
Microsoft joins FIDO group to replace passwords with public key cryptography - yeukhon
http://arstechnica.com/security/2013/12/microsoft-joins-fido-group-hoping-to-replace-passwords-with-public-key-cryptography
======
salient
I don't know how much they overlap, but Steve Gibson was saying recently in
one of his latest Security Now podcasts that what FIDO is trying to do is
inferior to his recently launched SQRL protocol. He starts talking about it at
0:56:

[http://twit.tv/show/security-now/435](http://twit.tv/show/security-now/435)

He says the FIDO spec is overdesigned, and everyone there has their own
interests, it's tied to certain technologies, and it's not free. SQRL on the
other hand generates the keys on the fly instead of storing them on the phone
for each website. If a hacker steals your identity, you can also get it back
with SQRL - you can't with FIDO. He says SQRL is also much easier to
implement.

[https://www.grc.com/sqrl/sqrl.htm](https://www.grc.com/sqrl/sqrl.htm)

[http://www.sqrl.pl/](http://www.sqrl.pl/) (fan-made)

Also, an interesting excerpt from Wikipedia, referring to when he announced
the protocol for the first time:

> Within 2 days of the airing of this podcast, both the W3C and Google
> expressed interest in working on the standard.[2]

[http://en.wikipedia.org/wiki/SQRL](http://en.wikipedia.org/wiki/SQRL)

~~~
hamburglar
"Steve Gibson was saying recently in one of this latest Security Now podcasts
that what FIDO is trying to do is inferior to his recently launched SQRL
protocol"

Of course he was. He's Steve Gibson. He's a shameless self-promoter and he
loves to make over-dramatic claims of finding security flaws in things.

His only saving grace is that SQRL actually looks pretty sound to my
moderately-better-than-amateur security experience. I hate to admit it,
because if it catches on as a standard, he's only going to become more
insufferable. The guy is a kook, except he's a kook who may have actually
done his homework this time. I'd still like to hear what some actual security
researchers have to say about SQRL, because I'm sure as hell not going to take
his word on it.

~~~
ay
+1 on all counts. I went to the Wikipedia page and it looks like it was written, if
not by him, then by his fans - it does not contain a half-decent description of
the protocol. Just some propaganda-like fluff.

I admit "squirrel" does sound cool. But how it is different from any other
challenge-response algorithm escapes me.
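The claim earlier in the thread that SQRL "generates the keys on the fly" for each site rather than storing one per website is the idea of deterministic per-site key derivation, and it is also what answers the question of how this differs from plain challenge-response: the client keeps a single master secret and recomputes each site's key from the site name when needed. The following is an added illustration written for this thread, not code from Gibson, GRC, FIDO or any commenter. A master secret and a domain go through HMAC-SHA256 to yield a per-site key, so the client stores nothing per site, two sites get unrelated keys, and the server's nonce is accepted once only. The challenge step uses an HMAC tag as a stand-in because the Python standard library has no Ed25519; in a public-key design the derived value would seed a signature keypair and the server would hold only the public half. The master secret, usernames and domains are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample master secret. In a real client this is high-entropy,
# held only by the user, and never sent to any site.
MASTER_SECRET = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
)


def derive_site_key(master: bytes, site: str) -> bytes:
    """Recompute the per-site key from the master secret and the domain.

    Nothing is stored per site: the same (master, domain) pair always yields
    the same key, and keys for different domains are unrelated.
    """
    return hmac.new(master, site.lower().encode("ascii"), hashlib.sha256).digest()


def answer_challenge(site_key: bytes, nonce: bytes) -> bytes:
    """Client side: bind the response to this site's key and the server's nonce.

    Stand-in for a signature: a public-key scheme would sign the nonce with the
    site-specific private key here and the server would verify with the public key.
    """
    return hmac.new(site_key, nonce, hashlib.sha256).digest()


def verify_response(expected_key: bytes, nonce: bytes, response: bytes) -> bool:
    """Server side check of a response against the key registered for the user."""
    return hmac.compare_digest(answer_challenge(expected_key, nonce), response)


class SiteServer:
    """Minimal relying party: issues single-use nonces and checks responses."""

    def __init__(self, domain: str) -> None:
        self.domain = domain
        self.users: dict[str, bytes] = {}   # username -> registered verification key
        self.issued: set[bytes] = set()     # nonces handed out but not yet consumed

    def register(self, username: str, site_key: bytes) -> None:
        # In the public-key version only the public key would be stored here.
        self.users[username] = site_key

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.issued.add(nonce)
        return nonce

    def login(self, username: str, nonce: bytes, response: bytes) -> bool:
        # Reject unknown or already-used nonces so a captured response cannot be replayed.
        if nonce not in self.issued:
            return False
        self.issued.discard(nonce)
        key = self.users.get(username)
        return key is not None and verify_response(key, nonce, response)


if __name__ == "__main__":
    server = SiteServer("example.com")
    alice_key = derive_site_key(MASTER_SECRET, server.domain)
    server.register("alice", alice_key)

    nonce = server.challenge()
    print("first login:", server.login("alice", nonce, answer_challenge(alice_key, nonce)))
    print("replayed   :", server.login("alice", nonce, answer_challenge(alice_key, nonce)))
    print("other site :", derive_site_key(MASTER_SECRET, "example.org") != alice_key)
```

Run as a script it prints True, False, True: the first login succeeds, the replayed nonce is refused, and the key derived for a different domain is unrelated to the one registered with example.com. The domain is lower-cased before derivation so that case differences in a URL do not produce a second identity for the same site.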

~~~
guard-of-terra
For example it might become different from other algorithms because it will be
working and solving users' problems instead of just existing in abstract
algorithm-land?

------
BadassFractal
Someone needs to come up with a safe and VERY convenient way to keep one's
private keys around. I haven't found a convenient way yet, even a USB key is
going to be a hassle for most non-techies.

~~~
vyrotek
How about a ring?

[http://www.wired.com/wiredenterprise/2013/01/google-password...](http://www.wired.com/wiredenterprise/2013/01/google-password/)

~~~
pdkl95
[http://www.javaworld.com/article/2076641/learn-java/an-intro...](http://www.javaworld.com/article/2076641/learn-java/an-introduction-to-the-java-ring.html)

How about this version from over a decade ago? Regardless of what you get to
run inside it (we can substitute lots of stuff for the JVM used here), the
form/style of it is simple and fits with habits that people already have.

The ring is nice, too, in that it's harder to accidentally leave someplace,
yet CAN be removed if absolutely needed (unlike some biometrics, where
"mugging you and taking your wallet/keys/pubkey-ring" can turn into "mugging
you and taking your _finger_").

------
jbuzbee
Remember Microsoft's mantra: Embrace, Extend, Extinguish...

