Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Mozilla Persona for your domain

Francois Marier
July 10, 2013
Programming
2
180

Mozilla Persona for your domain

Passwords are a big problem on the Web. Users pick bad ones and re-use them all over the place, developers can’t seem to be able to secure them. We need something better, but almost all of the new login systems for the Web rely on centralised gate keepers. We can do better than this.

Persona is a new way of logging users in. It’s simple, decentralised and allows users to choose who can vouch for them. It’s also designed to provide meaningful privacy to all users regardless of their level of expertise.

This talk will highlight the main features of Persona and introduce the crypto behind its underlying protocol, BrowserID. It will also provide an overview of what organisations can do to support Persona natively on their domains.

Francois Marier

July 10, 2013
Tweet

More Decks by Francois Marier

See All by Francois Marier
Security and Privacy settings for Firefox Power Users
fmarier
0
260
Getting Browsers to Improve the Security of Your Webapp
fmarier
0
250
Hardening Firefox for Privacy and Security
fmarier
0
910
Security and Privacy on the Web in 2016
fmarier
0
180
Privacy and Tracking Protection in Firefox
fmarier
0
220
Security and Privacy on the Web in 2015
fmarier
0
190
Security and Privacy on the Web in 2015
fmarier
0
160
Integrity protection for third-party JavaScript
fmarier
1
720
URL to HTML
fmarier
1
240

Other Decks in Programming

See All in Programming
Direct Style Effect Systems The Print[A] Example A Comprehension Aid
philipschwarz
PRO
0
410
Embedding it into Ruby code
soutaro
2
330
Enjoy Creative Coding with Ruby (RubyKaigi2024)
chobishiba
0
740
WebGLで始める コンピュータグラフィックス入門
heller77
0
390
TypeScriptとGraphQLで実現する 型安全なAPI実装 / TSKaigi 2024
hokaccha
5
2.8k
RubyGems on ruby.wasm
kateinoigakukun
0
130
Escolhendo (ou não) o melhor ORM para o seu projeto
andreiacsilva
1
160
Exploring Type-Informed Lint Rules in Rust based TypeScript Linters
unvalley
3
640
WinActorの勉強を継続する方法
tamai_63
0
130
Long journey of Ruby standard library RubyKaigi 2024
andpad
2
230
ペパボOpenTelemetry革命
pyama86
2
1.1k
戦略的DDDは重いのか? / Is strategic DDD heavy?
pictiny
3
2.1k

Featured

See All Featured
ReactJS: Keep Simple. Everything can be a component!
pedronauck
660
120k
We Have a Design System, Now What?
morganepeng
43
6.8k
Robots, Beer and Maslow
schacon
PRO
155
8k
From Idea to $5000 a Month in 5 Months
shpigford
377
45k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
BBQ
matthewcrist
80
8.8k
What the flash - Photography Introduction
edds
64
11k
Adopting Sorbet at Scale
ufuk
69
8.6k
Reflections from 52 weeks, 52 projects
jeffersonlam
345
19k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
221
21k
GitHub's CSS Performance
jonrohan
1025
450k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3.1k

Transcript

  1. François Marier – @fmarier Mozilla Persona for your domain

  2. solving the password problem on the web

  3. problem #1: passwords are hard to secure

  4. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

  5. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

  6. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

  7. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

  8. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

  9. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery 2013 2013 password password guidelines guidelines

  10. passwords are hard to secure they are a liability

  11. ALTER TABLE user DROP COLUMN password;

  12. problem #2: passwords are hard to remember

  13. None
  14. None

  15. users have two strategies

  16. 1. pick an easy password

  17. None

  18. 2. reuse your password

  19. negative externality: sites that don't care about security impose a

    cost on more important sites

  20. passwords are hard to remember they need to be reset

  21. None

  22. control email account control all accounts =

  23. existing login solutions

  24. client certificates

  25. SAML

  26. None
  27. None

  28. existing login systems are not good enough

  29. • decentralised • simple • cross-browser

  30. how does it work?

  31. [email protected]

  32. getting a proof of email ownership

  33. authenticate?

  34. authenticate? public key

  35. authenticate? public key signed public key

  36. you have a signed statement from your provider that you

    own your email address
  37. None

  38. logging into a 3rd party site

  39. Valid for: 2 minutes wikipedia.org assertion

  40. Valid for: 2 minutes wikipedia.org check audience assertion

  41. Valid for: 2 minutes wikipedia.org check audience check expiry assertion

  42. Valid for: 2 minutes wikipedia.org check audience check expiry check

    signature assertion

  43. assertion Valid for: 2 minutes wikipedia.org public key

  44. assertion Valid for: 2 minutes wikipedia.org

  45. assertion session cookie

  46. demo #1: http://crossword.thetimes.co.uk/ [email protected]

  47. Persona is already a decentralised system

  48. SMS with PIN codes

  49. SMS with PIN codes Jabber / XMPP

  50. SMS with PIN codes Jabber / XMPP Yubikeys

  51. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts

  52. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts

    Client certificates

  53. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts

    Client certificates Password-wrapped secret key { "public-key": { "algorithm": "RS", "n":"685484565272...", "e":"65537" }, "encrypted-private-key": { "iv": "tmg7gztUQT...", "salt": "JMtGwlF5UWY", "ct": "8DdOjD1IA1..." }, "authentication": "...", "provisioning": "..." }

  54. decentralisation is the answer, but it's not a product adoption

    strategy

  55. we can't wait for all domains to adopt Persona

  56. we can't wait for all domains to adopt Persona solution:

    a temporary centralised fallback

  57. demo #2: http://sloblog.io/ [email protected]

  58. Persona already works with all email domains

  59. None

  60. Persona supports all modern browsers >= 8

  61. Persona is decentralised, simple and cross-browser

  62. how can I add Persona support to my domain?

  63. support document https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" },

    "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }

  64. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

    "provisioning": "/browserid/provision.html" }

  65. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

    "provisioning": "/browserid/provision.html" }

  66. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

    "provisioning": "/browserid/provision.html" }

  67. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

    "provisioning": "/browserid/provision.html" }

  68. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

  69. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

  70. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

  71. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

  72. as an organization, you control: • details of the authentication

    process

  73. as an organization, you control: • details of the authentication

    process • the duration of certificates

  74. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Quick_Setup https://developer.mozilla.org/Persona/Implementing_a_Persona_IdP https://github.com/mozilla/browserid-cookbook

    https://developer.mozilla.org/docs/Persona/Libraries_and_plugins https://wiki.mozilla.org/Identity#Get_Involved @fmarier http://fmarier.org

  75. © 2013 François Marier <[email protected]> This work is licensed under

    a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Door man: https://secure.flickr.com/photos/wildlife_encounters/8024166802/ Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/ Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/ US passport: https://secure.flickr.com/photos/damian613/5077609023/ Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/ Photo credits: