Jaaap / SQRL

Secure Quick Reliable Login WebExtension for Firefox and Chrome
MIT License

Is it possible to integrate SQRL with FIDO protocol and hardware keys? #20

Closed ghost closed 2 years ago

ghost commented 2 years ago

Hi all!

1. feature-name

Is it possible to integrate SQRL with FIDO protocol and hardware keys?

2. feature-description

2.1 context

  1. One of the things I miss is the integration with hardware keys and the FIDO protocol within SQRL
  2. There was a technical discussion on Bitwarden about integrating SQRL - however this was not implemented for practical security/user privacy reasons
  3. One of the problems presented was the one I mentioned above: 'I miss is the integration with hardware keys and the FIDO protocol within SQRL' - How can we check if a device is correctly assessing a QR code? What if that QR code is not a phishing?
  4. From what I researched, this library is the most complete and implements SQRL - I don't work in any software development/company in terms of backend/devops etc - I only work as a freelance frontend developer - Although I read a lot about cybersecurity in web applications. Is it possible to integrate SQRL with FIDO protocol and hardware keys?

2.2 why

Further enhances the security of the SQRL protocol

3. references

Jaaap commented 2 years ago

This is a complex topic. The first thing we have to make clear is: what exactly are you asking?

  1. To store the SQRL secret on a hardware device (for use on websites that support SQRL)
  2. To use a hardware device + FIDO as a second factor (for use on websites that support SQRL)
  3. To use SQRL's identity for synthesizing FIDO2 identities (for use on websites that support FIDO2)

ghost commented 2 years ago

@Jaaap Hi! How are you?

1. analysis/observation

So... In the technical discussions about SQRL integration in Bitwarden, the central technical discussion was this: '2. To use a hardware device + FIDO as a second factor (for use on websites that support SQRL)'.

2. notes

  1. In this issue I opened here, I'm arguing about '2. To use a hardware device + FIDO as a second factor (for use on websites that support SQRL)' too.
  2. But... So... I didn't think about it: '3. To use SQRL's identity for synthesizing FIDO2 identities (for use on websites that support FIDO2)' or '1. To store the SQRL secret on a hardware device (for use on websites that support SQRL)'.

ghost commented 2 years ago

Hi all!