The Xenforo plugin doesn't have a way for a user to recover from lost identity


Status
Not open for further replies.

PHolder

Well-known member
May 19, 2018
1,225
205
See https://sqrl.grc.com/threads/unable-to-diassociate-old-sqrl-identity.1067/

The issue is that it requires a client to be able to access an identity to disassociate and there is no web-site supplied option to replace it (you currently need to disassociate first, which would be impossible if you lost your old one).

I do realize if you're in SQRL only mode there is no fix that doesn't involve an Admin (assuming you can prove your right to do so.) But if you kept a userID and password, it should be possible to fix this. (What happens if you're hacked, for example, and totally lost control of your identity, you can't remove it without having it.)
 

Dave

Well-known member
May 19, 2018
487
99
Gardner, MA
See https://sqrl.grc.com/threads/unable-to-diassociate-old-sqrl-identity.1067/

The issue is that it requires a client to be able to access an identity to disassociate and there is no web-site supplied option to replace it (you currently need to disassociate first, which would be impossible if you lost your old one).

I do realize if you're in SQRL only mode there is no fix that doesn't involve an Admin (assuming you can prove your right to do so.) But if you kept a userID and password, it should be possible to fix this. (What happens if you're hacked, for example, and totally lost control of your identity, you can't remove it without having it.)
Allowing any method to disassociate the SQRL ID from an account without HAVING the ID in hand would completely nullify SQRL's security improvement.
 

ramriot

Well-known member
May 24, 2018
131
15
Allowing any method to disassociate the SQRL ID from an account without HAVING the ID in hand would completely nullify SQRL's security improvement.
Plus if you are using SQRL correctly this should not happen as identity recovery after a breach is built in to the protocol
 

Genghes

Member
May 16, 2019
6
3
Plus if you are using SQRL correctly this should not happen as identity recovery after a breach is built in to the protocol
IF you are using it correctly... ;)

Remember non-IT people might be using SQRL soon..
How about the website allows disassociation without having SQRL as long as 'Request no account recovery' has not been set?
 

PHolder

Well-known member
May 19, 2018
1,225
205
Allowing any method to disassociate the SQRL ID from an account without HAVING the ID in hand would completely nullify SQRL's security improvement.
So what you basically said is that losing your keys to your front door of your house should be equivalent to never being able to enter your house again! Correct?
I think if the user left userID and password configured and enabled, they probably aren't ready to trust everything to SQRL. If they have the ability to access the account by non-SQRL means, they should have the option to remove SQRL from the account. If they want to disable that ability, it is easy to do in the SQRL client. As @Steve already stated, the SQRL only flag is for people who feel comfortable enough to trust SQRL only... but for people who are evolving that trust, they should have the option to screw up and recover without needing Steve's involvement.
 

ramriot

Well-known member
May 24, 2018
131
15
So what you basically said is that losing your keys to your front door of your house should be equivalent to never being able to enter your house again! Correct?
No, lose your keys & you will need to call in a locksmith then prove to their satisfaction that it's your property.

Which is exactly the situation if you mess up with SQRL or any important site, where you will need to prove offline who you are. Ever tried to prove to Google who you are to be let back into a hacked account?
 

PHolder

Well-known member
May 19, 2018
1,225
205
This is a case, again, of perfect being the enemy of good enough. These forums are not rocket science, there is no NSA secrets here, no one is going to lose any money if their account is hacked. It should be possible to self-remedy as many problems as possible. The case under discussion is such a case, IMHO.
 

Carl

Member
May 19, 2018
23
9
As I view this, I have explicitly said that I DON'T want my SQRL login to be given priority over, or that it should replace, my username and password.

My expectation when I associated this forum account with my TEST SQRL identity was that, as long as I don't change the settings to ditch usernames and passwords, I should have equal rights to access and control EVERYTHING on my account, regardless of whether I've logged in using SQRL or my username and password!

I disagree with the decision to require both having the SQRL ID and the rescue code to remove or replace the SQRL ID that's connected to the website account. Changing the settings to this server functionality should be an active choice, not the default.

To use the analogy above: it is like I have lost the keys to the front door of my house, but since I still have the keys to the side door, that uses a different lock, I get into my house without issue. After a year of having to use only the side door, I get a little annoyed that I can prove that I'm the owner of the house and that I am standing on the inside of that front door with the strong lock that no longer works for me - but the system is set up so that it doesn't matter that I can prove that I'm on the inside of the house and that my explicit wish has always been that my two sets of locks be treated equal, I'm still stuck with a lock that I can't replace and forced to use a less secure lock!
 

Genghes

Member
May 16, 2019
6
3
No, lose your keys & you will need to call in a locksmith then prove to their satisfaction that it's your property.
Unless I have the keys to the back door of the house.. Then I get in and can open the front door from the inside and can change the lock myself.

Since I have NO way of proving who I am to the Admin of this forum, I should just abandon this account and create another then?
(Deleting my account is not an option I have found anywhere? #GDPR)
 

josecgomez

Well-known member
Aug 6, 2018
137
35
I agree it's a nightmare. I myself started playing with SQRL a few years ago and I swear I stuck my rescue code in LastPass.
Lo and behold, I have my SQRL password but the rescue code in LastPass doesn't match.
That means that my identity on this site is (from a SQRL perspective) locked to me.
I can't disassociate it, which means I can't use my real SQRL identity, which is now double backed up....
I think if you haven't set a Hard Lock or a SQRL only flag it should let you disassociate without much fuss.
 

ramriot

Well-known member
May 24, 2018
131
15
I agree it's a nightmare. I myself started playing with SQRL a few years ago and I swear I stuck my rescue code in LastPass.
Lo and behold, I have my SQRL password but the rescue code in LastPass doesn't match.
That means that my identity on this site is (from a SQRL perspective) locked to me.
I can't disassociate it, which means I can't use my real SQRL identity, which is now double backed up....
I think if you haven't set a Hard Lock or a SQRL only flag it should let you disassociate without much fuss.
If you have not set hardlock OR sqrlonly, then provided you have alternate means of authentication (Username & Password, Beg Steve) you SHOULD be able to add a new SQRL association & or remove the old one. The plugin SHOULD be offering this facility for users with the appropriate setup (I'm going to check later).

BUT, if you do not have alternate means of authentication & Steve is unhelpful then you are SOL.

This is unfortunately exactly the same situation you would be with any authentication protocol when you lose access to the prover, if you have no alternative & no in protocol recovery then you have to fall back on the site admin for help.
 

PHolder

Well-known member
May 19, 2018
1,225
205
The plugin SHOULD be offering this facility for users with the appropriate setup
This is the entire point of this whole thread. One presumes, if you select SQRL only mode, you couldn't even log in at all with a user ID and password to know the problem existed. So if you can log in, you should be able to fix it.
 

ramriot

Well-known member
May 24, 2018
131
15
OK, I just had a look around at the account management on Xenforo concerning SQRL & there basically is none. I have a username & password as well as SQRL, I have not checked hardlock OR sqrlonly and yet I cannot remove the existing SQRL association; the relevant page even says (Disassociation of a SQRL ID can only be done with the SQRL client itself.) which I believe is false.

If I try to add an association post authentication with username & password I get the below:-

Oops! We ran into some problems.
You have authenticated with a different SQRL ID than the one associated with this account.

Something does not seem right here, please explain?
 

josecgomez

Well-known member
Aug 6, 2018
137
35
Right, that's what I was complaining about, no way to change your SQRL once you attach it if you don't have the rescue code (even if you aren't hard locked)
 

Ralle

New member
Jan 17, 2019
3
3
Hey guys,

It's been a while since I wrote the add-on, so my details might be a bit fuzzy.

From what I remember it's correct that you need the recovery code to remove SQRL from your account. And that's always the case.

I might be tempted to agree that if you have not configured 'sqrlonly' it might be weird that SQRL takes precedence over the password.

This is never something that came up when Steve and I discussed it and my vote would be to allow the change when users have not configured their account and ID to signal 'sqrlonly'.

I am however hesitant to change this unless Steve gives a go-ahead, but it seems like a reasonable step to take.
 

ramriot

Well-known member
May 24, 2018
131
15
Hey guys,

It's been a while since I wrote the add-on, so my details might be a bit fuzzy.

From what I remember it's correct that you need the recovery code to remove SQRL from your account. And that's always the case.

I might be tempted to agree that if you have not configured 'sqrlonly' it might be weird that SQRL takes precedence over the password.

This is never something that came up when Steve and I discussed it and my vote would be to allow the change when users have not configured their account and ID to signal 'sqrlonly'.

I am however hesitant to change this unless Steve gives a go-ahead, but it seems like a reasonable step to take.
An interim step might be to allow a many-to-one relationship to exist so additional authentication keys can be added. This would be via the existing 'connected accounts' page and allow an already authenticated user to add a new SQRL site identity even if security prohibits a removal for now. I'm going to post this discussion onto the newsgroup for more detailed discussion.

Thread started here: https://grc.com/groups/sqrl:23676 or news.grc.com grc.sqrl:23676
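
The three positions argued in this thread, written out as one access-control decision. This is an added example, not part of any post and not the XenForo add-on's code; the class, field and policy names are hypothetical, and "current" models the behaviour only as the posters describe it.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Action(Enum):
    ADD = "add"        # link an additional SQRL identity to the account
    REMOVE = "remove"  # disassociate the identity that is already linked

@dataclass(frozen=True)
class Account:            # hypothetical model of a forum account
    has_password: bool    # username/password login still configured
    sqrlonly: bool        # user asked the site to accept SQRL logins only
    hardlock: bool        # user asked the site to refuse non-SQRL recovery
    linked_ids: frozenset # SQRL site identities linked to the account

@dataclass(frozen=True)
class Session:                      # how the current request authenticated
    method: str                     # "sqrl" or "password"
    sqrl_id: Optional[str] = None   # identity presented by the SQRL client
    unlocked: bool = False          # client also proved rescue-code authority

def decide(acct, sess, action, policy):
    """Return (allowed, reason) for a change to the account's SQRL links."""
    if sess.method == "sqrl":
        # All three policies agree: the linked identity plus rescue-code
        # proof may change the association.
        if sess.sqrl_id in acct.linked_ids and sess.unlocked:
            return True, "linked identity with rescue-code proof"
        return False, "SQRL session lacks the linked identity or unlock"
    # Password session from here on.
    if not acct.has_password:
        return False, "account has no password login"
    if acct.sqrlonly or acct.hardlock:
        return False, "user opted out of non-SQRL changes"
    if policy == "current":     # behaviour as described by posters
        return False, "disassociation only via the SQRL client"
    if policy == "interim":     # many-to-one: add allowed, removal not
        ok = action is Action.ADD
        return ok, "add-only" if ok else "removal still needs the identity"
    if policy == "proposed":    # password login may remove or replace
        return True, "password session and no opt-out flags"
    raise ValueError(f"unknown policy: {policy}")

def lost_identity_matrix():
    """Constructed case: identity lost, password kept, no flags set."""
    acct = Account(True, False, False, frozenset({"constructed-old-id"}))
    sess = Session(method="password")
    return {(p, a.value): decide(acct, sess, a, p)[0]
            for p in ("current", "interim", "proposed") for a in Action}
```

Under "proposed", an account with neither flag set is only as strong as its password, which is the trade-off Dave and PHolder argue over above.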
 