Secured QRL Codes!
You are probably wondering about this. I heard it from Steve Gibson, and he calls it “squirrel” code. It basically helps those who are worried about security and privacy. I just didn’t want to forget to talk about this myself. Ever since I heard the podcast entitled “SQRL Episode 424”, my mind has been trying to get a handle on the whole thing.
What most people don’t know and haven’t yet figured out is how useful a QR Code is. I did not think of this solution and would have laughed if I did. It is really simple, and yet from what I have heard and understand it could be a game changer in the next few months. I just have a few things that I think must be fixed and standardized. I wanted to share them with you and maybe in the same instance help the community with this problem.
One Time Login “OTL”
Since we are basically logging in every time we use a different QR Code, we are only allowing one instance of the login for each time we use a SQRL login. Thus we will need to limit the time and when we can use that one QR code to log in. We also must figure out how we will deal with collision logins. This is where the site or server sends out the same securely generated long random number to two different users. This could happen if, say, we were using this on something like Facebook or Twitter. It is unlikely but possible, unless we only allow it to be used once, and then we get into the ridiculousness of even longer random numbers. The only thing I can come up with is using the date and time to create the cryptographic challenge. This would keep any two different users from getting the same challenge, and thus we would avoid the collision of logins.
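The challenge lifecycle described above (single use, time limited, never handed to two users at once) can be sketched as follows. This is an added example, not code from SQRL or from this post; `ChallengeStore`, `CHALLENGE_TTL` and the `time-random` challenge layout are hypothetical, and the signature check a real login would also need is left out.

```python
import secrets
import time

CHALLENGE_TTL = 120  # assumed value: seconds a displayed QR challenge stays valid


class ChallengeStore:
    """In-memory store of single-use, time-limited login challenges."""

    def __init__(self, ttl=CHALLENGE_TTL, clock=time.time, rand=secrets.token_hex):
        self.ttl = ttl
        self.clock = clock    # injectable so expiry can be tested
        self.rand = rand      # injectable so a collision can be forced in tests
        self.pending = {}     # challenge string -> expiry timestamp

    def issue(self):
        """Return a fresh challenge: issue time plus 128 random bits."""
        self._purge()
        while True:
            now = self.clock()
            challenge = f"{int(now)}-{self.rand(16)}"
            # Collision guard: a challenge that is still pending is never
            # handed out a second time, so two users cannot share one.
            if challenge not in self.pending:
                self.pending[challenge] = now + self.ttl
                return challenge

    def redeem(self, challenge):
        """Accept a challenge at most once, and only before it expires."""
        expiry = self.pending.pop(challenge, None)  # pop() enforces single use
        return expiry is not None and self.clock() <= expiry

    def _purge(self):
        """Drop expired challenges so the table does not grow without bound."""
        now = self.clock()
        for c in [c for c, exp in self.pending.items() if exp < now]:
            del self.pending[c]


if __name__ == "__main__":
    store = ChallengeStore()
    c = store.issue()
    print(c, store.redeem(c), store.redeem(c))  # second redeem is rejected
```

With 128 random bits a collision is already extremely unlikely; the timestamp prefix and the pending-table check make the "two users, same challenge" case impossible within one store rather than merely improbable.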
Pretty Good Privacy
The next problem is which encryption key we would want to associate with the smartphone. I personally think PGP is a good one to start off with, and maybe even to create the public key that is needed to accomplish this. The smartphone in question could be linked in some way to a server with our PGP public key. I am unsure as to how well this will work, but it would allow us to share that key whenever needed. It may not work, but I am thinking we should only use open source encryption, and thus this is one of the many options.
If the Smartphone is stolen?
This is where PGP can be very useful. We could revoke the key and tell everyone else it is no longer trusted, and thus we prevent illegal logins to our services. I’ve heard people do this with PGP, and thus it should be really easy to implement in SQRL. But again, I am not a designer and have never created things like this, so I thought we should at least throw that out and see what people say about it.
Needs to be Available to Everyone
It needs to be available on iOS, Android, and even Windows systems. When this happens it will make it that much easier for this to succeed.
As you can see, I have these small questions that need to be answered, and I even saw some others which I will gladly link to, to better help those who may want to explore more of this realm that Steve has started.
- SQRL (Steve’s Site)
- SQRL Reddit Comments (Comprehensive to say the least)
- SQRL Drupal Development (Nothing yet but a Squirrel)
What do you have to say about this? Are you curious to see this happen, or do you think this will even work? I may have missed something or may not fully understand it, but at least I want this to succeed. What are your thoughts on this?