Thanks for the pointer, but I'm initially very skeptical. Not to judge a book by its cover, but that website looks like it was made in 1990. They also don't do a very good job explaining what this is. I found this:
It says "Using a SQRL app, a master identity is created and shared among the devices. Websites which support SQRL logon trigger the app to securely identify the user."
How does this happen? How can a website talk to an app?
The first document, SQRL explained, does a decent job describing how the system works. Having to download a PDF to read text on a website isn't the greatest of UX experiences.
The talking to seems to happen through a custom sqrl: URI-scheme. That's something that's supported by most platforms I know of; Steam uses the same mechanism to start installing a game you purchased in the browser, if I remember correctly.
To me, it's much more concerning that they do such a bad job of telling me what SQRL does than the fact that the page looks dated. At least it's clean-looking.
But I clicked around for a while and only found some videos that might show me what SQRL does, but I didn't actually feel like watching a video, so I still don't know.
Based on what I read, it sounds like snake oil so far. Too good to be true. I don't remember the phrase, but it suggested it would be my last password solution ever, which just sounds like snake oil.
Also, it seems like only the Windows implementation is mature. All other implementations are by third parties and are marked as not being complete.
I would recommend reading through at least the first PDF on the site to get an idea of what it is and how it works. The short version is: it's a replacement password-manager-esque protocol that enables logging into a web server while leaving no compromisable secret in the server's database.
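The "no compromisable secret on the server" property mentioned in the comment above, as an added example in Go (not code from the SQRL project or the commenter). It uses the spec's per-site key derivation (HMAC-SHA256 of the master identity key over the site domain, used as an Ed25519 seed) but simplifies the signed message to domain plus a server nonce; the Server/Respond structure, the nonce format and the master key value are assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// SiteKey: HMAC-SHA256 keyed with the 32-byte master identity key over the site domain, used as an Ed25519 seed (per the spec).
func SiteKey(masterKey []byte, domain string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(domain))
	return ed25519.NewKeyFromSeed(mac.Sum(nil))
}

// Server keeps only public keys and unused nonces: a dump of this state holds no login secret.
type Server struct {
	Domain string
	users  map[string]bool // hex(public key) -> registered
	nonces map[string]bool // issued challenges not yet consumed
}
func NewServer(domain string) *Server {
	return &Server{Domain: domain, users: map[string]bool{}, nonces: map[string]bool{}}
}

// Challenge issues a random nonce (assumed stand-in for the server's SQRL query) and remembers it.
func (s *Server) Challenge() string {
	b := make([]byte, 16)
	rand.Read(b)
	n := hex.EncodeToString(b)
	s.nonces[n] = true
	return n
}
func (s *Server) Register(pub ed25519.PublicKey) { s.users[hex.EncodeToString(pub)] = true }

// Login checks the signature over domain|nonce and consumes the nonce, so a captured response cannot be replayed.
func (s *Server) Login(pub ed25519.PublicKey, nonce string, sig []byte) bool {
	if !s.nonces[nonce] || !s.users[hex.EncodeToString(pub)] {
		return false
	}
	delete(s.nonces, nonce)
	return ed25519.Verify(pub, []byte(s.Domain+"|"+nonce), sig)
}

// Respond is the client side: derive the site key on the device and sign the challenge.
func Respond(masterKey []byte, domain, nonce string) (ed25519.PublicKey, []byte) {
	priv := SiteKey(masterKey, domain)
	return priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, []byte(domain+"|"+nonce))
}
```

Because the site key is derived rather than stored, the same master key yields the same public key for a site on every device, while different sites get unrelated keys.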
> Some web sites have started to offer support for passwordless authentication using FIDO2 hardware keys. This offers similar security properties to SQRL (in some ways arguably better), while also being very simple to use.
Right.
> A major downside is difficulty of backup. The private keys are locked inside the hardware and cannot be accessed in any way.
That's a feature, not a bug. You buy at least 2 keys (1 backup), ideally 3 (2 backup).
As for SQRL, I never took anything seriously at grc.com/Steve Gibson. He was all about snake oil 20 years ago, and probably still is.
Why is this better than WebAuthn? It looks almost the same but WebAuthn has much more support. It can use software-defined keys like Krypton though certainly it would be good for browsers to have standard APIs for this stuff.
The spec was recently completed and there are multiple efforts to bring it into a more well-rounded existence. The work is being done by volunteers, so it may take some time to become a reality across the internet; however, the seeds are all there to make it work, and with some dedication from volunteers I think it has a bright future as possibly being the preferred password manager in the future. If you browse the SQRL forums, you can get an idea of where all the different efforts are playing out, but there is no real central repo of all SQRL code. https://sqrl.grc.com/
https://sqrl.grc.com/pages/introductory_questions_and_answer...
It says "Using a SQRL app, a master identity is created and shared among the devices. Websites which support SQRL logon trigger the app to securely identify the user."
How does this happen? How can a website talk to an app?
Also where is the source code?