New Standard For Website Authentication Proposed: SQRL (Secure QR Login)
fsagx writes "Steve Gibson has proposed a new standard method for website authentication. The SQRL system (pronounced 'squirrel') eliminates problems inherent in traditional login techniques. The website's login presents a QR code containing the URL of its authentication service, plus a nonce. The user's smartphone signs the login URL using a private key derived from its master secret and the URL's domain name. The smartphone sends the matching public key to identify the user, and the signature to authenticate it. It may be used alongside of traditional username/password to ease adoption."
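The exchange the summary describes, with both the phone's and the site's side, as an added example that is not part of the original submission or SQRL's own code. The summary does not name the primitives, so HMAC-SHA256 for key derivation and Ed25519 for signing are this example's assumptions, as are the function names, the sample secret and the sample URLs.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"net/url"
)

// siteKey derives a per-site signing key from the master secret and the
// login URL's domain. HMAC-SHA256 and Ed25519 are this example's choices.
func siteKey(master []byte, loginURL string) (ed25519.PrivateKey, error) {
	u, err := url.Parse(loginURL)
	if err != nil || u.Hostname() == "" {
		return nil, fmt.Errorf("bad login URL %q", loginURL)
	}
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(u.Hostname()))
	return ed25519.NewKeyFromSeed(mac.Sum(nil)), nil
}

// Respond is the phone's side: sign the full login URL (nonce included) and
// return the public key that identifies the user at this site.
func Respond(master []byte, loginURL string) (ed25519.PublicKey, []byte, error) {
	priv, err := siteKey(master, loginURL)
	if err != nil {
		return nil, nil, err
	}
	return priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, []byte(loginURL)), nil
}

// Verify is the site's side: the key must match the one stored for the
// account, and the signature must cover the exact URL the site issued.
func Verify(stored, pub ed25519.PublicKey, issuedURL string, sig []byte) bool {
	return bytes.Equal(stored, pub) && ed25519.Verify(pub, []byte(issuedURL), sig)
}

func main() {
	master := bytes.Repeat([]byte{0x42}, 32)          // constructed sample secret
	issued := "https://example.com/sqrl?nonce=4f1c9a" // constructed URL and nonce
	pub, sig, _ := Respond(master, issued)
	fmt.Println("valid login:", Verify(pub, pub, issued, sig))
	fmt.Println("replayed on new nonce:", Verify(pub, pub, "https://example.com/sqrl?nonce=77aa01", sig))
	other, _, _ := Respond(master, "https://example.org/sqrl?nonce=4f1c9a")
	fmt.Println("same key on another site:", bytes.Equal(pub, other))
}
```

Because the nonce is part of the signed URL, a captured signature fails against any later login the site issues, and because the key depends on the domain, the public key seen by one site does not match the one seen by another.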
Re:Steve Gibson is a... (Score:1, Interesting)
Re:Smartphone required to browse? (Score:2, Interesting)
Pull out your cellphone. Click. Now your IP on the cell and phone are tied to your browser session and its IP address. If geolocating wasn't easy enough, they have you at a doubly coordinated vector.
This one bites-- why not a Yubikey or another more easily used and less invasive secondary auth? It's not so much the niceness of a secondary auth, rather, it ties too much data for somebody's Hadoop mosh pit.
Re: Steve Gibson is a... (Score:3, Interesting)
But, one big problem I see with this, is likely that you will be giving your fucking phone number to every website you want to log onto using this.
I'm trying desperately to not give them any identifiable information on who I am, not more!!
Re:Google already dunnit (Score:3, Interesting)
I am *shocked* by the thought that Steve Gibson would claim something as an innovative and original idea that turns out to be old and tired. Shocked, I tell you! Surely this has never happened before... (http://www.theregister.co.uk/2002/02/25/steve_gibson_invents_broken_syncookies/)