Other Work Related to QR Code Login
The appearance of this SQRL proposal has generated a tremendous amount of interest, including many reports of superficially similar and/or related previous work. And, so far, that's exactly what they are: superficially similar and related. Uninformed people erroneously assume that anything that involves a QR code is the same as anything else.
This SQRL proposal is generating such a high level of interest specifically because it is so clearly different from, and much more elegant than, every other scheme we're aware of. This page catalogs everything we have encountered, with brief comments where applicable.
- Adam Howard's Bournemouth University Bachelor's degree dissertation (locally cached PDF).
- Google briefly experimented with QR code login.
As I mentioned during the original SQRL Security Now! podcast, I discovered this experiment after the SQRL concept first occurred to me and I wanted to see whether others had used QR codes to log in. From what (little) I have been able to learn, it appeared that when scanning a Google login page, the login form would “leap” over to the user's smartphone. What more it might have done is unknown.
- Google filed for a patent with the title: “Login Using QR Code”.
Fortunately, their “invention” (of existing public domain technology) appears to be nothing more than the typical three-party “federated identity management” model, where a third-party “identity provider” arbitrates the establishment of transactional trust (and perhaps attribute attestation) between the user and a “relying party”.
- SURFnet has something called tiQr (pronounced “ticker”).
It superficially appears to offer a user experience similar to SQRL. As with every other such system, however, what is actually going on is far more complex and requires establishing “shared secret” account credentials with the authenticating website in advance. As they explain on their technical page, tiQr is based on the OATH (Open Authentication) OCRA challenge-response protocol, which was standardized in RFC 6287.
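To make the “shared secret” point concrete, here is an added example (not tiQr's own code, nor part of this page originally) of the OCRA challenge-response pattern that RFC 6287 defines: the site picks a numeric challenge, carries it to the phone (here by a constructed QR payload format, which is not tiQr's actual encoding), and the phone answers with an HMAC over the suite string and the challenge using a key that both sides must already share. The key below is the RFC's own 20-byte test key, so the first two responses can be checked against the vectors in RFC 6287 Appendix C. The session id and the `|`-separated payload are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample: RFC 6287's "standard 20-byte key". In a real deployment this
# secret must be provisioned to BOTH the site and the phone before the first login,
# which is exactly the enrolment step SQRL is designed to avoid.
SHARED_SECRET = bytes.fromhex("3132333435363738393031323334353637383930")
SUITE = "OCRA-1:HOTP-SHA1-6:QN08"  # HMAC-SHA1, 6-digit result, 8-digit numeric question


def ocra(suite: str, key: bytes, question: str) -> str:
    """Compute an OCRA response (RFC 6287) for suites of the form
    OCRA-1:HOTP-<hash>-<digits>:QN<len>: a numeric question only, with no
    counter, PIN, session-information or timestamp inputs."""
    _, crypto, data_input = suite.split(":")
    _, hash_name, digits = crypto.split("-")
    if not data_input.startswith("QN"):
        raise ValueError("only numeric questions (QN) are handled in this example")
    digest = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256,
              "SHA512": hashlib.sha512}[hash_name]
    # Numeric question: decimal -> hex, then padded on the RIGHT with '0'
    # to a fixed 128 bytes, as the RFC reference implementation does.
    q_hex = format(int(question, 10), "X").ljust(256, "0")
    msg = suite.encode("ascii") + b"\x00" + bytes.fromhex(q_hex)
    mac = hmac.new(key, msg, digest).digest()
    # HOTP-style dynamic truncation (RFC 4226 section 5.3).
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    n = int(digits)
    return str(binary % 10 ** n).zfill(n)


def new_challenge() -> str:
    """Site side: a fresh 8-digit numeric challenge, one per login attempt."""
    return f"{secrets.randbelow(10 ** 8):08d}"


def qr_payload(session_id: str, challenge: str) -> str:
    """What the QR code would carry. Constructed format for this example only."""
    return f"{SUITE}|{session_id}|{challenge}"


def phone_respond(payload: str, key: bytes) -> tuple:
    """Phone side: parse the scanned payload and answer with the shared key."""
    suite, session_id, challenge = payload.split("|")
    return session_id, ocra(suite, key, challenge)


def site_verify(expected_challenge: str, key: bytes, response: str) -> bool:
    """Site side: recompute with the same shared key and compare in constant time."""
    return hmac.compare_digest(ocra(SUITE, key, expected_challenge), response)


if __name__ == "__main__":
    challenge = new_challenge()
    session, answer = phone_respond(qr_payload("sess-1", challenge), SHARED_SECRET)
    print(session, challenge, answer, site_verify(challenge, SHARED_SECRET, answer))
```

The instructive part is the signature of `site_verify`: the site cannot check the response without holding the same secret the phone used, so every site the user logs into with such a scheme holds a per-user secret that can be stolen from the site. SQRL's per-site public keys remove that requirement.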
- eKaay - Smart Login
Their “About us” page explains that: “The concept for eKaay Smart Login was developed in 2009 within an IT security project at the CS Dept. of the Univ. of Tübingen and turned into software since 2010 by students and programmers. A spin-off company was founded in 2011 which offers the method and its software to web portals. First customers are live with ekaay Smart Login since end of 2012.” There is no additional documentation available, though some examples of QR code portal login can be found on their References page.
- QRAuth
Though no protocol description or documentation is visible on their web site, this appears to be a facility involving QRAuth's third-party servers, where website login credential information stored on the user's smartphone can populate a web browser's login fields. A plug-in installed in the target browser presumably displays a high-density QR code provided on demand by the QRAuth servers. This QR code is scanned by the phone and sent, along with the site's login credentials, through the phone's link to the QRAuth servers. The browser plug-in, which must also be connected to the QRAuth servers, then receives the login credentials and logs the user into the site.
- Clef does not use QR codes . . . but it is entertaining.
It appears to use their own wacky system of animated bouncing vertical lines. And they do say: “Clef uses 2048-bit RSA asymmetric keys and state of the art PKCS-5 encryption.”, so I guess that's comforting. (PKCS #5 is the password-based key derivation and encryption standard, so at most that sentence describes how a key is stored on the phone, not how the login protocol works.) Because their system appears to be proprietary, and they do not disclose anything about their security protocol, no one has any way of evaluating their security. And they do have a “deactivate your lost phone” page, so we know that their system is three-party, not just two.
- Live Ensure appears to be yet another three-party QR code authentication system. Users download the free iOS, Android, or Windows Phone app. Site developers “sign up and obtain LiveEnsure API keys” then merge LiveEnsure code with the site's login form. The web site then calls LiveEnsure's API whenever a user logs in, receives a QR code to display (perhaps a link to a QR code image hosted by LiveEnsure?), presents it to the user, and polls LiveEnsure for the login status.
- QRP: An improved secure authentication method using QR codes (locally cached PDF)
This is a two-party solution, though it involves the more typical “create an account and both sides know about the other in advance” style of authentication. The server then generates a challenge, presented in the QR code, and the phone either uses an Internet connection to reply or generates a 6-digit PIN derived from the server's encrypted challenge.
- “Method and system for authenticating a user by means of a mobile device” I'm sure this (patented) mobile device authentication system is nice, but one glance at the accompanying diagram is enough to tell you that it bears no resemblance to GRC's proposed SQRL solution.
- “Onescan” by Ensygnia: Appears to be PayPal with QR codes (not a login system). A typical three-party solution where the user establishes an account with Ensygnia, providing them with confidential purchasing information. Then websites sign up with Ensygnia to offer “Onescan Checkout.” Users scan the website's QR codes with their smartphone, the app communicates with Ensygnia, and Ensygnia communicates with the website. The only sad part about this is that two patents were granted. Fights to follow, since PayPal will soon offer QR code payments. (Engadget)