Security Encyclopedia

Secure, Quick, Reliable Login (SQRL)

Secure, Quick, Reliable Login (SQRL) is an open standard for authenticating users to web services. Pronounced “squirrel”, it does not rely on shared secrets such as the username and password scheme. Instead, it utilizes public-key cryptography (PKC) and software on the user’s device to securely identify the user.

In 2013 Steve Gibson of Gibson Research Corporation introduced SQRL. The technology requires an implementation by the service provider and either a mobile app or a browser plugin on the user side. Users are required to remember just one password, delivering a user experience (UX) akin to single sign-on (SSO). That password does not release or unlock stored credentials, however; it initiates a PKC exchange between the user and the service, using known information about the site together with hashed values unique to the session and user. If using a mobile device to authenticate, the user is prompted to scan a QR code to initiate the cryptographic exchange. In either case, the session-identifying token is composed of the URL and additional characters.

SQRL is efficient for both the enterprise and the user. Because a unique public key is exchanged each time the user authenticates, the enterprise or service provider has no need whatsoever to implement username and password infrastructure. For users, SQRL removes the need for any password creation or management. It therefore avoids the weakness of the dominant form of shared-secret-based single-factor authentication (SFA). It also limits identity fragmentation (identity sprawl): where the user’s preferred services adopt SQRL, the user is not required to own and manage a separate password for each of them.
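The following Go program is an added illustration of the exchange described above; it is not code from the SQRL project or from Gibson Research Corporation, and it is a simplified model rather than the SQRL wire protocol. It assumes, as the SQRL design does, that a single master key is turned into a distinct Ed25519 key pair for each site by taking an HMAC-SHA256 of the site's domain under the master key, that the service stores only the resulting public key (no password database), and that a login consists of the client signing a fresh server nonce bound to the domain. The service, function and type names are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SiteKeyPair derives a per-site Ed25519 key pair from the user's master
// key: HMAC-SHA256(master key, domain) is used as the Ed25519 seed, so one
// master key yields a different, unlinkable identity at every domain.
func SiteKeyPair(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	seed := mac.Sum(nil) // 32 bytes, exactly ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// Service is the relying party. It holds public keys only, so a breach of
// its account store exposes nothing that lets an attacker log in.
type Service struct {
	Domain string
	known  map[string]bool // hex(public key) -> registered account
}

func NewService(domain string) *Service {
	return &Service{Domain: domain, known: map[string]bool{}}
}

// Register records a user's site-specific public key as an account.
func (s *Service) Register(pub ed25519.PublicKey) {
	s.known[hex.EncodeToString(pub)] = true
}

// Challenge issues a fresh random nonce that binds a single login attempt
// (the role the session-unique token plays in the text above).
func (s *Service) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce
}

// loginMessage is what the client signs: the domain it believes it is
// talking to plus the server's nonce, so a signature can neither be
// replayed nor presented to a different site.
func loginMessage(domain string, nonce []byte) []byte {
	return append([]byte(domain+"\x00"), nonce...)
}

// SignLogin is the client side: sign the challenge with the per-site key.
func SignLogin(priv ed25519.PrivateKey, domain string, nonce []byte) []byte {
	return ed25519.Sign(priv, loginMessage(domain, nonce))
}

// VerifyLogin is the server side: the public key must belong to a registered
// account and the signature must cover this service's domain and this nonce.
func (s *Service) VerifyLogin(pub ed25519.PublicKey, nonce, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || !s.known[hex.EncodeToString(pub)] {
		return false
	}
	return ed25519.Verify(pub, loginMessage(s.Domain, nonce), sig)
}

func main() {
	// Constructed master key for the demonstration; a real one is random.
	master := []byte("constructed 32-byte master key!!")
	svc := NewService("example.com")
	pub, priv := SiteKeyPair(master, svc.Domain)
	svc.Register(pub)

	nonce := svc.Challenge()
	sig := SignLogin(priv, svc.Domain, nonce)
	fmt.Println("login accepted:", svc.VerifyLogin(pub, nonce, sig))

	// The same master key produces an unrelated identity at another site.
	other, _ := SiteKeyPair(master, "other.example")
	fmt.Println("same identity at other site:", pub.Equal(other))
}
```

The two checks in VerifyLogin carry the security argument: the per-site key means a compromised service learns nothing usable elsewhere, and signing the domain together with a one-time nonce means a captured login response is useless for replay or for a different site.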

Example:

“We’ve implemented SQRL as an SSO solution to the challenge of identity sprawl created by many applications. Instead of creating and managing accounts for 10 company applications, our internal teams use SQRL to log in with just one master password to rule them all.”