative to be considered while this one is (to put it bluntly) still waiting in beta?
 

PHolder

Well-known member
May 19, 2018
1,171
190
no email, nothing. It is a broken system
I hate to tell you this, but the problem is on YOUR end, the process works just fine... I went through it myself immediately after communicating with you how to do so. You need to give it the email address of your iOS device's AppleID. It will fairly quickly send you an email asking you to confirm your subscription to the beta mailing list, and when you do so, it will then send you another email with a code to enter into TestFlight. If you're not getting the emails, I suspect the issue is that they're getting caught up in spam filtering in your email provider.

I agree with you there needs to be a more polished app, but free work happens at a pace that is not the same as paid work. @Jeffa presumably has paid work he has to attend to to feed his family, and when he can, he spends time on the SQRL app.

Is it realistic for another project or alternative to be considered while this one is (to put it bluntly) still waiting in beta
You're not going to like what I have to say about this, so I will keep my opinion to myself except to say: the real problem is Apple and its closed garden mentality. An entire community of developers came together to get the Android app into great shape in no time. This model just doesn't seem to work in an Apple world for whatever reason.

Also, I think the beta approach in use right now is just fine because there is a lack of adoption of SQRL amongst web sites, so there isn't a massive demand for people to get a client yet. More pull from more websites will probably yield more work on more clients. It's still early.
 

Jeffa

Well-known member
May 20, 2018
207
106
Again I apologize for calling you out but this has been a really long time, conflicting marketing on Steve's part, and infrequent status updates. Am I the only one with these concerns/problems?
Well you stung me into posting a progress update at least:

https://sqrl.grc.com/threads/nov-2019-update.10

If you would like to send me a PM with the email you subscribed with I would be happy to help you.

Welcome to the SQRL community. I and the other 1074 testers look forward to your ongoing input.
 

robmille

New member
Dec 20, 2019
2
0
I'm never going to install a test flight client to get SQRL. I hope this project succeeds, but I can't imagine how it will ever have any chance without an app in the App Store. Test Flight is not a mass market plan.
 

PHolder

Well-known member
May 19, 2018
1,171
190
I don't think anyone was pretending otherwise. You should stick with what you're comfortable with. Unfortunately Apple has stupid rules that benefit it and no one else, that prevent a work in progress, that is mostly functional, from being made freely available. If you want a different choice, they certainly do exist.
 

robmille

New member
Dec 20, 2019
2
0
I disappointedly am. I want SQRL to work, but I'm iOS and even if I weren't, iOS is the platform an app has to be on to ever make it. I'll keep checking for when it makes it to the app store.
 

JSF

Member
Aug 12, 2018
6
2
Fredericksburg, VA
Test Flight is the ONLY option for testing Beta software on iOS devices. You are NOT going to change that. Until JeffA finishes up the iOS client and releases it on the Apple App store, this is your only way to get the client. If you are unwilling to install test flight, then you will need to wait until it's available in the App Store.

Just because SQRL the PROTOCOL is finished and released by SteveG, does not mean that CLIENTS on other platforms are finished and ready for prime time. Remember, SteveG created the protocol and the Windows Client. All other clients are NOT associated with Steve or GRC. If you have a problem with how Steve is marketing SQRL, take that up with him.
 

brianoflondon

Well-known member
Nov 22, 2018
120
13
I agree this is a significant problem. What we really need to see is SQRL functionality built into the other major Password apps like 1password and LastPass. Geoff's app is functional but has no UI to speak of.
 

Jeffa

Well-known member
May 20, 2018
207
106
I agree this is a significant problem. What we really need to see is SQRL functionality built into the other major Password apps like 1password and LastPass. Geoff's app is functional but has no UI to speak of.
Yep could be prettier.
 

JSF

Member
Aug 12, 2018
6
2
Fredericksburg, VA
I agree this is a significant problem. What we really need to see is SQRL functionality built into the other major Password apps like 1password and LastPass. Geoff's app is functional but has no UI to speak of.
SQRL has no real interface per se. Look at the Chrome and Firefox extensions. Neither one has a significant interface.

Look at competing technologies, FIDO2/WebAuthn for example. There is not any real User Interface. It's all back end crypto. Any integrations are done on the back end system, web server, etc.

Not saying that Jeff's app is perfect, or even finished. He's done the best he can given the constraints of the Apple App store, the SQRL protocol, and his available resources.
 

PHolder

Well-known member
May 19, 2018
1,171
190
FIDO2/WebAuthn for example
Well the Windows Hello UI portion is pretty clever, IMHO
WindowsHelloWebAuthn.png

But yes, most of the rest of it is on the site doing the implementing, rather than anything in any client.
 

JSF

Member
Aug 12, 2018
6
2
Fredericksburg, VA
Well the Windows Hello UI portion is pretty clever, IMHO

But yes, most of the rest of it is on the site doing the implementing, rather than anything in any client.
Touché... ;^)


Interesting note, that dialog box is mostly generated by the WebAuthn API. Microsoft is hooking into WebAuthn.

Now if Microsoft would get its FIDO2/CTAP AD login out the damn door!
 

brianoflondon

Well-known member
Nov 22, 2018
120
13
To claim there is no UI or need for a UI is a bit flippant.

Creating a new ID, restoring an ID and a host of other essential features are all needed and they all need a UI and would benefit from a real, well funded, development effort. To some extent, just like so much of the crypto currency world, absent these things mass adoption will not happen.
 

JSF

Member
Aug 12, 2018
6
2
Fredericksburg, VA
Let's be realistic. SQRL is BLEEDING EDGE technology and only suitable for very technical individuals at this point.

No mainstream website has implemented SQRL yet. Heck, W3C ratified and published the WebAuthn spec in April and we are just now seeing any significant web sites implement it. And those that are have been providing U2F functionality over the last few years. WebAuthn is the "update" to U2F and not a heavy lift to migrate to from U2F.

As with any new and disruptive technology, there is an entire ecosystem that must be built to support it. JeffA's iOS client is a perfect example of that. Developers won't support new technologies until they are finished and stable and not continuously changing. The SQRL spec was just "finished" in November. We are a few months into this.

The folks who come here and "complain" that JeffA's iOS client is not complete, or any other of the SQRL ecosystem pieces, just don't understand how new technologies are rolled out. There are way too many moving parts and people involved to instantly implement SQRL everywhere. It's the nature of a decentralized "thing" like the internet.

If folks want a "well funded development effort" then FUND IT. Send enough money to JeffA so that he can spend his full time developing the features you want. But you must first clearly define those features with a set of requirements and use cases.

As with all things technology, it's a catch-22. No one will implement new technology without all the parts in place. No one will build the parts until it's a well deployed technology. Why are we still using SMS text codes as 2nd factors for accessing our financial institutions? There are plenty of much more secure options, such as FIDO2/WebAuthn. Banks don't want to spend money on "new" technologies as it's not their primary business. Until we, their customers, demand more secure options, this will not change.

Ok, off my soapbox now.
 