What is SQRL?
Over a year in the making, SQRL was designed from the ground up to be a secure replacement for passwords.
- Trust No One (TNO) -- SQRL connects directly to the site you're logging in to. There are no middle-men to fail at inopportune times or track your activity.
- Proven Crypto -- SQRL uses proven cryptographic techniques to make your SQRL ID nearly impossible to hack.
- Anonymity -- Each site receives a separate identity token. If a site gets hacked, your token is meaningless to other sites, minimizing your risk.
Your SQRL ID lives on your computer and smart phone, staying out of your way until you need it. When you need to log in to a SQRL-enabled website, simply click or scan the QR code.
No more forgotten passwords! SQRL is just there when you need it. If something ever goes wrong, use the built in Rescue Code to restore your SQRL ID.
- Was your phone stolen, or your computer hacked? Your SQRL ID is cryptographically protected, making it nearly impossible for the bad guy to use.
- Still worried? You can replace your SQRL ID and lock the attacker out of your accounts.
- Got a new phone or computer? Easily transfer your SQRL ID to your new device, and continue using it. SQRL IDs were designed to be used for life.
SQRL replaces per-site passwords and other authentication mechanisms, allowing you to easily log in to any supported site.
Passwords are Broken
Passwords have been around approximately forever, in internet years. They tell a computer that you actually are who you say you are, since (theoretically) no one but you knows your password. That worked out OK back when the average user only had access to a single computer. It's not too hard to remember one password, but now we visit dozens of websites, and each one needs a strong, unique password. Our minds just aren't able to cope with that many passwords, so we cheat. Most of us use passwords that are easy to guess, and use the same password at many sites. If an attacker can steal your password from just one site, or simply guess it, he can gain access to your entire identity.
It's obvious that we need a better way to authenticate to all these websites, and there are many companies out there trying to come up with a better way. But those companies all want you to rely on them for authentication. The scheme typically goes something like this: Every time you log in to a site, that site sends your computer to a third party, say Google, who verifies your identity and tells the original site that you're OK. That can lead to some serious problems:
- If the third party (Google, in the example) ever goes down, then every site that uses their authentication service also goes down.
- The third party necessarily knows who you are and every website that you visit. They can and will collect this information and use it however they please. How many of us actually read those "Terms of Service," anyway?
SQRL is the answer!
In truth, the right answer hasn't been decided yet (there are competing technologies being developed). SQRL ID provides an authentication solution where you control your own identity; you decide what to share with who. Here's how we're different:
- SQRL never shares your ID or personal information with any third party. When you use SQRL to log in to a website, the SQRL client communicates directly with that website, and no one else. Your SQRL ID doesn't even contain any personal information; you choose which sites to give that to.
- SQRL is simple and open, by design. The protocol specification and source code is open to anyone who wishes to review it. This way, you don't have to take our word for it; many security professionals will be reviewing SQRL, and any problems will be found and fixed. There will be competing clients, so you'll have a choice of which software to use.
- You are in control of your SQRL ID. It lives on your computer and smart phone. If it's ever lost or stolen, we provide simple tools you can use to recover your ID and prevent others from using it.