Websites using SQRL


iezer

New member
Jun 28, 2019
1
0
We already have a place setup for that "SQRL Resources on the Web". So the INSTANT anyone other than GRC or a test server exists, we'll have them proudly and prominently listed there!
Hi, thanks for all the work you do, I am a long time "Securitynow" listener. What would be great is if more people would adopt SQRL so we can all have the deserved security on the web. What if you do a YouTube promoting SQRL?
Thanks

Bogdan
BC, Canada
 

Alex-Nossovskoi

New member
Dec 4, 2019
1
0
Hey Steve, also a Securitynow listener, recently heard your SQRL announcement event, and decided to give SQRL a try. It's not really visible, but I've used your WordPress plugin on a few sites that I manage, including my blog: https://www.basicallystartups.com/. Noticed during setup across multiple devices the password doesn't carry over. This is a non-obvious behaviour to a new user; I thought I was doing something wrong, and recreated multiple identities, until I figured it out. In any case, neat solution, let's get it to more places.
 

PHolder

Well-known member
May 19, 2018
1,207
202
Noticed during setup across multiple devices the password doesn't carry over
Well just for clarification, the password can and should carry over if you export your identity with the password. Basically, if you do the export that way, the importing client should ask you for it. If the importing client asks for your Recovery Code, then it will not have the password to use.
 

ramriot

Well-known member
May 24, 2018
127
15
Well just for clarification, the password can and should carry over if you export your identity with the password. Basically, if you do the export that way, the importing client should ask you for it. If the importing client asks for your Recovery Code, then it will not have the password to use.
This I think has been mentioned before & highlighted by me as a UX issue, just to reiterate to client builders that if you give identity export with & without password protection equal promotion in your UI then people will use the latter to the detriment of system security.

I believe that use of export without password (rescue code protected) should be strictly limited for long term identity backup only, it should never be used for syncing identity across devices as the attack surface of a device with malware is multiplied & the exposure is complete, instead of using export with password where the exposure would be recoverable via rekeying.
 

PHolder

Well-known member
May 19, 2018
1,207
202
How do we not yet have SQRL Login for ____x____
Well the simple answer, no matter which site you care to ask about, is that the site needs to have the option added, and as it is early days, there is not SQRL server code/plugins for many platforms. In the TWiT Community example, this means someone needs to figure out how to do a plugin for Discourse.
 

Hzy

Active member
Feb 27, 2019
38
6
Bama
It's there now 😁
Attempted to register, but just takes me to the regular email signup. Also, this confirmation is a little less than "friendly" and includes the scary bit at the end. After that it takes me to email/confirm and personal info i.e. regular acct signup.


PHolder

Well-known member
May 19, 2018
1,207
202
You're using OAuth. OAuth communicates information from an identity provider to a consumer, such as full name, email, and location. The SQRLoauth.com site allows you to configure your information that will be provided, or it will generate random information. The warning is confirming that you're okay with the OAuth protocol sending this real or fake information from SQRLoauth.com to twit.community.

Each site requires whatever it requires for signup. twit.community requires email and other things. This is explicitly nothing to do with SQRL.
 

josecgomez

Well-known member
Aug 6, 2018
137
35
Attempted to register, but just takes me to the regular email signup. Also, this confirmation is a little less than "friendly" and includes the scary bit at the end. After that it takes me to email/confirm and personal info i.e. regular acct signup.

To clarify like @PHolder said
The sqrloauth.com does generate a "regular" account for you. But it does it with random information not your own, it is up to you how much or how little real information you give it.

The reason for this is that most sites like twit require it. As a compromise I chose to have that information be whatever you want.

If you want to be legitimate then you are free to update or populate that information with your real information and verify your email, but you don't have to.

When you head over to twit and login using sqrloauth that information is passed to twit and matched to your user account to authenticate.

If the email and such doesn't match that's fine, you still have the option to assert who you are at twit first (via username and password) and then link your sqrl account, at which point it "trusts" that you are who you say you are regardless of the email matching and links your accounts.

From that point on when you login to twit using sqrl all it passes is your unique user id (random nonce) and twit matches it with the associated ID in their system and it logs you in.

sqrl is great but no matter what people are going to want to get your information. I don't see a future where you can go around with sqrl and nothing else.
That's not how the internet works or how the internet economy functions although it is pie in the sky...

As far as the "scary bit", it's just sqrloauth asking you if you are ok authenticating a 3rd party like twit with your sqrl login, otherwise anyone could trick you into authenticating to the wrong 3rd party site.
 

Sithmagic

Well-known member
Oct 12, 2019
75
21
"scary bit"
Not sure you can resolve this, but here goes at trying to please everyone all of the time. Can the wording of this be clearer to a non-technical user, but still provide technical details?
For Example

Your friendly login helper here, I think you are trying to get to TWIT Community Forums, but they have asked for more details. Do you wish to provide some, or shall I make something up for you (technical details below)?
Dialog BUTTONS: [Make something up] [I will provide details] [I don't understand]
(from sqrloauth.com requesting access to http...)

Perhaps not exactly like this, and it may make for a large dialog, or small text, but I hope you can see my point.
This may even help avoid "just clicking" through the OK buttons.
 

WinBreach

New member
Feb 1, 2020
4
0
Whaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa?
You mean I went through all the trouble of creating SQRL to work and it's just hanging out in my computer using resources and doing nothing?
No web sites are SQRL accepting?
I check my TCP viewer and SQRL is just listening.
So now what?
How is this supposed to work?
I mean I thank GRC since Win2000 to now but is this thing even on?
Anyone who has a clue please explain how this works.
I'm using Windows 7.
 
