SQRL
{{Short description|Draft open standard for identity verification}}
{{about|the computing topic|other uses|Sqrl (disambiguation){{!}}Sqrl}}
{{Infobox software
| name = SQRL
| title = Secure, Quick, Reliable Login
| logo = SQRL_icon_vector_outline.svg
| logo caption = SQRL Logo
| logo size = 128px
| author = Steve Gibson
| developer =
| released =
| discontinued =
| latest release version =
| latest release date =
| latest preview version =
| latest preview date =
| programming language =
| operating system = Cross-platform
| size =
| language = Afrikaans, Arabic, Armenian, Belarusian, Bulgarian, Catalan, Chinese Simplified, Chinese Traditional, Croatian, Czech, Danish, Dutch, English, English, Canada, English, United Kingdom, Esperanto, Estonian, Finnish, French, French, Canada, French, Quebec, German, Greek, Hebrew, Hindi, Hungarian, Icelandic, Indonesian, Irish, Italian, Japanese, Korean, Latvian, Lithuanian, Malayalam, Norwegian Bokmal, Norwegian Nynorsk, Persian, Polish, Portuguese (Portugal), Portuguese (Brazil), Romanian, Russian, Serbian (Cyrillic), Slovak, Slovenian, Spanish, Swahili, Kenya, Swahili, Tanzania, Swedish, Tagalog, Thai, Turkish, Ukrainian, Vietnamese, Welsh{{cite web |title=SQRL Translations |url= https://crowdin.com/project/sqrl |work=CrowdIn.com |access-date=July 16, 2015}}
| language count = 56
| genre = secure website login and authentication
| license = Public domain{{cite web |first=Steve |last=Gibson |author-link=Steve Gibson (programmer) |title=Secure Quick Reliable Login: A highly secure, comprehensive, easy-to-use replacement for usernames, passwords, reminders, one-time-code authenticators ... and everything else |date=2020 |work=GRC.com |publisher=Gibson Research Corporation |url= https://www.grc.com/sqrl/sqrl.htm |quote=Open & free, as it should be: The component techniques and technologies employed by this solution are all well known, well tested, well understood, unencumbered by patents, and exist in the public domain. ... With this publication of every detail, I hereby release and disclaim any and all proprietary rights to any new ideas developed and presented herein. This work is thereby added to the public domain. |access-date=March 7, 2021}}
| website = {{URL|https://www.grc.com/sqrl/sqrl.htm}}
}}
SQRL (pronounced "squirrel") or Secure, Quick, Reliable Login (formerly Secure {{abbr|QR|Quick Response code}} Login) is a draft open standard for secure website login and authentication. The software typically uses a link of the scheme {{samp|sqrl://}} or optionally a QR code, where a user identifies via a pseudonymous zero-knowledge proof rather than providing a user ID and password. This method is thought to be impervious to a brute-force password attack or data breach. It shifts the burden of security away from the party requesting the authentication and closer to the operating-system implementation of what is possible on the hardware, as well as to the user. SQRL was proposed by Steve Gibson of Gibson Research Corporation in October 2013 as a way to simplify the process of authentication without the risk of revelation of information about the transaction to a third party.
History
The acronym SQRL was coined by Steve Gibson, and the protocol was drafted, discussed and analyzed in depth by Gibson and a community of Internet security enthusiasts on the {{samp|news.grc.com}} newsgroups and during his weekly podcast, Security Now!, on October 2, 2013. Within two days of the airing of this podcast, the W3C expressed interest in working on the standard.{{cite web |first=Steve |last=Gibson |author-link=Steve Gibson (programmer) |url= https://www.grc.com/sn/sn-425.txt |title=SQRL Q&A #176 (Transcript) |date=October 9, 2013 |work=Security Now! |issue=425 |publisher=Gibson Research Corporation |via=GRC.com |access-date=October 16, 2013}}
Google Cloud Platform developers Ian Maddox and Kyle Moschetto mentioned SQRL in their document "Modern Password Security for System Designers".{{cite web |first1=Ian |last1=Maddox |first2=Kyle |last2=Moschetto |title=Modern Password Security for System Designers |url= https://cloud.google.com/solutions/modern-password-security-for-system-designers.pdf |work=Cloud.Google.com |date=2019 |access-date=March 7, 2021}}
A thesis analyzing SQRL found that "it appears to be an interesting approach, both in terms of the envisioned user experience as well as the underlying cryptography. SQRL is mostly combining well established cryptography in a novel way."{{cite thesis |type=BSc |first=Karol |last=Babioch |title=Security Analysis and Implementation of the SQRL Authentication Scheme |date=May 15, 2014 |editor-first=Thomas |editor-last=Kittel |publisher=IT Security, Department of Informatics, Technical University of Munich |url= https://www.sec.in.tum.de/finished-work/publication/318 |url-status=dead |archive-url= https://web.archive.org/web/20160305153938/https://www.sec.in.tum.de/finished-work/publication/318 |archive-date=March 5, 2016 |access-date=March 18, 2015}} English-language abstract; full text of original German paper, "Sicherheitsanalyse und Implementierung des Authentifikationsverfahrens SQRL", does not appear to be available.
Benefits
The protocol is an answer to a problem of identity fragmentation. It improves on protocols such as OAuth and OpenID by not requiring a third party to broker the transaction, and by not giving a server any secrets to protect, such as username and password.
Additionally, it provides a standard that can be freely used to simplify the login processes available to password manager applications. More importantly, the standard is open so no one company can benefit from owning the technology. According to Gibson's website, such a robust technology should be in the public domain so the security and cryptography can be verified, and not deliberately restricted for commercial or other reasons.
=Phishing protections=
SQRL has some design-inherent and intentional phishing defenses,{{cite web |last=Gibson |first=Steve |author-link=Steve Gibson (programmer) |date=2014 |title=Revolutionizing Website Login and Authentication with SQRL |url=http://vimeo.com/112444120 |access-date=March 7, 2021 |publisher=DigiCert Security Summit |via=Vimeo}} but it is mainly intended for authentication rather than as an anti-phishing mechanism.{{cite web |last=Gibson |first=Steve |author-link=Steve Gibson (programmer) |title=How SQRL Can Thwart Phishing Attacks |work=GRC.com |publisher=Gibson Research Corporation |date=December 6, 201 |url= https://www.grc.com/sqrl/phishing.htm |access-date=March 7, 2021}}
Example use case
For the protocol to be used on a website, two components are necessary: a server-side implementation that is part of the web service being authenticated to, which displays a QR code or specially crafted URL according to the specifications of the protocol; and a browser plugin or mobile application that can read this code in order to provide secure authentication.{{Cite web |title=CAS - SQRL Authentication |url=https://unicon.github.io/cas/development/protocol/SQRL-Protocol.html |access-date=2025-06-03 |website=unicon.github.io}}
The SQRL client uses one-way functions and the user's single master password to decrypt a secret master key. From that key, in combination with the site domain name and optionally an additional sub-site identifier (e.g., {{samp|example.com}} or {{samp|example.edu/chessclub}}), it generates a (sub-)site-specific public/private key pair. It signs the transaction tokens with the private key and gives the public key to the site, so the site can verify the encrypted data.
There are no "shared secrets" which a compromise of the site could expose to allow attacks on accounts at other sites. The only thing a successful attacker could get, the public key, would be limited to verifying signatures that are only used at the same site. Even though the user unlocks the master key with a single password, it never leaves the SQRL client; the individual sites do not receive any information from the SQRL process that could be used at any other site.
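The per-site key derivation and token signing described above, as an added example (not code from the SQRL specification or from any implementation listed in this article). It assumes HMAC-SHA256 as the one-way function and Ed25519 as the signature scheme, neither of which this article names; the function names <code>SiteKey</code>, <code>Login</code> and <code>ServerVerify</code>, the master key and the tokens are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// SiteKey derives a per-site Ed25519 key pair from the unlocked master key and
// the site identifier (domain plus optional sub-site path). Assumption: the
// keyed one-way function is HMAC-SHA256; the article does not name one.
func SiteKey(masterKey []byte, site string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(site))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // 32-byte digest used as the seed
	return priv.Public().(ed25519.PublicKey), priv
}

// Login is the client side: it signs the site's transaction token. Only the
// public key and the signature are sent; the master key stays on the client.
func Login(masterKey []byte, site string, token []byte) (ed25519.PublicKey, []byte) {
	pub, priv := SiteKey(masterKey, site)
	return pub, ed25519.Sign(priv, token)
}

// ServerVerify is the site's check: the presented key must equal the key stored
// for the account, and the signature must cover the token this site issued.
func ServerVerify(stored, presented ed25519.PublicKey, token, sig []byte) bool {
	return bytes.Equal(stored, presented) && ed25519.Verify(presented, token, sig)
}

func main() {
	master := bytes.Repeat([]byte{0x42}, 32) // constructed sample key, not a real identity
	token := []byte("constructed-nonce-0001")
	pubA, sigA := Login(master, "example.com", token)
	pubB, _ := Login(master, "example.edu/chessclub", token)

	fmt.Println("same identity, same site verifies:", ServerVerify(pubA, pubA, token, sigA))
	fmt.Println("keys differ across sites:", !bytes.Equal(pubA, pubB))
	// A public key stored at one site is not accepted at another, and a
	// signature does not carry over to a different token.
	fmt.Println("cross-site reuse rejected:", !ServerVerify(pubB, pubA, token, sigA))
	fmt.Println("reuse on new token rejected:", !ServerVerify(pubA, pubA, []byte("constructed-nonce-0002"), sigA))
}
```

The server stores only the 32-byte public key per account, which is why a breach of one site's database yields nothing that validates at another site.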
SQRL implementations
A number of proof-of-concept implementations have been made for various platforms.
= For the server =
- C# .NET{{cite web |date=April 9, 2020 |title=jestin/SqrlNet |url=https://github.com/jestin/SqrlNet |access-date=2025-06-03 |via=GitHub}}{{cite web |date=November 1, 2020 |title=TechLiam/SQRL-For-Dot-Net-Standard |url=https://github.com/TechLiam/SQRL-For-Dot-Net-Standard |access-date=2025-06-03 |via=GitHub}}
- Drupal{{cite web |date=October 4, 2013 |title=Secure QR Login |url=https://www.drupal.org/project/sqrl |access-date=2025-06-03 |website=Drupal.org}}
- Go{{Citation |last=Loader |first=Ryan |title=SQRL |date=2021-04-29 |url=https://github.com/RaniSputnik/sqrl-go |access-date=2022-10-30}}
- PHP{{cite web |date=January 9, 2021 |title=trianglman/sqrl |url=https://github.com/trianglman/sqrl |access-date=2025-06-03 |via=GitHub}}
- Python{{Citation |last=Pinkney |first=Brian |title=pySQRL |date=2022-06-15 |url=https://github.com/bushxnyc/sqrl |access-date=2022-10-30}}
- WordPress{{Cite web |last=Persson |first=Daniël |title=SQRL Login – WordPress plugin |url=https://wordpress.org/plugins/sqrl-login/ |access-date=2025-06-03 |website=WordPress.org}}
= For the client =
- Android{{cite web |date=January 25, 2021 |title=geir54/android-sqrl |url=https://github.com/geir54/android-sqrl |access-date=2025-06-03 |via=GitHub}}{{cite web |title=SQRL implementations on Android and it works! |first=Paul |last=Sylvester |date=December 25, 2014 |work=Paul's Tech Talk |url= https://www.paulstechtalk.com/2014/12/sqrl-implementations-on-android-and-it-works/ |url-status=dead |archive-url= https://web.archive.org/web/20150402132412/https://www.paulstechtalk.com/2014/12/sqrl-implementations-on-android-and-it-works/ |archive-date=April 2, 2015 |access-date=March 17, 2015}}{{Cite web |title=SQRL on Google Play |url=https://me-qr.com/qr-code-generator/text |url-status=dead |archive-url=https://archive.ph/YivWn |archive-date=2015-03-17 |access-date=2015-03-17 |website=Google Play}}
- C# .NET
- iOS{{Citation |last=Stidard |first=James |title=Stash iOS |date=2022-06-22 |url=https://github.com/jamesstidard/Stash-iOS |access-date=2022-10-30}}
- Java{{cite web|url=https://github.com/TheBigS/SQRL|archiveurl=https://archive.today/20150317214235/https://github.com/TheBigS/SQRL|archive-date=2015-03-17|title=TheBigS/SQRL · GitHub|website=GitHub |access-date=2015-03-17|url-status=live}}
- Python{{cite web |date=September 2, 2020 |title=bushxnyc/sqrl |url=https://github.com/bushxnyc/sqrl |access-date=2025-06-03 |via=GitHub}}
- Rust
= For the browser =
- Firefox{{Cite web |title=SQRL – Get this Extension for 🦊 Firefox (en-US) |url=https://addons.mozilla.org/en-US/firefox/addon/sqrl/ |access-date=2022-10-30 |website=addons.mozilla.org |language=en-US}}
There are also various server-end test and debugging sites available.{{cite web |title=GRC {{pipe}} SQRL Secure Quick Reliable Login Demonstration |url=https://www.grc.com/sqrl/demo.htm |access-date=2025-06-03 |website=www.grc.com}}{{cite web |title=GRC {{pipe}} SQRL Secure Quick Reliable Login Diagnostic |url=https://www.grc.com/sqrl/diag.htm |access-date=2025-06-03 |website=www.grc.com}}
Legal aspects
Steve Gibson states that SQRL is "open and free, as it should be", and that the solution is "unencumbered by patents". After SQRL brought a lot of attention to QR-code-based authentication mechanisms, blogger Michael Beiter said that the suggested protocol had been patented earlier and was thus not generally available for royalty-free use.{{cite web |url= http://www.michael.beiter.org/2013/10/04/steve-gibsons-sqrl-is-not-really-new/ |title=Steve Gibson's SQRL Is Not Really New |first=Michael |last=Beiter |date=October 4, 2013 |access-date=May 12, 2014}} The patent in question (not expiring until 2030) was applied for by, and granted to, the Spanish company GMV Soluciones Globales Internet SA (a division of the Madrid-based technology and aerospace corporation GMV Innovating Solutions) between 2008 and 2012, by the patent offices of the United States, the European Union, Spain, and Portugal.{{cite patent |title=Method and system for authenticating a user by means of a mobile device |country=US |number=8261089 |status=patent |assign1=GMV Soluciones Globales Internet SA |invent1=Leon Cobos, Juan Jesús |invent2=Celis de la Hoz, Pedro |gdate=September 4, 2012 |fdate=September 17, 2009 |pridate=September 17, 2009}}
Gibson responded: "What those guys are doing as described in that patent is completely different from the way SQRL operates, so there would be no conflict between SQRL and their patent. Superficially, anything that uses a 2D code for authentication seems 'similar' ... and superficially all such solutions are. But the details matter, and the way SQRL operates is entirely different in the details."{{cite web |first=Steve |last=Gibson |author-link=Steve Gibson (programmer) |title=Other Work Related to QR Code Login |url= https://www.grc.com/sqrl/other.htm |date=2020 |work=GRC.com |publisher=Gibson Research Corporation |access-date=22 September 2015}}
See also
{{div col|colwidth=30em}}
- WebAuthn
- BrowserID
- Central Authentication Service
- Information Card
- Light-weight Identity
- OAuth
- OpenID Connect
- Single sign-on
- WebID
- FIDO Alliance
{{div col end}}
References
{{Reflist}}
External links
- [https://www.grc.com/sqrl/sqrl.htm SQRL homepage] at GRC.com
- {{cite web |title=How SQRL may improve the website login and authentication process |first=Martin |last=Brinkmann |date=October 9, 2013 |work=GHacks.net |url= http://www.ghacks.net/2013/10/09/sqrl-may-improve-website-login-authentication-process/ |access-date=March 7, 2021}}
- {{cite web |title=SQRL: A new method of authentication with QR codes |first=Patrick |last=Lambert |date=2013 |work=Tech Republic |url= http://www.techrepublic.com/blog/it-security/sqrl-a-new-method-of-authentication-with-qr-codes/ |access-date=March 7, 2021}}
- {{cite web |title=Authentication Without Passwords Implementing SQRL |first=Daniel |last=Holmlund |date=January 3, 2014 |work=2014 HTML5 Developer Conference |publisher=Silicon Valley International Game Developers Association |url= https://www.youtube.com/watch?v=WHFaiUc7Qwk&index=71&list=PLAIXSzgkhDs63Re9ir_drprptDpVzVcGW |via=YouTube |access-date=March 8, 2021}}
Category:Access control software