Time to say goodbye to usernames and passwords for website authentication

We have to admit that our current model of using usernames and passwords for website authentication is utterly broken. It may have been fine back in the days of mainframes when users would have one account to remember but it just does not scale (safely at least) in the current day when the average user probably has tens (if not hundreds) of usernames and passwords to remember.

What do most users do in the face of the ever increasing number of websites that require authentication? They start reusing information – in particular passwords. We should all know that this is a bad idea. The best practice in this area is to have separate and strong passwords for each website account used … but how many people actually do that?

Before we put all the blame on users let’s not forget the websites themselves which are not doing a good job at all protecting all this authentication data. The best practice there would be to properly hash a user’s password in a way that even brute force attacks against that data would not be very successful … but we know that’s not happening. It seems that not a month goes by without some news story informing us that large numbers of user accounts from some website just got dumped online … and passwords were either poorly hashed or not hashed at all (simply stored in plaintext).

Other authentication models exist where some third-party is used to consolidate user accounts and allow users to logon to websites using credentials from that third-party (think OpenID, Facebook, Twitter, Google and so on). The problem with all these is the third-party: can it be trusted? will it protect our information and privacy? do we really want some corporate third-party knowing all the sites we visit simply because those sites rely on its authentication methods?

What we need is a modern authentication system that’s cryptographically secure, easy to use and preferably two-party (involving just the user and the website the user wants to visit).

Enter SQRL – Secure Quick Reliable Login (also see the Wikipedia page). The protocol typically uses a QR code, which provides authentication, where a user identifies anonymously rather than providing a user ID and password. SQRL is the brainchild of Steve Gibson – the host of the long-running and well-respected Security Now podcast. Steve has a lot of information about it at this location – https://www.grc.com/sqrl/sqrl.htm. He also recently did a presentation on SQRL at the DigiCert Security Summit 2014:

We need to start moving in this direction for website authentication because what we have right now is simply not working.

2 thoughts on “Time to say goodbye to usernames and passwords for website authentication

  1. Please note that SQRL is not exclusively for use by phones and does not require the use of QR codes. Implementations (including Steve Gibson’s reference implementation) can be desktop applicatoins or browser plugins.

    Furthermore, the SQRL spec allows the user to back up a copy of the pivate key by printing it in QR code. This method could be used to transfer an existing identity between phones or computers.

Leave a Comment