Secure Quick Reliable Login (SQRL, pronounced “squirrel”) is a free and open-source program designed by Steve Gibson to replace the traditional username and password Web authentication process.
Using public-key cryptography, it allows a user to generate a single master token which can interface pseudonymously with websites, achieving login without having to reveal personal information or passwords.
Gibson performed the first SQRL login last week on the Security Now! podcast.
How It Works
Once the user downloads the SQRL client (available on Android, iOS and all desktop operating systems), the client generates a 256-bit master token. This single token can be used for identity purposes indefinitely, if the user chooses.
A SQRL-supporting website would display a QR code on its login page. The user either scans the QR code with their smartphone or, on a desktop, clicks it with the mouse. The QR code contains the Web server’s URL, which is then hashed with the user’s master token to create a private key (which doesn’t leave the user’s client). The Web server then receives a URL that’s cryptographically signed with the correct public key, and the login is authenticated.
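The flow described above, sketched in Go as an added example (not Gibson's code and not part of the original article). It assumes HMAC-SHA256 as the keyed hash and Ed25519 for signatures, keys on the URL's host so a site always sees the same public key, and uses constructed URLs; the client signs with the per-site private key and the server checks the signature against the matching public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"net/url"
)

// SiteKey derives a per-site key pair from the 256-bit master token and the
// host of the login URL (HMAC-SHA256 and Ed25519 are assumptions of this sketch).
func SiteKey(master []byte, loginURL string) (ed25519.PublicKey, ed25519.PrivateKey, error) {
	u, err := url.Parse(loginURL)
	if err != nil || u.Hostname() == "" {
		return nil, nil, fmt.Errorf("invalid login URL %q", loginURL)
	}
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(u.Hostname()))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // 32-byte MAC output is the seed
	return priv.Public().(ed25519.PublicKey), priv, nil
}

// ClientLogin signs the full login URL. Only the public key and the signature
// are returned for sending; the private key stays on the client.
func ClientLogin(master []byte, loginURL string) (ed25519.PublicKey, []byte, error) {
	pub, priv, err := SiteKey(master, loginURL)
	if err != nil {
		return nil, nil, err
	}
	return pub, ed25519.Sign(priv, []byte(loginURL)), nil
}

// ServerVerify checks the signature over the URL the server issued. The length
// guard matters: ed25519.Verify panics on a public key of the wrong size.
func ServerVerify(pub ed25519.PublicKey, loginURL string, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, []byte(loginURL), sig)
}

func main() {
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	a := "https://example.com/login?nonce=constructed-1" // constructed sample URLs
	b := "https://other.example/login?nonce=constructed-2"
	pubA, sigA, _ := ClientLogin(master, a)
	pubB, _, _ := ClientLogin(master, b)
	fmt.Println("verifies at A:", ServerVerify(pubA, a, sigA), "| replay at B:", ServerVerify(pubB, b, sigA), "| same identity:", pubA.Equal(pubB))
}
```

Because the public key differs per host, two sites cannot correlate the same user by key, and a signature captured for one URL does not verify for another.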
“The beauty of that is now we have a per-site private key generated from