Websites using SQRL


PHolder

Well-known member
May 19, 2018
1,214
203
@WinBreach there are plenty of explanations how it works here on this site, maybe do some reading and learning?

It is listening, bound to localhost on port 25519 for connections from JavaScript on sites that have SQRL enabled. These forums have SQRL enabled, did you not use it here? It is still early days, not many sites offer SQRL logins at this time. Why did you decide to install it at all if you didn't understand what it was or why you want it?
 

Carl

Member
May 19, 2018
23
9
Whaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa?
You mean I went through all the trouble of creating SQRL to work and it's just hanging out in my computer using resources and doing nothing?
No web sites are SQRL accepting?
Yes, this is pretty much the current status, and it is to be expected. It's only been a few months since the creator of the SQRL protocol decided that version 1.0 of SQRL was to be considered finished, and updated the technical documentation to reflect this.

Since SQRL requires websites to implement server-side support, we have the "chicken-and-egg" problem where the use of SQRL clients has not taken off yet (since there aren't many sites to use SQRL on) and not many sites have taken the time to implement SQRL yet (because there isn't a large SQRL user base asking for this at this time)...

If we're unlucky, this is where SQRL lives and dies - in limbo land, waiting to be picked up by the world. We've seen this happen before, where good solutions (superior to their competition) never really take off, for one reason or the other.

Now, my bet is still on SQRL making it past this phase and becoming well-used, but it will probably take a little time. Some sites will surely implement SQRL and tout its advantages (especially having no secrets to keep) and this could put some pressure on competing sites when a demand for SQRL starts to build up. Then you can see a snowball effect in terms of implementation. Personally, I think the best thing that could happen for SQRL (other than a GIANT site implementing SQRL) would be for a good password manager to implement an integrated SQRL client. That would bump the number of users up enough to start spreading the word about SQRL, and it would speed up the adoption rate where sites implement SQRL support.

No matter how this plays out, I've come to the realization that it will take many more weeks/months/years than what I originally thought!
 
Last edited:

josecgomez

Well-known member
Aug 6, 2018
137
35
It is just sitting there waiting for a connection from a website that uses SQRL to use CPS.
That's the way it works, are you familiar with the SQRL Concept?
 

rxp

Member
Oct 15, 2019
14
1
We already have a place setup for that "SQRL Resources on the Web". So the INSTANT anyone other than GRC or a test server exists, we'll have them proudly and prominently listed there!
Do you have feedback as to WHAT is keeping website owners from giving SQRL a try on their servers? Do you, or does anyone else reading this, have any actual feedback from people running a website with authentication/login as to WHY they are not (yet?) implementing SQRL?

Those websites that know about SQRL but do not give it a try must think their costs (in a broad sense) of implementing SQRL on their server must outweigh their perceived potential benefits (again, not only in short-term dollar sense), or am I missing something? What are their considerations? Any "market research" insights on this?
 

PHolder

Well-known member
May 19, 2018
1,214
203
Well, inertia is the most logical answer to a lack of progress in any endeavour. Ye olde, "if it ain't broke, don't fix it." Websites (or rather online services offered via a website) see no advantage to changing what is already know to be working.
 

Sithmagic

Well-known member
Oct 12, 2019
75
21
The one question that I have seen asked is "Is SQRL ready for the enterprise" and someone else answered - "no, it's for personal use". This is a perception that will need to change, but that can only happen when more server side code is visible to a wider audience - anyone know someone with a wider social media following?

I know that others have mentioned having a different SQRL Id for work and personal - one way that can be done is using the "ALT" id function. Which adds an extra layer, since only you know what "ALT" id you have used - SQRL clients (not in the spec) don't record web sites, hence no means to record the ALT id used on a website.
 

diabolic

Active member
Oct 18, 2019
34
3
I think it's a bad idea to teach people to ignore the domain name in SQRL clients. When I use it to login to the twit community, I don't get that URL, I get SQRLoauth.com. Yes, I'm an advanced user, so I understand what's going on here, but if we train people to be OK with the domain not matching the site they're logging in to, then bye bye security, hello man in the middle. * Note, this only holds true for QR code login.
 
  • Like
Reactions: GoranLilja

josecgomez

Well-known member
Aug 6, 2018
137
35
I think it's a bad idea to teach people to ignore the domain name in SQRL clients. When I use it to login to the twit community, I don't get that URL, I get SQRLoauth.com. Yes, I'm an advanced user, so I understand what's going on here, but if we train people to be OK with the domain not matching the site they're logging in to, then bye bye security, hello man in the middle. * Note, this only holds true for QR code login.
That's what I made sure to use the Ask protocol to confirm the "real" domain with the user. But yes I agree there are downsides to this approach. However without things like OAuth providers server side adoption will be harder.
I agree with the point, but its a balancing act, we could wait for everyone on every platform to create a SQRL plugin but let's face it that likely won't happen.
 

diabolic

Active member
Oct 18, 2019
34
3
I'm not sure what you actually implemented with the Ask protocol, but on the iOS client, it doesn't appear to do anything different. It certainly doesn't prompt me to confirm the domain. Maybe iOS app doesn't support ASK?
 

josecgomez

Well-known member
Aug 6, 2018
137
35
I'm not sure what you actually implemented with the Ask protocol, but on the iOS client, it doesn't appear to do anything different. It certainly doesn't prompt me to confirm the domain. Maybe iOS app doesn't support ASK?
The IOS client doesn't yet support ask. @Jeffa will the new version?
 

rxp

Member
Oct 15, 2019
14
1
There's only one such someone, and that is @Steve, and he hasn't really been all that active here since SQRL reached GA.
That is unfortunate.

