Secure Quick Reliable Login, login in the future?
Steve Gibson has suggested a new login system named Secure Quick Reliable Login (SQRL). [url=https://www.grc.com/sqrl/sqrl.htm]https://www.grc.com/sqrl/sqrl.htm[/url] What do you think of this, is it the future of login?
It is probably ONE future.
I recently read a couple of articles in Communications of the ACM which clearly documented that username/password is not viable. Any rules we have about passwords are from the age of the tty terminal. A cheap GPU-based system now renders 64-character passwords vulnerable. We clearly need something better than a phrase we are able to remember.
The downside to SQRL is that you need a smartphone. Some people may have theirs handy at all times, but mine is as frequently being charged when I use the workstation. At least when I am in Norway. Not to mention that I often forget it there when I am away and want to use the laptop.
There is also the issue of stolen or lost phones. The app really needs to be well protected.
I would like to use a user certificate to log in. That is part of the mainstream SSL technology, so it will be well supported and maintained. The problem is how to securely transmit the certificate to the user. I think SQRL may be ideal for that purpose, and also for one-off or occasional logins. Then you can use a certificate on computers you deem well secured and SQRL in other cases.
I see that they have refined the system now, and have addressed some of the same problems I mentioned.
Does Yubikey serve this function?