What I Believe
I believe that Discourse is already throwing away many standardized conventions in the name of the evolution of communication and related technology. Moving to something where privacy, security, reliability and simplicity are inherent, like SQRL, seems like the "perfect match".
SQRL: a Better Authentication Method
I am suggesting adding an alternative method which could be merged into the login/registry screen.
The websites I'll link for your own study and consideration are sqrl.pl and grc.com; both have valid and powerful explanations of this technology. Basically, for those of you who don't like clicking foreign links without a short pitch, here's the idea of how SQRL works.
The problem
When you first show up to a website you're usually presented with a register/login page which requires that you punch in a bunch of personal information before you can register. The way that this usually works is that you have a username or email and a password. This is all fine and dandy, but we all know that it can be tough to host and effectively secure authentication credentials against attack and exploitation.
This relies on the fact that you manage the length and complexity of your passwords and usernames. Otherwise it relies on hopes and dreams to essentially stay under the radar from robots attempting to farm and exploit your accounts.
Some Duct Tape (TwoFactorAuth/MultiFactorAuth)
To combat insecurity issues with brute forcing and dictionary attacks we've come up with a new magical solution called Two Factor Authentication or Multi Factor Authentication, where you use some randomly generated OTP (One Time Password) as well as your main password. This gets arduous and frustrating when you have 30 seconds to type in a password before it expires, or you have to wait for an SMS to be sent to your mobile device reliably.
The Many Issues With MFA/TFA as a Bandage Solution
You now have the issue of always keeping track of not only your username/email and password, but you also have to hope that your phone is charged and that you remember the PIN for your MFA/TFA, so now you have to concern yourself with all of the following:
- The location of your smartphone
- Smartphone is charged
- Integrity of your smartphone's flash storage
- Secure backups of your TFA/MFA
- The user ID that was used [Pin/Email/Username/ETC]
- Passphrase[hopefully]
- This list can go on and on...
With SQRL you are offered a QR code which you can scan or click (depending on whether you're on a mobile browser or not). This QR code hands a bunch of gibberish to your mobile scanner app, which you sign with your private master key (generated by the mobile app) and then send the signed result back to the website/service to prove you are who you are and that you're checking in.
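To make the "bunch of gibberish" concrete, here is an added illustration (not code from the post, from SQRL's reference implementation, or from Discourse) of the challenge-response shape described above: the site mints a random one-time nonce to put in the QR code, the app derives a per-site Ed25519 key from its master key as HMAC-SHA256(master, domain), signs the domain plus nonce, and the site verifies the signature, refuses replayed nonces, and treats an unseen public key as a brand-new account. The domain and master key values are constructed samples; the exact message format and field names are this example's own assumptions, not SQRL's wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Response is what the phone app returns to the site after scanning the code.
type Response struct {
	Domain string            // the site the app believes it is answering
	Nonce  string            // the one-time challenge carried in the QR code
	PubKey ed25519.PublicKey // this identity's public key for this site only
	Sig    []byte            // Ed25519 signature over domain + nonce
}

// DeriveSiteKey turns one master secret into a per-site Ed25519 key pair:
// seed = HMAC-SHA256(master, domain). Different domains get unrelated keys,
// so two sites cannot correlate the same user by public key.
func DeriveSiteKey(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // HMAC-SHA256 output is exactly 32 bytes
	return priv.Public().(ed25519.PublicKey), priv
}

// signingMessage binds the signature to both the site and the challenge
// (assumed layout for this example, not SQRL's actual encoding).
func signingMessage(domain, nonce string) []byte {
	return []byte(domain + "\n" + nonce)
}

// Sign is the client (phone app) side: derive the site key and sign the challenge.
func Sign(master []byte, domain, nonce string) Response {
	pub, priv := DeriveSiteKey(master, domain)
	return Response{Domain: domain, Nonce: nonce, PubKey: pub, Sig: ed25519.Sign(priv, signingMessage(domain, nonce))}
}

// Server holds outstanding challenges and the public keys it has seen.
type Server struct {
	domain string
	nonces map[string]bool              // unused challenges; deleted on first use
	users  map[string]ed25519.PublicKey // registered identities, keyed by base64 public key
}

func NewServer(domain string) *Server {
	return &Server{domain: domain, nonces: map[string]bool{}, users: map[string]ed25519.PublicKey{}}
}

// NewChallenge mints the random nonce that the QR code (or clickable link) carries.
func (s *Server) NewChallenge() string {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	nonce := base64.RawURLEncoding.EncodeToString(buf)
	s.nonces[nonce] = true
	return nonce
}

// Verify checks a response. It returns registered=true when the public key is
// new (first visit creates the account, no form to fill in) and false for a
// returning user. Any failure returns a non-nil error.
func (s *Server) Verify(r Response) (registered bool, err error) {
	if r.Domain != s.domain {
		return false, errors.New("response was signed for a different site")
	}
	if !s.nonces[r.Nonce] {
		return false, errors.New("unknown or already used challenge")
	}
	delete(s.nonces, r.Nonce) // single use, consumed even if the signature is bad
	if len(r.PubKey) != ed25519.PublicKeySize || !ed25519.Verify(r.PubKey, signingMessage(r.Domain, r.Nonce), r.Sig) {
		return false, errors.New("signature does not verify")
	}
	id := base64.RawURLEncoding.EncodeToString(r.PubKey)
	if _, known := s.users[id]; known {
		return false, nil
	}
	s.users[id] = r.PubKey
	return true, nil
}

func main() {
	master := []byte("constructed 32-byte master key!!") // constructed sample; a real app generates this randomly
	srv := NewServer("forum.example")                   // constructed sample domain
	nonce := srv.NewChallenge()
	reg, err := srv.Verify(Sign(master, "forum.example", nonce))
	fmt.Println("first visit registered:", reg, err)
	_, err = srv.Verify(Sign(master, "forum.example", nonce))
	fmt.Println("replayed challenge rejected:", err)
	reg, err = srv.Verify(Sign(master, "forum.example", srv.NewChallenge()))
	fmt.Println("returning user registered:", reg, err)
	_, err = srv.Verify(Sign(master, "look-alike.example", srv.NewChallenge()))
	fmt.Println("challenge answered for another domain rejected:", err)
}
```

Two points from the post show up in the code. The server never stores anything a thief could log in with, only public keys, so there is no password database to "host and effectively secure". And because the app signs the domain it actually sees, a challenge relayed through a look-alike site produces a response the real site rejects, both on the domain field and on the unrelated per-site key.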
The Issues With SQRL
- Location of your smartphone
- Integrity of your smartphone's flash storage
- Your ability to securely back up SQRL identities
- Remembering your Passphrase for SQRL
- This list is significantly shorter, and a broader explanation and case for use is made more effectively on the websites linked in the opening paragraph.