No More Passwords
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
This idea broke today.
What happens: you go to a login page and there's a QR code. You snap a pic of the code with your phone and you're in.
What's under the hood: the QR code is to a URL on the site. This URL contains a long random number which is generated each time the page is served.
You have an app, which has your own private random number (your master key).
When you create an account on the site, the app creates a public-private key pair using your master key and the address of the QR code (minus the random number). This is your permanent (unless you revoke it), site-specific, public-private key pair.
You send the site your public key, and a signature for the entire URL (including the random number). If the public key unlocks the signature for the full URL, the site knows the login request has come from someone with your private key, which is you if you've done the "private" part right. That's it, you're in.
So, that's low-friction, nothing to remember (except a master password), and most importantly, the site never has your private key. If they get hacked, the hackers might get your info, but can't login as you.
I may not have gotten that 100% right in my explanation of how it works, but I'm close. You can get the full picture here
https://www.grc.com/sqrl/sqrl.htm
(Last edited by subego; Oct 2, 2013 at 04:10 PM.)
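The flow described in the post above, as an added example in Go (not code from the post or from the SQRL project). It assumes a hypothetical `/sqrl?nut=` login path and a constructed master key: the app derives a site-specific Ed25519 key from the master key and the host, signs the entire nonce URL, and the site verifies with the public key it was given.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
)

// siteKey derives the per-site key pair: HMAC-SHA256(master, host) gives a
// 32-byte seed, so the same master key and host always yield the same pair
// and no two sites share a key. The host is the QR address minus the nonce.
func siteKey(master []byte, host string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(host))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // seed is exactly 32 bytes
	return priv.Public().(ed25519.PublicKey), priv
}

// loginURL is what the site puts in the QR code: the login endpoint plus a
// fresh random number ("nut" is a hypothetical parameter name).
func loginURL(host string) (string, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return fmt.Sprintf("https://%s/sqrl?nut=%s", host, hex.EncodeToString(nonce)), nil
}

// signLogin is the app side: parse the scanned URL, derive the key for its
// host, and sign the whole URL (nonce included).
func signLogin(master []byte, rawURL string) (ed25519.PublicKey, []byte, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, nil, err
	}
	pub, priv := siteKey(master, u.Host)
	return pub, ed25519.Sign(priv, []byte(rawURL)), nil
}

// verifyLogin is the site side: the signature must cover exactly the URL the
// site issued, so a signature captured for one nonce is useless for another.
func verifyLogin(pub ed25519.PublicKey, issuedURL string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(issuedURL), sig)
}

func main() {
	master := []byte("constructed-32-byte-master-key!!") // constructed sample
	u, _ := loginURL("example.com")
	pub, sig, _ := signLogin(master, u)
	fmt.Println("login accepted:", verifyLogin(pub, u, sig))
}
```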
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
That's pretty bad ass.
-t
Mac Elite
Join Date: Oct 2000
Location: Oakland, CA
Registered User
Join Date: Apr 2001
Location: The Intertube
I think that's exactly how we login using web-based WeChat, one of the most popular mobile IM platforms.
there is nothing but a QR code there; just need to capture that with your WeChat app.
https://web.wechat.com/?lang=en
Mac Elite
Join Date: Dec 2003
Location: I'll let you know when I get there...
Someone steals your phone and they're in.
You lose your phone and you're out.
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
If you've never heard of DropBox, today is your lucky day. It's awesome.
http://www.dropbox.com
If you've never heard of how to lock a phone, may God have mercy on your soul.
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Originally Posted by Sealobo
I think that's exactly how we login using web-based WeChat, one of the most popular mobile IM platforms.
there is nothing but a QR code there; just need to capture that with your WeChat app.
https://web.wechat.com/?lang=en
Steve Gibson addressed the question of "did I invent something?"
His response: I don't care. I want to use it myself, so I'm putting it out there for all to use.
subego's commentary: patent troll in 3...2...
Mac Elite
Join Date: Dec 2003
Location: I'll let you know when I get there...
Oh so, a password on your phone?
I'm just playing devil's advocate here, it's a great idea; but, it has its flaws.
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Are you pointing out a flaw in the system, or in the (only slightly IMO) sensational title I chose?
Mea culpa. You may have one or two passwords.
Happy?
Addicted to MacNN
Join Date: Feb 2001
Location: Your Anus
I haven't read the link, but what if instead of having to snap a QR code it instead just used Bluetooth or NFC? Wouldn't that be better?
QR codes suck.
My sig is 1 pixel too big.
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
I'd say their suck vector comes from being misused. This seems like a proper use (a constantly changing web address).
I'm not sure I understand how Bluetooth/NFC would work.
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Originally Posted by ort888
I haven't read the link, but what if instead of having to snap a QR code it instead just used Bluetooth or NFC? Wouldn't that be better?
QR codes suck.
You should read the link, because what you suggest doesn't make sense.
-t
Mac Elite
Join Date: Nov 2003
Location: The back of the room
I started receiving phishing spam to the e-mail address (unique to them) I gave to DropBox.
I sent a support request wanting to know how this is possible. Did they sell my e-mail address or did they lose control of it?
They responded by informing me they currently have a high volume of support requests and that mine is very important to them and wouldn't be able to respond directly right away but would as soon as possible, 'kay?
They never responded.
**** DropBox. Let them eat 550.
Topic at hand... uh, yeah, that's neat. I'd rather not, though. Get off my lawn and what not.
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Happens to me occasionally, too. Even with reputable sites.
Let's not forget that emails are sent in clear text, so intercepting valid email addresses is not such a big effort.
-t
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Originally Posted by zro
Topic at hand... uh, yeah, that's neat. I'd rather not, though. Get off my lawn and what not.
What doesn't appeal to you?
DropBox is only one way to accomplish a vital part of the system: a way to access your "keychain" without your phone. There are other ways to do it.
Likewise, the QR code method isn't required. It would suck if you had to take a picture of a QR code on your own phone, or didn't have a phone. The QR idea just happens to be an elegant way to do things on laptops/desktops if you have an easily unlockable (for you) security "dongle" with a camera on your person at all times. As luck would have it, that's what a smartphone is.
You could easily just enter in your master password in some browser extension on your laptop/desktop, and have it work that way (like LastPass or 1Password), but taking a shot of a QR code, assuming it's a well designed app, sounds a whole lot easier.
I do almost all my browsing on my phone, so I wouldn't even be able to use the QR code method. I'd have to either enter my master password every time (awful), let my phone assume it's me (like with an autofill now), or ideally, integrate the fingerprint scanner.
(Last edited by subego; Oct 5, 2013 at 01:07 AM.)
Addicted to MacNN
Join Date: Nov 2002
Location: Rockville, MD
Originally Posted by subego
I do almost all my browsing on my phone, so I wouldn't even be able to use the QR code method
Couldn't you just use a mirror to let your phone see its own screen?
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
The camera should be able to read the QR code in the reflection of my eyeball, then it can do a retina scan and I've got my two-factor auth.
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
I'm listening to the podcast again, and (unsurprisingly) Steve has a better idea than DropBox.
His plan is you can generate an "exportable" version of your master key. It would be encrypted using Scrypt.
The idea behind Scrypt is there's little benefit to using parallel processors to decrypt it. If someone were to get a hold of the export version, each attempt to decrypt it would take enough time to start adding up quickly.
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Steve is (of course) talking about this on his show after it's had a week in the wild.
I'm still floored by how slick it is.
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Originally Posted by Sealobo
I think that's exactly how we login using web-based WeChat, one of the most popular mobile IM platforms.
there is nothing but a QR code there; just need to capture that with your WeChat app.
https://web.wechat.com/?lang=en
I'm getting curious about this. Do you also have a username and password?