SQRL’s Fatal Flaws

Steve Gibson‘s SQRL authentication has two fatal flaws: future identities are too easily compromised and using it with multiple devices becomes more difficult over time. Since it relies on derived keys to generate each identity a single, compromised identity-unlock-key (IUK) puts all past and future secrets at risk. At least until one knows it has leaked.

SQRL tries to mitigate this derivation weakness by its ‘rekeying’ feature. Though that rekeying requires updating the identity file on all devices that need it as well as revisiting all previously used services. One must go through the rekeying and revisiting process any time ones IUK is compromised.

Such rekeying doesn’t help when one doesn’t know the IUK has been compromised. Meaning attackers with the key could create an identity before a user has tried. Then when the real user signs into their ‘new’ identity the attacker also has access, they may even have primed the account with weaker privacy settings.

Password Vaults have a similar weakness which could expose all past secrets, but no future ones. And since there is typically a different (random) password for each service the size of the data an attacker needs to extract is often larger. Bigger payloads are usually more difficult to exfiltrate completely and are more likely to be noticed.

As far as I can tell there doesn’t seem to be a solution to these fundamental issues with SQRL. But I’d love to be proven wrong. So if this assessment has any inaccuracies or you have thoughts to share then please leave a comment.

UPDATE: Full disclosure, I created a premium plugin for the KeePass Password Safe.