SQRL: Make login/password obsolete?

Discussion in 'other security issues & news' started by Grassman20, Oct 3, 2013.

Thread Status:
Not open for further replies.
  1. Grassman20

    Steve Gibson has submitted to the world his idea for replacing usernames and passwords on the web. It's very intriguing and he needs the security community to beat it up to look for vulnerabilities. What do you guys think? Could this be a viable solution for some of the security/privacy issues we face?

    Long video, start at 37:08: http://youtu.be/UZ-nZ50BNrA?t=37m8s

    More details: https://www.grc.com/sqrl/sqrl.htm

    EDIT: I can't make the YouTube link clickable. I don't know what the deal is, so you'll have to cut and paste.
     
  2. J_L

    Very nice concept, except it requires a smartphone. The security, privacy, and availability of that weakens the idea in my opinion. A worthwhile alternative nonetheless, kinda like AirDroid login.
     
  3. Grassman20

    Personally, I like the idea of controlling my private keys rather than trusting the website or some third party. Yes, there's risk in having your private keys on your smartphone, but it seems to me that, if implemented properly, it can be every bit as secure, if not more secure, than trusting the server to keep your password safe. The proposed method gives complete control back to the end user, which I would love to see.

    One problem I see is that this method would not prevent a MITM attack, but neither does our current system. If someone goes to facebo0k.com and enters their password, there's not much you can do to help those people anyway.
     