Videos demonstrating SQRL


sengsational

Well-known member
Feb 17, 2019
115
36
I'm surprised no reactions yet to these videos. They're awesome Adam. You are to be commended! You saved the best for last. The last 30 seconds of the last video are the "killer app" portion.

Now, I must say, that the discussion between the southern gentleman and you in the first video, along with the "mashing" of buttons in that one instance quite exposes you as a true southerner, hehe!

I'd like to personally thank you for your efforts here; you've made this really cool stuff more accessible. I think your activity is to be commended.
 

Dave

Well-known member
May 19, 2018
469
97
Gardner, MA
> I'm surprised no reactions yet to these videos.
I don't recall seeing the first one.

> They're awesome Adam.
I concur.

It is a non-issue since you plan to re-record it anyway but, there is a hiccup in the first one - presumably from splicing multiple takes - at 7:49 where your selection of export with rescue code only magically reverts to rescue code or password. But, again, nice work.
 

lrqsuser

New member
Mar 19, 2019
2
1
I am a bit confused with the videos (but I do like the demos, good job).

You stated that printing everything out is a good idea, for safe keeping and to protect against a key logger, but the app requires you to type the code, for confirmation, and you also have to type your password. If there is a key logger, it has all of the important information, it seems. Obviously you have other problems if you have a key logger installed on your machine.
 

hyp0strophe

New member
Mar 19, 2019
1
0
> I'm surprised no reactions yet to these videos. They're awesome Adam. You are to be commended! You saved the best for last. The last 30 seconds of the last video are the "killer app" portion.

Well done Adam! I want a forum I frequent to be able to use this ASAP. It would be very cool.
 

PHolder

Well-known member
May 19, 2018
1,171
190
> If there is a key logger, it has all of the important information, it seems.

Well, the assumption would be that it wasn't there when you created the identity, but was added (by a jealous soon-to-be ex-partner, for example) at some point later. But yes, if you have that issue, you probably have much larger [financial] problems :D
 

SBlais

New member
Mar 16, 2019
3
0
Great videos, Adam!!! You have the how-to-create and how-to-use videos... When is the sales pitch video coming out? Basically, the video that will get people to want to watch your demos! You know, the viral video that will launch SQRL into the stratosphere o_O
 

fairlane

New member
Jun 14, 2019
4
0
What is the point of using SQRL to log into websites if you have to also enter the first four characters of your master password? I thought the whole point of the protocol was to set up your identity, then you can use the SQRL app from your mobile device to take a snapshot of the website's QR code and it would automatically log you in. You should NOT have to enter the first four characters of your password. Watching the two videos above, Adam clearly enters the first four characters of his password with two different identities a couple of times. Am I missing something? Is there an option to not have to enter those first four characters? If not, I don't see how this process eliminates passwords entirely.
 

Vela Nanashi

Well-known member
May 19, 2018
713
121
Biometrics can be used (on mobile clients) and one can set it to only require one character (on desktop and mobile). The reason for it is security: you don't want someone to be able to log into sites as you if they take your phone from you, or sneak into your room and onto your desktop computer while you are fetching another cup of coffee. Also, the GRC client (Windows desktop) encrypts the master key in memory and actually requires the quickpass to decrypt it; that way capturing the memory with the master key is hard.
 
  • Like
Reactions: Hzy and Simon9

Dave

Well-known member
May 19, 2018
469
97
Gardner, MA
> What is the point of using SQRL to log into websites if you have to also enter the first four characters of your master password? I thought the whole point of the protocol was to set up your identity, then you can use the SQRL app from your mobile device to take a snapshot of the website's QR code and it would automatically log you in. You should NOT have to enter the first four characters of your password. Watching the two videos above, Adam clearly enters the first four characters of his password with two different identities a couple of times. Am I missing something? Is there an option to not have to enter those first four characters? If not, I don't see how this process eliminates passwords entirely.
When I make an ATM withdrawal and then try to make a second withdrawal in the same session, it asks for my pin again. This is to make sure that it is still me and not that I drove away without logging out and now someone else is requesting the second withdrawal. The use of the quick pass is just like that, except that, for convenience, you don't have to enter the entire password again. As has been pointed out repeatedly, you control how many characters the quick pass uses and you can set it to 1 if you choose. The intent is to provide a Secure Quick Reliable Login that gives web sites no secrets that they have to protect, not to leave the keys on the dashboard.
 

fairlane

New member
Jun 14, 2019
4
0
> Biometrics can be used (on mobile clients) and one can set it to only require one character (on desktop and mobile). The reason for it is security: you don't want someone to be able to log into sites as you if they take your phone from you, or sneak into your room and onto your desktop computer while you are fetching another cup of coffee. Also, the GRC client (Windows desktop) encrypts the master key in memory and actually requires the quickpass to decrypt it; that way capturing the memory with the master key is hard.

Yeah well, regardless, the protocol was touted as not having to provide a password when logging into websites. In fact, that's not technically true, if you have to enter a password (or a portion of it) to log into a site. I was under the impression that after setting up the identity, you could navigate to a website on a desktop such as amazon.com, open up your SQRL app on your iPhone, hold the camera up to the QR code on Amazon's login page, scan the QR code and be logged into my account. Adding the step of having to enter a portion of your password is not really a benefit over using LastPass to autofill my amazon credentials. Take away that step and I'd use it. Otherwise it's just another way of logging into a website. Granted, using SQRL has the benefits of websites not storing any credentials, but having to type in a portion of the password in my mind defeats the purpose of convenience. You should only have to set up an identity and that's it. You shouldn't have an extra step of having to type a portion of your password every time you want to log in.
 

fairlane

New member
Jun 14, 2019
4
0
> When I make an ATM withdrawal and then try to make a second withdrawal in the same session, it asks for my pin again. This is to make sure that it is still me and not that I drove away without logging out and now someone else is requesting the second withdrawal. The use of the quick pass is just like that, except that, for convenience, you don't have to enter the entire password again. As has been pointed out repeatedly, you control how many characters the quick pass uses and you can set it to 1 if you choose. The intent is to provide a Secure Quick Reliable Login that gives web sites no secrets that they have to protect, not to leave the keys on the dashboard.
Yeah no.. You shouldn't have to enter even one character. That's still a pain in the ass in my mind.
 

Vela Nanashi

Well-known member
May 19, 2018
713
121
Again with biometrics on a phone you only have to unlock it once every so often with your password and then just iris scan, face scan or fingerprint to log in. Also you replace lots of different passwords with one, and get higher security as sites don't have to keep the public key secret.
 

Dave

Well-known member
May 19, 2018
469
97
Gardner, MA
> Yeah no.. You shouldn't have to enter even one character. That's still a pain in the ass in my mind.
Ah, the eternal struggle to find the perfect compromise between security and convenience. Perhaps a new client, or a new client version, will one day allow 0 rather than 1. For today, if typing a single character represents too great an obstacle, perhaps SQRL is not the solution you are looking for. Thank you for your interest and support.
 
  • Like
Reactions: warwagon

AlanD

Well-known member
May 20, 2018
121
22
Rutland, UK
> Yeah well, regardless, the protocol was touted as not having to provide a password when logging into websites. In fact, that's not technically true, if you have to enter a password (or a portion of it) to log into a site. I was under the impression that after setting up the identity, you could navigate to a website on a desktop such as amazon.com, open up your SQRL app on your iPhone, hold the camera up to the QR code on Amazon's login page, scan the QR code and be logged into my account. Adding the step of having to enter a portion of your password is not really a benefit over using LastPass to autofill my amazon credentials. Take away that step and I'd use it. Otherwise it's just another way of logging into a website. Granted, using SQRL has the benefits of websites not storing any credentials, but having to type in a portion of the password in my mind defeats the purpose of convenience. You should only have to set up an identity and that's it. You shouldn't have an extra step of having to type a portion of your password every time you want to log in.

There are a couple of issues here:

1. A password or other identifier, e.g. biometrics, is required to unlock your SQRL identity to allow you to login to sites. That seems to make sense; it is like having a lock on your front door.
2. After "an interval" you have to re-identify yourself to the app to continue to use it to login to sites. In Steve's client, this interval is fairly short, but you can re-identify yourself with a quick-pass, which can be 1-n characters of your password. The timeout could be longer; this is a tradeoff between security and ease of use. If the timeout is too long, the user runs the risk of another person picking up his device and misusing it.
3. In terms of what the website has, they no longer need to hold a secret password to allow you to login. They need to hold an identifier, but this is your public key for that site. By definition, it is public, and not a secret, and also it is of no use on any other site.

The scenario that you quote is like buying a house with a front door with no lock on it.
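
An added example illustrating point 3 above (not part of AlanD's post and not code from any SQRL client): it follows the published SQRL design, in which the per-site private key is the HMAC-SHA256 of the site's domain under the identity master key and is used as an Ed25519 seed. The function names, domains, master key and challenge strings are constructed for illustration, and a real client signs the full SQRL request rather than a bare nonce.

```javascript
const crypto = require('crypto');

// PKCS#8 DER header that wraps a raw 32-byte Ed25519 seed (RFC 8410).
const PKCS8_ED25519 = Buffer.from('302e020100300506032b657004220420', 'hex');

// Client side: derive the key pair for one site from the identity master key.
function siteKeyPair(masterKey, domain) {
  const seed = crypto.createHmac('sha256', masterKey).update(domain).digest();
  const privateKey = crypto.createPrivateKey({
    key: Buffer.concat([PKCS8_ED25519, seed]), format: 'der', type: 'pkcs8',
  });
  return { privateKey, publicKey: crypto.createPublicKey(privateKey) };
}

// Raw 32-byte public key (tail of the SPKI encoding): all the site stores.
function publicKeyHex(publicKey) {
  return publicKey.export({ format: 'der', type: 'spki' }).subarray(-32).toString('hex');
}

// Client side: answer a site's login challenge.
function signChallenge(privateKey, challenge) {
  return crypto.sign(null, Buffer.from(challenge), privateKey);
}

// Site side: check the answer against the stored public key only.
function siteVerifies(storedPublicKey, challenge, signature) {
  return crypto.verify(null, Buffer.from(challenge), storedPublicKey, signature);
}

function demo() {
  const masterKey = Buffer.alloc(32, 0x07); // constructed, not a real identity
  const forum = siteKeyPair(masterKey, 'forum.example');
  const shop = siteKeyPair(masterKey, 'shop.example');
  const challenge = 'constructed-nonce-0001';
  const sig = signChallenge(forum.privateKey, challenge);
  return {
    keysDiffer: publicKeyHex(forum.publicKey) !== publicKeyHex(shop.publicKey),
    forumAccepts: siteVerifies(forum.publicKey, challenge, sig),
    shopAccepts: siteVerifies(shop.publicKey, challenge, sig),
    replayAccepted: siteVerifies(forum.publicKey, 'constructed-nonce-0002', sig),
  };
}

console.log(demo());
```

A database leak at either site exposes only that site's public key, which neither verifies logins elsewhere nor links the two accounts.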
 

PHolder

Well-known member
May 19, 2018
1,171
190
> touted as not having to provide a password when logging into websites
I think you misunderstood what was on offer. It eliminates giving a password to a site to protect, not eliminating the use of good security practices. SQRL provides you with a "digital identity" and the current client requires proof that the human using the digital identity is the "correct" human. A different client could be made to work differently if the compromise in security was acceptable to its user base.
 
  • Like
Reactions: Hzy

PHolder

Well-known member
May 19, 2018
1,171
190
> I have the Android SQRL client. Does it support biometrics?
I believe it does if your Android OS is Android P (or later.) (I have not personally tried.) I believe you need to supply your password for the first time, then as long as your QuickPass is enabled it will use the biometric instead if possible. (You will need to configure your QuickPass duration... the maximum is 1 week or something like that.) There is a forum for the Android client, you should check out some of the posts there.