QR Codes: Login Authentication Using SQRL


Steve Gibson from Security Now! and ShieldsUP! has created a new method of authentication. It is Secure QR Login, or SQRL for short. Steve has created a smartphone app that holds a single master key for authentication and replaces your passwords. You would use this app to authenticate with any website that supports SQRL.

The QR code shown by the site contains the site's domain and a one-time random challenge. When you scan it, the app combines the domain with the master key held on your phone to derive a public and private key pair that is specific to that site. The same domain always produces the same pair, so your public key, which serves as your user name on that site, will never change. The master key itself is stored encrypted on the phone. The app signs the challenge with the private key, and the site knows it is you because it can verify the signature with your public key. This is because of how public key cryptography works: only the holder of the private key could have produced that signature.
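The exchange described above, as an added example in Go that is not Steve Gibson's client or server code. It follows the scheme the text outlines (a per-site seed from HMAC-SHA256 keyed with the master key over the domain, turned into an Ed25519 key pair, a signature over the scanned challenge URL) and leaves out the rest of the protocol. The master key value, the `sqrl://` challenge URLs with their `nut` nonces, and the function names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
)

// masterKey is a constructed value for this example. In SQRL the master key is
// generated randomly on the phone and kept there, encrypted under a password.
var masterKey = []byte("constructed-32-byte-master-key!!")

// siteSeed derives the per-site secret: HMAC-SHA256 keyed with the master key
// over the site's domain. The output is 32 bytes, exactly an Ed25519 seed.
func siteSeed(master []byte, domain string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	return mac.Sum(nil)
}

// SiteKeyPair turns that seed into the site-specific Ed25519 key pair.
// Same master key + same domain -> same pair, so the public key is a stable
// per-site user name; a different domain yields an unrelated pair.
func SiteKeyPair(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(siteSeed(master, domain))
	return priv.Public().(ed25519.PublicKey), priv
}

// DomainFromChallenge extracts the host from the sqrl:// URL encoded in the QR
// code. The client derives keys from what it actually scanned, not from what
// the page claims to be, which is why a look-alike domain gets a different
// identity.
func DomainFromChallenge(challenge string) (string, error) {
	u, err := url.Parse(challenge)
	if err != nil {
		return "", err
	}
	if u.Scheme != "sqrl" || u.Hostname() == "" {
		return "", fmt.Errorf("not an sqrl:// challenge: %q", challenge)
	}
	return u.Hostname(), nil
}

// ClientRespond is the phone's side: derive the site key pair and sign the
// whole challenge URL (domain plus one-time nonce) with the private key.
func ClientRespond(master []byte, challenge string) (ed25519.PublicKey, []byte, error) {
	domain, err := DomainFromChallenge(challenge)
	if err != nil {
		return nil, nil, err
	}
	pub, priv := SiteKeyPair(master, domain)
	return pub, ed25519.Sign(priv, []byte(challenge)), nil
}

// ServerVerify is the site's side: check the signature over the challenge it
// issued against the presented public key. The public key is then the user's
// identifier to look up (or register) in the site's account table.
func ServerVerify(challenge string, pub ed25519.PublicKey, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, []byte(challenge), sig)
}

func main() {
	// Constructed challenge: the site embeds a random nonce ("nut") in the URL.
	challenge := "sqrl://example.com/login?nut=8a1f3c"
	pub, sig, err := ClientRespond(masterKey, challenge)
	if err != nil {
		panic(err)
	}
	fmt.Println("public key (user name at example.com):", hex.EncodeToString(pub))
	fmt.Println("signature valid:", ServerVerify(challenge, pub, sig))

	// Same site, new nonce: the public key is unchanged, so the site still
	// recognises the user.
	pub2, _, _ := ClientRespond(masterKey, "sqrl://example.com/login?nut=77b0e2")
	fmt.Println("same identity on next login:", pub.Equal(pub2))

	// A look-alike domain gets a different public key: nothing links the two.
	pub3, _, _ := ClientRespond(masterKey, "sqrl://examp1e.com/login?nut=8a1f3c")
	fmt.Println("same identity at examp1e.com:", pub.Equal(pub3))

	// A signature replayed against a different challenge does not verify.
	fmt.Println("replay accepted:", ServerVerify("sqrl://example.com/login?nut=77b0e2", pub, sig))
}
```

Two points worth checking against the output: the public key is identical across logins to example.com, so the site needs to store nothing but that key, and it is unrelated at examp1e.com, so a phishing site never sees the identity used at the real one. The site must also keep its nonces single-use, since the signature is only meaningful over the exact challenge it issued.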

Here is Steve Gibson’s visual representation of this:

This new technology, although convenient, poses a risk to whoever owns the SQRL identity. Without a proper backup of the master key you would lose access to every site you registered with it, because the site-specific keys cannot be regenerated without it. The master key is stored encrypted on the phone, so if you lose the password that protects it you may not be able to decrypt it either. Since this is targeted towards mobile devices I would advise caution when using this method to authenticate to servers or workstations that hold sensitive data.

A bit more information on QR codes (Source: Wikipedia):

QR code (abbreviated from Quick Response Code) is the trademark for a type of matrix barcode (or two-dimensional barcode) first designed for the automotive industry in Japan. A barcode is an optically machine-readable label that is attached to an item and that records information related to that item. The information encoded by a QR code may be made up of four standardized types (“modes”) of data or, through supported extensions, virtually any type of data.