Secure (QR) Login - SQRL


Re: Secure (QR) Login - SQRL

Postby archer53x » Wed Oct 23, 2013 12:40 pm

Yes, if SQRL becomes a standard there will be a need for master key management and will still be a need for usernames/passwords management, even if only as legacy support.
archer53x
 
Posts: 10
Joined: Sat Jun 01, 2013 4:12 pm

Re: Secure (QR) Login - SQRL

Postby mrojas690 » Wed Dec 11, 2013 1:37 pm

juliohm830 Wrote:I suggested a thread on their forum, and one interesting idea came up. Maybe in the future LastPass could become a SQRL client app itself. It could manage your SQRL master key and fall back to traditional usernames/passwords for sites that do not support it.


I agree and mostly understanding how LastPass works I would feel safe using LastPass as my SQRL app while keeping the password and 2nd factor to log in to LastPass. Also by having LastPass keep a copy of my master key for SQRL. Also I would be willing to pay a little extra to make sure that this feature is implemented sooner.
mrojas690
 
Posts: 3
Joined: Mon Dec 09, 2013 4:54 pm

Re: Secure (QR) Login - SQRL

Postby smith » Thu Dec 19, 2013 4:50 pm

Me, too! Adding SQRL app support to LastPass keeps all my stuff in one place (and one that I trust). It also helps expose SQRL to many more people and will help drive demand for web sites to support it.
smith
 
Posts: 2
Joined: Thu Dec 19, 2013 4:45 pm

Re: Secure (QR) Login - SQRL

Postby securityfan » Thu Mar 26, 2015 10:32 am

I'm surprised there's not more dialog on this topic. I love the idea of SQRL as explained by Steve Gibson. According to the SecurityNow! podcast there are a good number of individuals working on developing SQRL clients both for the browser and for mobile devices. Websites that begin implementing this sign-in option will require me to have a SQRL client. That client will necessarily sit alongside my LastPass client, which I'll continue using for all those sites that don't support SQRL.

The code is all out there. Why would LastPass not want to simply add the SQRL capability into their product? It could be an optional thing for users who don't want it but for those of us who do, we can adopt SQRL without installing a new app, assuming LastPass people can pull it off ... which if they can't I don't know why I trust them the way I already do...

LastPass--what's the story here? Interested or not? SQRL + Passwords keeps you in the same game you're in. No SQRL means a gradual migration out of the LastPass environment for those sites that decide to adopt it. If LastPass sees something wrong with SQRL, please enter the dialog with Gibson because right now it appears to be a really solid solution that solves the same problem you solve today, in a better way.
securityfan
 
Posts: 1
Joined: Thu Mar 26, 2015 10:23 am

Re: Secure (QR) Login - SQRL

Postby zingplex » Tue Apr 14, 2015 2:54 pm

I would be surprised to see LastPass adopt this because in its adoption, it is threatening the business model. Also, I think the SQRL spec is done and now Steve is just writing an implementation in assembly.
zingplex
 
Posts: 6
Joined: Thu Jan 15, 2015 9:16 pm

Re: Secure (QR) Login - SQRL

Postby pawnshop73 » Wed Jun 01, 2016 2:51 am

I would say that SQRL would "threaten" their business model whether they implement it or not.... Cause if other sites are using it, it might become easier to use SQRL instead of Lastpass... HOWEVER (and there's always a "however") I would love to not have to dig out the 32 character password anytime that I need to re-login to Lastpass. If they actually added the ability for the Lastpass plugins to act as a SQRL client on top of that, well, that would be icing on the cake as far as I am concerned. Because Lastpass could allow you to share a SQRL login with your spouse allowing you both to login to your bank account (assuming that the bank implements SQRL before they figure out that maybe it would be better to give everyone their own user account and then grant access to bank account info based on user account, instead of having a SINGLE account that can access a bank account and requiring you to log out and log back in to view a second account... GRRR! ARGH! ... Sorry, I may have let my frustrations lead me into a mini-rant there.).

