Sign in using QR code without master password

If I’m logged in on one device, it would be nice to use that to log in on another device, similar to what apps like WhatsApp and Discord have done.

A primary use case is facilitating 2FA to be more practical across a variety of devices. There’s really no great hardware option that works everywhere unless you’ve managed to get a USB-C exclusive ecosystem. NFC doesn’t work on the iPad or MBP, there’s no YubiKey A/C (you’d need to carry around your own adapter), there’s no A/lightning version either.

Supporting QR code would mean you could use NFC on the iPhone to log in to your desktop or tablet even if they don’t have NFC or any other option.

This would facilitate enabling 2FA using only a hardware token since compatibility substantially improves by proxy.

Right now in my case, I can’t rely solely on a FIDO since I don’t want to carry around 2 USB tokens for all my devices. A QR code solution would reduce that to one and allow for FIDO to be the exclusive 2FA method.

1 Like

Hello Robert - welcome! I have moved your request to this existing one, even though they are not exactly identical, but gathering support under one thread and one pool of votes will garner greater collective support for this idea.

I’ll admit that I originally didn’t see the need for this, but you have provided some very compelling use-cases. I think this would be a great feature (so I have added my vote, too). Hopefully others will upvote this as well. Cheers!

3 Likes

While SQRL is new, and not yet found in the wild, it would be nice to get it on the radar.

As a user I should be able to create, import, and export SQRL Identities.

Related: GitHub - Jaaap/SQRL: Secure Quick Reliable Login WebExtension for Firefox and Chrome

1 Like

There are a few libraries for C# as well which would help integrate with the mobile apps and the core codebase, but unfortunately they all seem a bit out of date.

The SQRL spec and reference implementations seem to be getting finalized now, so maybe a good opportunity to see if a C# binding could be produced now.

Would Bitwarden be open to a PR to integrate support if it were provided?

Update: If you haven’t already heard, SQRL has been finalized.

Yes I agree… If we can get this included… it would put Bitwarden ahead of others for a short time.

Support for this sooner rather than later would be excellent. The idea of having a single factor authentication system that isn’t password username/variant authentication is ideal. Getting the hell away from this problem ASAP really needs to be dealt with, and I really don’t want common metadata across all of my accounts anymore, so the sooner the better!

Here’s a recent video presentation of the basics of SQRL

I would love for this to be integrated into Bitwarden, and hopefully it would help push other websites to start supporting it.

SQRL support for BW

  • Implement a free open source secure quick and reliable login process from a trusted security Jedi!

Feature function

  • do away with passwords to store
  • SQRL is free, absolutely secure and reliable
  • no passwords to store so no secrets to keep!

Related topics + references

  • I have been waiting a long time to suggest this solution to proving identity. If you spend some time reading over SQRL from grc.com you may be able to implement this identity prover and add a ton of value to your growing community.
    LastPass have dropped the ball; pick it up and score!

2 Likes

This feature would be for login?

If this feature is in line with the idea of a password-less custom login, I’ve thought of something here:

if you want to follow, feel free, if not I’ll see how I can help on this specific topic.

So that would help with people not having to remember creds for logging in, so yes, that’s great.

1 Like

thanks for the feedback makdaddy8888 ;D

So, I think this particular request is actually looking for implementation of SQRL as a protocol within Bitwarden, rather than as an authentication method for one’s vault (in lieu of master password).

In that case, it is something of a duplicate of this from a few years ago, and could be merged with it: SQRL Identity

That said, I think making it also a method of identification and authentication into Bitwarden – a la Sign in using QR code without master password – in addition to SQRL identity storage for different sites is worth pursuing, particularly since many implementations already exist for client and server models.

2 Likes

@dh024 - can you help me? @rao - can you confirm this information here?

apparently there are 2 topics:

that could be merged here: Sign in using QR code without master password - #18 by dh024

notes

  1. These open topics want to use SQRL in Bitwarden.
  2. I’m not an official member; I can’t merge 2 topics. If you can help, I would be happy.

1 Like

truth what you said. So, I asked @dh024 to merge these 2 threads

hope to help ;D

Good suggestion @walib65081 - I have merged these topics and their votes together. Cheers!

1 Like

Guys, I hope to help the community. Here is a list of 11 sites that talk about SQRL. They talk about the positives and negatives of the SQRL protocol or scheme as an authentication method:

+7 links talk about other things, but they are interesting subjects

+ more links

Notes

  1. I’m not promoting these sites, just referencing them as a bibliographic source to help in the discussion about QRcode without master password
  2. Perhaps these links can help to verify analytically whether this form of authentication is interesting or not.

2 Likes

Guys, I hope to help the community.

What if we did this? @dh024 @Ben86 @vachan

I thought about that … Is it possible to adopt a temporary master password for the QR code?
If going to public places, it would make sense to have a QR code with a temporary master password. I could be right or wrong, but I would like to know your opinion.

reference

I think the idea of a one-time password is excellent, but I suspect this will be more than a trivial change to the Bitwarden system, given that your master password is the critical piece of information used to create the encryption key to your vault.

1 Like