I suggest @Steve delegate enough admin rights on this forum to someone else who can take care of such house-keeping items.

Alternatively, I would suggest @Steve take down (or "hide" for the time being, if that is possible) the section "SQRL Resources on the Web" that is prominently shown on the landing page of this forum at the moment. Having @Steve 's 3 initial posts up there, seeing they were posted more than a year ago, and with hardly any sites listed / added there during all that time (at least that is my first impression), and the reply function disabled (probably in principle a good idea, but it looks all the more deserted that way, bit like a ghost town) is worse than not having that section there at all. If that section was not there, I would know I would have to dig deeper in the forum, and - although far from ideal - sooner or later I would find this here thread ("Websites using SQRL").
 

rxp

Member
Oct 15, 2019
14
1
Hi @josecgomez

I signed up over at twit.community using SQRL and created an account there. Seemed to work, I was logged in. Then I logged out and left the site.

Moments ago I was trying to log in there again. However, when I hit the Log In button, it took be to the OAuth page, and my phone app successfully scanned the QR code displayed by the OAuth site, and after that I confirmed on the phone the double check question ("Are you intending..."), and the OAuth page took me back to the twit.community page. However, not to my personal account there. Instead, it took me again to the default "Create New Account" window (screenshot attached) that I had already seen when I signed up originally. Obviously, I do not want to sign up again and create another account. In other words, I cannot get to my account on twit.community that I had set up earlier, using SQRL.
 

Attachments

PHolder

Well-known member
May 19, 2018
1,214
203
How did you initially sign up? Did you associate your SQRL identity with your account?
TwiTSQRL.png
 

josecgomez

Well-known member
Aug 6, 2018
137
35
Hi @josecgomez

I signed up over at twit.community using SQRL and created an account there. Seemed to work, I was logged in. Then I logged out and left the site.

Moments ago I was trying to log in there again. However, when I hit the Log In button, it took be to the OAuth page, and my phone app successfully scanned the QR code displayed by the OAuth site, and after that I confirmed on the phone the double check question ("Are you intending..."), and the OAuth page took me back to the twit.community page. However, not to my personal account there. Instead, it took me again to the default "Create New Account" window (screenshot attached) that I had already seen when I signed up originally. Obviously, I do not want to sign up again and create another account. In other words, I cannot get to my account on twit.community that I had set up earlier, using SQRL.
Unless you verified your email at sqrloauth you’ll need to associate your existing account in twit from the account association screen
It’s a security feature at twit to make sure you can’t associate with an email account that doesn’t belong to you.
Step 1 login to twit
Step 2 associate the account with sqrloauth ( as @PHolder shows)
Step 3 #Profit!
 

rxp

Member
Oct 15, 2019
14
1
How did you initially sign up? Did you associate your SQRL identity with your account?
Not sure if I understand your question. Associate how?
I had not had a twit.community account before. I thought in the sign-up process at twit, I had created an account at twit.community, simply by using the SQRL app with my SQRL identity on my phone in the sign up process.

What I did:
1. I went to twit.community with my browser on my PC.
2. I clicked on Sign Up, then clicked on With SQRL.
3. I was taken to a site sqrloauth.com..., where SQRL logo and a QR code are displayed on my PC monitor.
4. I scanned the QR code with the SQRL app and camera of my Android phone.
5. I entered the SQRL password and confirmed the "Are you intending...." question on my phone.
6. On the PC, I am taken to a "Create New Account" page for twit, which was pre-populated with some data, which I changed.
7. I received account creation email from twit at a temporary email address and clicked on the account creation confirmation link contained in the email. (I no longer have access to that email address.)
8. I was successfully logged in at twit.community, with the username I had chosen in the account creation form.
9. Later, I logged off from twit.community.

10. Later, I wanted to log in again at twit.community, to the account I had created earlier. Using same phone SQRL app with same SQRL identity I had used to create the account at twit, I thought that was all I needed:
11. At twit.community, clicked on Log In this time. As described in post #34 above.
 

rxp

Member
Oct 15, 2019
14
1
Unless you verified your email at sqrloauth you’ll need to associate your existing account in twit from the account association screen
It’s a security feature at twit to make sure you can’t associate with an email account that doesn’t belong to you.
Step 1 login to twit
Step 2 associate the account with sqrloauth ( as @PHolder shows)
Step 3 #Profit!
What do you mean by "verify your email at sqrloauth?" How? I did not recall seeing anything there telling me I needed to do that. (and why).
I did not have an existing account at twit before. Also, I do not recall an "account association screen" in the process.
 

josecgomez

Well-known member
Aug 6, 2018
137
35
What do you mean by "verify your email at sqrloauth?" How? I did not recall seeing anything there telling me I needed to do that. (and why).
I did not have an existing account at twit before. Also, I do not recall an "account association screen" in the process.
You don’t have to verify the account at sqrloauth if you don’t want to. But if you don’t then twit won’t trust it for a direct “sign up”
You’ll have to create a twit account then associate the sqrl account once you are logged in to twit
 

rxp

Member
Oct 15, 2019
14
1
You don’t have to verify the account at sqrloauth if you don’t want to. But if you don’t then twit won’t trust it for a direct “sign up”
You’ll have to create a twit account then associate the sqrl account once you are logged in to twit
I do not understand.
I did create an account at twit, using SQRL (as described in posts #34 and #37 above).
I WAS logged in at twit, so that WAS successful. I also did post there, using my newly created (via SQRL) account.

Only now, I cannot seem to log back in to the account that WAS created earlier.

How do I log back in to the account that WAS created earlier?