+1 for the idea of implementing SQRL as a way to login to LastPass.
+1 for the idea of enabling LastPass plugins to act as SQRL clients.
pawnshop73
 
Posts: 1
Joined: Wed Jun 01, 2016 2:41 am

Re: Secure (QR) Login - SQRL

Postby Twi2 » Thu Apr 27, 2017 10:06 am

zingplex Wrote:I would be surprised to see LastPass adopt this because in its adoption, it is threatening the business model. Also, I think the SQRL spec is done and now Steve is just writing an implementation in assembly.


I do not see SQRL as a threat to the LastPass business model. First, many sites are going to stick with usernames and passwords in spite of the hassle and the lowered security, simply because that is how they have worked for decades. Secondly, LastPass stores far more than just usernames and passwords. LastPass can hold almost anything that needs to be stored securely, like credit card numbers, answers to security questions, safe combinations, and far more. I've even used LastPass to securely exchange documentation for a mortgage. Even if all the websites I use started using SQRL, I would still need LastPass for storing all the other information I need to keep securely.

SQRL would be a superb addition to LastPass authentication. It would improve LastPass security without requiring users to purchase hardware to support second factor authentication. (yes, it could threaten Yubikey's business model, but that's a different story). Incorporating SQRL's user unique cryptographic into the processing used to create the actual LastPass master key would dramatically increase the entropy of the master key, and that would be great. SQRL's approach would allow a user to have a very secure login while enabling them to enter a very short key. One real hassle with secure use of LastPass is that the user's password needs to be long as well as hard to guess, and typing a long password repeatedly is certainly a pain. Using SQRL could eliminate that pain without reducing security.

It would be relatively easy to include SQRL as a user-selected optional second factor authenticator, much like Google Authenticator.
Twi2
 
Posts: 1
Joined: Tue Jul 22, 2014 4:01 pm

Re: Secure (QR) Login - SQRL

Postby jonat » Thu Apr 27, 2017 4:01 pm

It has been 2-1/2 years since SQRL was proposed. I have not seen a single site pick it up.
jonat
 
Posts: 2195
Joined: Thu Dec 09, 2010 8:42 pm

Re: Secure (QR) Login - SQRL

Postby builder66 » Thu Nov 22, 2018 8:15 am

Seems like Steve Gibson is still actively working on this standard and based on a recent podcast over on twit.tv (Security Now Episode 690) - he may be getting very close to completion. So I thought now would be a good time to weigh in on the argument supporting a SQRL client implemented in LastPass.

I would concur with the post from Twi2 back in April of last year that SQRL is NOT a threat to LastPass's business model for all the reasons stated. I trust LastPass to keep all my most important personal data and to help manage my identity. Its value to me is providing solutions to help keep my data and identity secure and now, almost secondarily keeps my login passwords as well.

Implementation of a SQRL client within LastPass would help lay the groundwork for a future secure on-line identity system that has the real possibility of someday moving us beyond username and passwords. Steve Gibson has already done the heavy lift by developing the standards, reference client and server implementations, so all of the details have been worked out over the past few years. This means there would be very little effort and risk for LastPass to implement the client.

LastPass is uniquely positioned and would probably benefit greatly from their support and advocacy of the SQRL standard. Replacing username and passwords does not replace the need to manage your identity and LastPass could play a key role in this transition to a much more secure and reliable on-line economy. THIS is the real value to me!

SQRL portends a day when usernames and passwords are obsolete and NOT needed - well except for ONE - Your LastPass master username and password!
builder66
 
Posts: 4
Joined: Thu Nov 22, 2018 7:08 am

SQRL Client

Postby builder66 » Thu Jun 13, 2019 6:58 pm

Implement Steve Gibson's SQRL client. Please see https://www.grc.com/sqrl.htm
builder66
 
Posts: 4
Joined: Thu Nov 22, 2018 7:08 am
