Talk:SQRL

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 0x0077BE (talk | contribs) at 04:48, 23 July 2014 (Biased article / notability?). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

WikiProject Computing (Start-class, Low-importance)
This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
This article has been rated as Start-class on Wikipedia's content assessment scale.
This article has been rated as Low-importance on the project's importance scale.

More headings; First Article

Hi, this is my first new article. There is scope for several bullet points between "Motivation" and "Example use case" for more information about the workings of the protocol. Dagelf (talk) 13:09, 15 October 2013 (UTC)

Hello, and thanks. Better yet would be to use English prose instead of bullet points. This is supposed to be an encyclopedia, not a promotional brochure. Also, please give context and specific dates for things. For example, calling it a "standard" seems a bit presumptuous. Which official international standards body has published it? If none, then just say it is a "technology" promoted by XXX<ref>{{Cite ...}}</ref> W Nowicki (talk) 00:30, 17 November 2013 (UTC)

Limitations

This was added to the article:

Much like the more conventional username-and-password solution, SQRL authentication is potentially vulnerable to a Man-in-the-middle attack (aka "phishing"). Unlike usernames and passwords, SQRL limits the scope of the breach insomuch as the attacker only gains one authenticated session, rather than an unlimited number of future sessions and furthermore removes the possibility for the attacker to change the password (effectively locking out the user indefinitely).

This seems to be based on old information and doesn't adequately describe the phishing protections it does have, unlike other authentication methods. https://www.grc.com/sqrl/phishing.htm A limitation is to suggest other methods can do this, but this one can't. So, I don't think this opinion shouldn't be presented as a section title. It would be more appropriate to call the phishing protections an advantage over every other authentication method. Morphh (talk) 22:20, 3 November 2013 (UTC)
Can you please specify which part you think is based on old information, and how, exactly, "limitations" might imply it is "inferior" to another authentication mechanism, rather than simply having a "limit" to its goodness? Even global acceptance of SQRL would not negate phishing attacks, they would just become different & more elaborate (e.g. an attacker could say "our click-to-login system is down, please scan with your mobile device to login"). It is important that people understand the limitations of the system. --Osndok (talk) 16:33, 4 November 2013 (UTC)
It seemed to be based on information released prior to the new phishing protections added, since it didn't mention the same IP policy which would only make this attack effective when using cross device authentication. With the term "limitations", I think the larger issue was the heading where just mentioning such in prose would be more acceptable. As such, section headers must follow WP:STRUCTURE and are reserved for major areas of the article. So perhaps a section on "Security protections", then a sub-section on "Phishing" with a couple sentences that discuss the limits. I don't want to exclude the material, but it has to be placed in relative context, give weight to the protections it offers, and be careful not to get into WP:SPECULATION. The fact that it offers any protection to phishing is a major point, which should be the focus of any such section. Morphh (talk) 17:23, 4 November 2013 (UTC)

Biased article / notability?

I'm not seeing any clear indication that this is notable yet. Doing a bit of searching, I'm seeing basically no mainstream coverage of this, there are many claims in here about the security of this method which are not substantiated by anything except the claims of the original author of the protocol. There's also a fair amount of WP:SYNTH in the actual writeup. I'm going to proactively remove this particularly egregious segment:

The development of the protocol is an example of the marketplace of ideas on the Internet. There has been QR code based login and authentication experimentation previously, but the openness and simplicity of this specific implementation, as well as the size of the listenership of the podcast, has created the necessary gravity for the computer security community to move to adopt the protocol.[3][4][5][6][7][8][9][10]

Nothing of the sort is claimed in ANY of the references. References 3-10 are just other examples of QR-code based login.

In any case, I think this article doesn't meet the Notability requirements, so I suggest that if there's any useful content here, it be merged into Gibson's page and possibly QR code. For now I'm tagging this with notability rather than AfD, because I think we can probably handle this as a merge into Gibson's page rather than deletion. 0x0077BE [talk/contrib] 17:04, 22 July 2014 (UTC)

I've added a little to the page, but it does still need more work. peterl (talk) 23:05, 22 July 2014 (UTC)
The additional references help the article quality, but none of them actually establish notability, as they are all forum and blog posts - and they're all from immediately after the initial announcement (no sustained coverage). I think a merge to QR Codes or Gibson's article is appropriate. 0x0077BE [talk/contrib] 04:48, 23 July 2014 (UTC)