On 13 Nov 2013, at 11:29 PM, Walter Summonte <wal...@summonte.com> wrote:
> Hi all,
> Really, I do not understand all this interest in an old idea just restyled using a QR code to pass input data.
> The Challenge Response (http://tools.ietf.org/html/rfc6287) is standardized and gives the simplest way to implement this kind of security.
> The trick to derive the url/pass/etc .. by a resulted response ... it's just a smart way to use the same concept.
> This solution is just a reinvented wheel (square imho)
>
> Using a simple Challenge/Response extension in Google Authenticator will give a simpler and better result.

I think you might be missing the point of SQRL. OCRA requires a shared secret; SQRL does not.

> https://www.grc.com/sqrl/sqrl.htm
>
> It's an interesting idea. What do you think?
>
> "With Secure QR Login, your phone snaps
> the QR code displayed on a website's login
> page . . . . and YOU are securely logged in. "
>
> "
> Wishing to login to an online service where an “SQRL” code appears nearby:
> • The user launches their smartphone's SQRL app, and lets it see the QR code.
> (Or a smartphone / tablet user taps it. Or a laptop / desktop user clicks on it.)
> • For verification, the SQRL app displays the domain name contained in the SQRL code.
> • After verifying the domain, the user permits the SQRL app to authenticate their identity.
> • Leaving the login information blank, the user clicks the “Log in” button... and is logged in.
> (A bit of page automation could even eliminate the need to click the “Log in” button.)
> "
>
> Some implementations: https://www.grc.com/sqrl/implementations.htm
> * Drupal sandbox
> * PHP server-side implementation
> * WordPress plugin
> etc.
>
>