WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 2 years ago

Last modified 2 years ago

#28554 closed feature request (wontfix)

Add Support for Secure Quick Reliable Login (SQRL) into WordPress core

Reported by: pbearne
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Login and Registration
Keywords:
Focuses:
Cc:
PR Number:

Description

Hi All

This is a bit early as the clients/protocol are still being written, so I am starting this post to get the conversation going.

https://www.grc.com/sqrl/sqrl-login-sample.png

But having read the specs I believe this is a major step forward in two-factor login, as there are no “shared secrets” with websites.

Read the details here: https://www.grc.com/sqrl/sqrl.htm

Some work on a plugin has been started here: https://github.com/timnolte/sqrl-wp-plugin

One of the problems that I can see may be the lack of PHP modules on some hosts for the crypto, but until we have explored we won't know.

The reason that I want this (and Google Authenticator) in core is that this needs to be done right with lots of eyes on it and not left to a couple of guys who hack a plug-in together :-)

I would be happy to help with this but no way do I trust my code enough to be the only coder on something as important as this :-)

Paul

Change History (7)

#1 @johnbillion
6 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to maybelater
  • Status changed from new to closed

I'm going to go ahead and close this as wontfix, for the simple reason that any new mechanisms like this are best implemented as a plugin. If the plugin gains traction then it can always be considered at a later date.

That said, I can't imagine that this is something that would get added to WordPress. It's just another form of third party authentication, which is always best implemented as a plugin so users can choose which authentication systems their site supports.

#2 in reply to: ↑ description @MikesTooLz
4 years ago

  • Resolution maybelater deleted
  • Status changed from closed to reopened

Replying to pbearne:
This needs to be re-opened as the protocols have all been finalized and the clients are all being fixed and having their final touches put in place.

Hi All

This is a bit early as the clients/protocol are still being written, so I am starting this post to get the conversation going.

https://www.grc.com/sqrl/sqrl-login-sample.png

But having read the specs I believe this is a major step forward in two-factor login, as there are no “shared secrets” with websites.

Read the details here: https://www.grc.com/sqrl/sqrl.htm

Some work on a plugin has been started here: https://github.com/timnolte/sqrl-wp-plugin

One of the problems that I can see may be the lack of PHP modules on some hosts for the crypto, but until we have explored we won't know.

The reason that I want this (and Google Authenticator) in core is that this needs to be done right with lots of eyes on it and not left to a couple of guys who hack a plug-in together :-)

I would be happy to help with this but no way do I trust my code enough to be the only coder on something as important as this :-)

Paul

#3 follow-up: @pento
4 years ago

  • Resolution set to maybelater
  • Status changed from reopened to closed

@johnbillion's point still stands, this is best done as a plugin, it can be considered for core if it gains traction.

Apart from that, anything that requires a smartphone for logging in has significant accessibility and user experience issues to consider - there'd need to be a very strong case for adding an authentication method that excludes people who don't have a smartphone.

#4 in reply to: ↑ 3 @kb9gxk
4 years ago

The implementation of SQRL includes the use of desktops. If you read the specs, the QR is clickable with a sqrls:// or sqrl:// URL for an app to call for authentication. The user will have a desktop app that will monitor for these calls and take action. I'm not saying this can't be a plugin; my argument is that stating that it can only be used with smartphones is incorrect and misinformed.

Replying to pento:

@johnbillion's point still stands, this is best done as a plugin, it can be considered for core if it gains traction.

Apart from that, anything that requires a smartphone for logging in has significant accessibility and user experience issues to consider - there'd need to be a very strong case for adding an authentication method that excludes people who don't have a smartphone.

#5 @PCServices
2 years ago

  • Resolution maybelater deleted
  • Status changed from closed to reopened

I'd just like to add a 'me too' to the request to get SQRL login built into WordPress.

See https://www.grc.com/sqrl/sqrl.htm for all of the information about SQRL, the specs, the methodology and other resources.

#6 @johnbillion
2 years ago

  • Resolution set to wontfix
  • Status changed from reopened to closed

This really has no place in WordPress core, in the same way that SAML, OpenID, BasicAuth, or any other secondary authentication mechanism doesn't.

This is best implemented as a plugin, so those who want to try it out can do so.

Aside: SQRL makes many bold claims. I wouldn't even consider trusting it without seeing substantial peer review from the security community.

#7 @my1xt
2 years ago

Well, they claim many things that are reasonable considering how it works. May I ask what the "bold" claims are?

Peer review and stuff is sure a thing that would help SQRL, but I think the origin (Steve Gibson from GRC) has at least SOME credibility, so while surely not fully trusting it, the "don't even consider trusting" is IMO a bit far.

But it's true that this might be better for a plugin. The reason from the OP certainly stands that a core feature is usually developed by people who know WordPress and stuff, while some plugins may be just "hacked together" (while others are awesome, true). I don't know whether there are plugins by the WordPress team, but for such security-related stuff this may be a nice option.
