undefined | Better HN

0 pointsrichardjs12y ago0 comments

It's not really a password manager--there's no shared secrets. The site identifies you by a public key. For authentication, it gives you a nonce, and you sign it with the corresponding private key. All the secrets are kept on your device.

I've wondered about the "something I know" dimension as well. Perhaps a passphrase could be used (it already is used to secure the master key). It'd still be a major improvement, as only your local device would need it, and you wouldn't have to have a separate password for each site.

0 comments

3 comments · 2 top-level

elliottcarlson12y ago· 1 in thread

Right; I guess password manager was a bit of an over simplification there - sorry about that, as was the fingerprint analogy - I guess it's more a concern of someone having my phone and thus instant access. An additional factor would help with that by bringing in the "something I know" dimension.

richardjsOP12y ago

Yeah, that's a concern of mine too. Looking deeper at the description, looks like he describes a passphrase-like "local password" on the "The user's view of the application" page [1]. Hopefully that would address that issue (at least as much as passphrases do for SSH keys).

(And no problem. If we were forced to comment using only precise terms, with no simplifications, comments would either be ridiculously long or nonexistent.)

[1] https://www.grc.com/sqrl/userview.htm

nly12y ago

SQRL doesn't require a password for each site. The password protects the master key, which is reconstructed before the site-specific key is derived.

j / k navigate · click thread line to collapse