Secure Quick Reliable Login (SQRL, pronounced “squirrel”) is a free and open-source program designed by Steve Gibson to replace the traditional username and password Web authentication process.
Using public-key cryptography, it allows a user to generate a single master token which can interface pseudonymously with websites, achieving login without having to reveal personal information or passwords.
Gibson performed the first SQRL login last week on the Security Now! podcast:
How It Works
Upon downloading the SQRL client (available on Android, iOS and all desktop operating systems), the client generates a 256-bit master token. This single token can be used for identity purposes indefinitely, if the user chooses.
A SQRL-supporting website would display a QR code on its login page. The user either scans the QR code with their smartphone, or clicks it from their desktop's mouse. The QR code contains the Web server's URL, which is then hashed with the user's master token to create a private key (which doesn't leave the user's client). The Web server then receives a URL that's cryptographically signed with the correct public key, and the login is authenticated.
“The beauty of that is now we have a per-site private key generated from our single master identity. […] The system is pseudonymous unless we associate it with our real-world identity. We also have a different identity for every site, so we can't be tracked across sites.”
Why It's Needed
Gibson told an audience at the 2014 DigiCert Conference:
“In this post-Edward Snowden era, I don't think any kind of third-party system makes sense. The problem is that you have to trust them. […] SQRL is a single solution that allows us to have a single identity, not be trackable across the Internet, it's cryptographically sound, and it solves the problem [of trust].”
Here Gibson explains SQRL in-depth at DigiCert: