Passwords and freedom: can we lose the former and retain the latter?

Transcript

1. François Marier – @fmarier passwords and freedom: can we lose

   the former and retain the latter?

2. passwords

3. problem #1: passwords are hard to secure

4. None
5. None
6. None
7. None
8. None
9. None
10. None
11. None
12. None
13. None

14. passwords are hard to secure they are a liability

15. ALTER TABLE user DROP COLUMN password;

16. problem #2: passwords are hard to remember

17. pick an easy password

18. pick an easy password use it everywhere

19. None
20. None

21. decentralized

22. privacy ®

23. existing login systems are not good enough

24. ideal web-wide identity system

25. • decentralized • simple • cross-browser ideal web-wide identity system

26. • decentralized • simple • cross-browser ideal web-wide identity system

27. • decentralized • simple • cross-browser ideal web-wide identity system

28. • decentralized • simple • cross-browser

29. how does it work?

30. [email protected]

31. None

32. demo #1: http://crossword.thetimes.co.uk/ [email protected]

33. Persona is already a decentralized system

34. decentralization is the answer, but it's not a product adoption

    strategy

35. we can't wait for all domains to adopt Persona

36. we can't wait for all domains to adopt Persona solution:

    a temporary centralized fallback

37. demo #2: http://sloblog.io [email protected]

38. Persona already works with all email domains

39. identity bridging

40. demo #3: http://www.reasonwell.com/ [email protected]

41. None
42. None
43. None

44. Persona supports all modern browsers >= 8

45. Persona is decentralized, simple and cross-browser

46. it's simple for users, but is it also simple for

    developers?
47. None

48. <script src=”https://login.persona.org/include.js”> </script> </body></html>

49. navigator.id.watch({ loggedInEmail: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

50. navigator.id.watch({ loggedInUser: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

51. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

52. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

53. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });
54. None

55. navigator.id.request()

56. None
57. None
58. None

59. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });

60. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });

61. $ curl -d "assertion=<ASSERTION>& audience=http://123done.org" https://verifier.login.persona.org/verify

62. $ curl -d "assertion=<ASSERTION>& audience=http://123done.org" https://verifier.login.persona.org/verify

63. { status: “okay”, audience: “http://123done.org”, expires: 1344849682560, email: “[email protected]”, issuer:

    “login.persona.org” }

64. { status: “failed”, reason: “assertion has expired” }

65. None
66. None
67. None

68. navigator.id.logout()

69. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });
70. None

71. 1. load javascript library

72. 1. load javascript library 2. setup login & logout callbacks

73. 1. load javascript library 2. setup login & logout callbacks

    3. add login and logout buttons

74. 1. load javascript library 2. setup login & logout callbacks

    3. add login and logout buttons 4. verify proof of ownership

75. you can add support for Persona in four easy steps

76. one simple request

77. None

78. building a new site: default to Persona

79. working on an existing site/app: add support for Persona

80. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook

    https://developer.mozilla.org/docs/Persona/Libraries_and_plugins http://123done.org/ https://wiki.mozilla.org/Identity#Get_Involved @fmarier http://fmarier.org

81. identity provider API https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537"

    }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }

82. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

    "provisioning": "/browserid/provision.html" } identity provider API

83. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

    "provisioning": "/browserid/provision.html" } identity provider API

84. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

    "provisioning": "/browserid/provision.html" } identity provider API

85. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

    "provisioning": "/browserid/provision.html" } identity provider API

86. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

87. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

88. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

89. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

90. © 2013 François Marier <[email protected]> This work is licensed under

    a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Hotel doorman: https://secure.flickr.com/photos/wildlife_encounters/8024166802/ Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/ Photo credits: