Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > Community > MacNN Lounge > No More Passwords

No More Passwords
Thread Tools
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Offline
Reply With Quote
Oct 2, 2013, 03:57 PM
 
This idea broke today.

What happens: you go to a login page and there's a QR code. You snap a pic of the code with your phone and you're in.


What's under the hood: the QR code is to an URL on the site. This URL contains a long random number which is generated each time the page is served.

You have an app, which has your own private random number (your master key).

When you create an account on the site, the app creates a public-private key pair using your master key and the address of the QR code (minus the random number). This is your permanent (unless you revoke it), site-specific, public-private key pair.

You send the site your public key, and a signature for the entire URL (including the random number). If the public key unlocks the signature for the full URL, the site knows the login request has come from someone with your private key, which is you if you've done the "private" part right. That's it, you're in.

So, that's low-friction, nothing to remember (except a master password), and most importantly, the site never has your private key. If they get hacked, the hackers might get your info, but can't login as you.


I may not have gotten that 100% right in my explanation of how it works, but I'm close. You can get the full picture here

https://www.grc.com/sqrl/sqrl.htm
( Last edited by subego; Oct 2, 2013 at 04:10 PM. )
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Reply With Quote
Oct 2, 2013, 05:34 PM
 
That's pretty bad ass.

-t
     
exca1ibur
Mac Elite
Join Date: Oct 2000
Location: Oakland, CA
Status: Offline
Reply With Quote
Oct 2, 2013, 06:06 PM
 
Damn, good find.
     
Sealobo
Registered User
Join Date: Apr 2001
Location: The Intertube
Status: Offline
Reply With Quote
Oct 3, 2013, 12:00 PM
 
i think that's exactly how we login using web-based WeChat, one of the most popular mobile IM platforms.

there is nothing but a QR code there; just need to capture that with your WeChat app.

https://web.wechat.com/?lang=en
     
boy8cookie
Mac Elite
Join Date: Dec 2003
Location: I'll let you know when I get there...
Status: Offline
Reply With Quote
Oct 3, 2013, 02:35 PM
 
Someone steals your phone and they're in.

You lose your phone and you're out.
     
subego  (op)
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Offline
Reply With Quote
Oct 3, 2013, 04:52 PM
 
If you've never heard of DropBox, today is your lucky day. It's awesome.

http://www.dropbox.com



If you've never heard of how to lock a phone, may God have mercy on your soul.
     
subego  (op)
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Offline
Reply With Quote
Oct 3, 2013, 06:43 PM
 
Originally Posted by Sealobo View Post
i think that's exactly how we login using web-based WeChat, one of the most popular mobile IM platforms.

there is nothing but a QR code there; just need to capture that with your WeChat app.

https://web.wechat.com/?lang=en
Steve Gibson addressed the question of "did I invent something?"

His response: I don't care. I want to use it myself, so I'm putting it out there for all to use.

subego's commentary: patent troll in 3...2...
     
boy8cookie
Mac Elite
Join Date: Dec 2003
Location: I'll let you know when I get there...
Status: Offline
Reply With Quote
Oct 4, 2013, 03:21 PM
 
Oh so, a password on your phone?

I'm just playing devil's advocate here, it's a great idea; but, it has it's flaws.
     
subego  (op)
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Offline
Reply With Quote
Oct 4, 2013, 03:39 PM
 
Are you pointing out a flaw in the system, or in the (only slightly IMO) sensational title I chose?

Mea culpa. You may have one or two passwords.

Happy?
     
ort888
Addicted to MacNN
Join Date: Feb 2001
Location: Your Anus
Status: Offline
Reply With Quote
Oct 4, 2013, 04:54 PM
 
I haven't read the link, but what if instead of having to snap a QR code it instead just used Bluetooth or NFC? Wouldn't that be better?

QR codes suck.

My sig is 1 pixel too big.
     
subego  (op)
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Offline
Reply With Quote
Oct 4, 2013, 05:04 PM
 
I'd say their suck vector comes from being misused. This seems like a proper use (a constantly changing web address).

I'm not sure I understand how Bluetooth/NFC would work.
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Reply With Quote
Oct 4, 2013, 05:40 PM
 
Originally Posted by ort888 View Post
I haven't read the link, but what if instead of having to snap a QR code it instead just used Bluetooth or NFC? Wouldn't that be better?

QR codes suck.
You should read the link, because what you suggest doesn't make sense.

-t
     
zro
Mac Elite
Join Date: Nov 2003
Location: The back of the room
Status: Offline
Reply With Quote
Oct 5, 2013, 12:21 AM
 
I started receiving phishing spam to the e-mail address (unique to them) I gave to DropBox.

I sent a support request wanting to know how this is possible. Did they sell my e-mail address or did they lose control of it?

They responded by informing me they currently have a high volume of support requests and that mine is very important to them and wouldn't be able to respond directly right away but would as soon as possible, 'kay?

They never responded.

**** DropBox. Let them eat 550.


Topic at hand... uh, yeah, that's neat. I'd rather not, though. Get off my lawn and what not.
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Reply With Quote
Oct 5, 2013, 12:39 AM
 
Happens to me occasionally, too. Even with reputable sites.

Let's not forget that email are sent in clear text, so intercepting valid email addresses is not such a big effort.

-t
     
subego  (op)
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Offline
Reply With Quote
Oct 5, 2013, 12:54 AM
 
Originally Posted by zro View Post
Topic at hand... uh, yeah, that's neat. I'd rather not, though. Get off my lawn and what not.
What doesn't appeal to you?

DropBox is only one way to accomplish a vital part of the system: a way to access your "keychain" without your phone. There are other ways to do it.

Likewise, the QR code method isn't required. It would suck if you had to take a picture of a QR code on your own phone, or didn't have a phone. The QR idea just happens to be an elegant way to do things on laptops/desktops if you have an easily unlockable (for you) security "dongle" with a camera on your person at all times. As luck would have it, that's what a smartphone is.

You could easily just enter in your master password in some browser extension on your laptop/desktop, and have it work that way (like LastPass or 1Password), but taking a shot of a QR code, assuming it's a well designed app, sounds a whole lot easier.

I do almost all my browsing on my phone, so I wouldn't even be able to use the QR code method. I'd have to either enter my master password every time (awful), let my phone assume it's me (like with an autofill now), or ideally, integrate the fingerprint scanner.
( Last edited by subego; Oct 5, 2013 at 01:07 AM. )
     
Uncle Skeleton
Addicted to MacNN
Join Date: Nov 2002
Location: Rockville, MD
Status: Offline
Reply With Quote
Oct 5, 2013, 09:04 PM
 
Originally Posted by subego View Post
I do almost all my browsing on my phone, so I wouldn't even be able to use the QR code method
Couldn't you just use a mirror to let your phone see its own screen?
     
subego  (op)
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Offline
Reply With Quote
Oct 6, 2013, 04:50 PM
 
The camera should be able to read the QR code in the reflection of my eyeball, then it can do a retina scan and I've got my two-factor auth.
     
subego  (op)
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Offline
Reply With Quote
Oct 6, 2013, 06:51 PM
 
I'm listening to the podcast again, and (unsurprisingly) Steve has a better idea than DropBox.

His plan is you can generate an "exportable" version of your master key. It would be encrypted using Scrypt.

The idea behind Scrypt is there's little benefit to using parallel processors to decrypt it. If someone were to get a hold of the export version, each attempt to decrypt it would take enough time to start adding up quickly
     
subego  (op)
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Offline
Reply With Quote
Oct 9, 2013, 02:39 PM
 
Steve is (of course) talking about this on his show after it's had a week in the wild.

I'm still floored by how slick it is.
     
subego  (op)
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Offline
Reply With Quote
Oct 13, 2013, 07:21 AM
 
Originally Posted by Sealobo View Post
i think that's exactly how we login using web-based WeChat, one of the most popular mobile IM platforms.

there is nothing but a QR code there; just need to capture that with your WeChat app.

https://web.wechat.com/?lang=en
I'm getting curious about this. Do you also have a username and password?
     
   
Thread Tools
 
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Top
Privacy Policy
All times are GMT -4. The time now is 01:30 PM.
All contents of these forums © 1995-2017 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2017, Jelsoft Enterprises Ltd.,