#sqrl enemy pix
Today* in Hawks*** around Town...
@lwinkler @kuketzblog Here is a post on the topic that is relevant on both the technical and the legal side: https://security.stackexchange.com/questions/226256/is-there-a-standard-for-otps-tied-to-transaction-details-that-has-been-implemen
Consequently, the question would probably be whether/when banks discover #sqrl or #webauthn for #psd2.
@timbray This is why I like #SQRL https://en.wikipedia.org/wiki/SQRL better.
Sure, instead of using a standard protocol, he used a custom one so he didn't have to trust browser manufacturers not to trash the extension API to lock out non-proprietary implementations, or standard web service library implementations not to have security flaws that undermine the whole thing. I thought it was a poor choice at first because it would be harder to implement, but now, it seems prescient.
@btaroli it's at times like this that edits to squeeze a post into 500 characters can cause problems.
The limitation in #SQRL that I was referring to was that it defaults to a single secret key per identity, and that it is painful to have many identities, but that detail was hard to fit in 🤷‍♂️
@btaroli I agree that #SQRL has a lot of potential.
I am not as keen on the fact that it uses a single private key as the basis for everything and that it has a full custom protocol rather than a simple REST API, but these are not fatal flaws.
Whereas the #Passkeys attestation feature seems like a recipe for abuse, allowing incumbents to insist on proprietary platforms. The lack of ability to transfer keys between major platforms in something that is supposed to be interoperable is disturbing.
I wonder how hard it'd be to get SQRL to load rules from a database? Currently it seems to be all based around filesystems and pre-compiled files.
I guess this makes sense in systems where you track all the changes in git and automatically deploy the service, but I'm not sure that's suitable for all environments?
@arstechnica so this is more about the Google Authenticator specific synching mechanism as a #security risk than any inherent #TOTP problem.
I get why there's a reference to #FIDO2, but I'd much rather use #SQRL than something that locks users to a specific, (probably) untrustworthy, provider.
We as a society need to have a conversation about passwords, and the urgent task of LEAVING THEM BEHIND.
They are barbarous relics of a bygone age. We have better technology. Free/libre, #opensource, peer-reviewed and community-beloved: #SQRL https://en.wikipedia.org/wiki/SQRL
The only problem is, #GAFAM doesn't like the fact that it makes #surveillance harder.
Making headway. Couple days turned into a week. How'd that happen.
Oh right, maybe the scrapping-everything-several-times had a part in that.
But another couple days and we'll have a teaser, SURELY.
Starting a "video-game" "project". Here's a still that I'll be animating the next couple days for a little teaser sort of thing.
After that I'll be diving in Unity and either sink or swim :)
Security folks - is there a reason https://en.wikipedia.org/wiki/SQRL?wprov=sfti1 isn't more widely considered by companies? Why keep using username / password methodology which we know will fail, and on top we force users to rotate BECAUSE we know it fails. #lastpass #sqrl. We eventually switched to https, why not tack on a better authentication experience…
@sweis from what I've heard on SecurityNow, there's a HUGE drawback... dependency on a provider, and they are non-interoperable. Sure there's a standard, but you can't move your account, so you're locked into either Apple or Google, or worse, both at the same time, and you have to trust them.
As odd a duck as #SQRL is, it sounds like a much better system and what FIDO was originally trying to be, when they gave up on forcing the use of physical tokens.
Cc: @leo