Passwords suck, but centralized proprietary services are not the answer

Transcript

1. François Marier – @fmarier P a s s w o

   r d s s u c k but centralized proprietary services are not the answer

2. member number 4061

3. None

4. 501c3

5. keeping the web open & innovative mission

6. free software privacy users in control principles

7. threat: passwords

8. threat: passwords password alternatives

9. why?

10. passwords are hard to remember

11. None

12. re-use

13. None
14. None
15. None
16. None
17. None
18. None
19. None
20. None

21. not just another technical problem

22. None
23. None
24. None

25. wanted: better login solution for free software developers

26. None

27. decentralized

28. myid.com/u/francois

29. None
30. None
31. None
32. None

33. privacy ®

34. using the web should not require a Facebook account

35. None

36. decentralized

37. privacy-sensitive decentralized

38. privacy-sensitive simple decentralized

39. privacy-sensitive simple free software decentralized

40. in your browser

41. how does it work?

42. [email protected]

43. <digital signatures 101>

44. private public

45. public

46. My name is François Marier and my email is too

    long to fit on one line.

47. My name is François Marier and my email is too

    long to fit on one line. private

48. My name is François Marier and my email is too

    long to fit on one line. public

49. sign verify

50. </digital signatures 101>

51. [email protected]

52. getting a proof of email ownership

53. authenticate?

54. authenticate? public key

55. authenticate? public key signed public key

56. you have a signed statement from your provider that you

    own your email address
57. None
58. None
59. None
60. None
61. None
62. None
63. None

64. logging into a 3rd party site

65. assertion Valid for: 2 minutes mediagoblin.org

66. check audience assertion Valid for: 2 minutes mediagoblin.org

67. check audience check expiry assertion Valid for: 2 minutes mediagoblin.org

68. check audience check expiry check signature assertion Valid for: 2

    minutes mediagoblin.org

69. assertion public key Valid for: 2 minutes mediagoblin.org

70. assertion Valid for: 2 minutes mediagoblin.org

71. assertion session cookie

72. Persona is federated & protects your privacy

73. achieving the vision

74. None

75. email providers browser vendors

76. email providers

77. [email protected]

78. [email protected]

79. fallback identity provider

80. None
81. None
82. None

83. persona.org account

84. support for all email providers

85. browser vendors

86. navigator.id.*

87. None
88. None
89. None

90. js

91. support for all modern browsers >= 8

92. support for all modern browsers >= 8

93. support for free browsers too

94. email providers browser vendors

95. using it on your site

96. None

97. <script src=”https://login.persona.org/include.js”> </script> </body></html>

98. navigator.id.watch({ loggedInEmail: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

99. navigator.id.watch({ loggedInUser: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

100. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

     function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

101. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

     function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

102. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

     function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });
103. None

104. navigator.id.request()

105. None
106. None
107. None

108. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

     function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });

109. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

     function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });

110. def verify_assertion(assertion): page = requests.post( 'https://verifier.login.persona.org/verify', Data={ "assertion": assertion, "audience":

     'http://123done.org'}) data = page.json return data.status == 'okay'

111. def verify_assertion(assertion): page = requests.post( 'https://verifier.login.persona.org/verify', Data={ "assertion": assertion, "audience":

     'http://123done.org'}) data = page.json return data.status == 'okay'

112. { status: “okay”, audience: “http://123done.org”, expires: 1344849682560, email: “[email protected]”, issuer:

     “login.persona.org” }

113. { status: “failed”, reason: “assertion has expired” }

114. None
115. None
116. None

117. navigator.id.logout()

118. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

     function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });
119. None

120. 1. load javascript library

121. 1. load javascript library 2. setup login & logout callbacks

122. 1. load javascript library 2. setup login & logout callbacks

     3. add login and logout buttons

123. 1. load javascript library 2. setup login & logout callbacks

     3. add login and logout buttons 4. verify proof of ownership

124. you can add Persona to your site in one afternoon

125. wanna help us solve the password problem?

126. add Persona to your project/site tell us about your experience

     email one site asking for it

127. add Persona to your project/site tell us about your experience

     email one site asking for it

128. add Persona to your project/site tell us about your experience

     email one site asking for it
129. None

130. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook

     https://developer.mozilla.org/docs/Persona/Libraries_and_plugins http://123done.org/ https://wiki.mozilla.org/Identity#Get_Involved @fmarier http://fmarier.org

131. Who's using Persona?

132. identity provider API https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537"

     }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }

133. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

     "provisioning": "/browserid/provision.html" } identity provider API

134. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

     "provisioning": "/browserid/provision.html" } identity provider API

135. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

     "provisioning": "/browserid/provision.html" } identity provider API

136. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

     "provisioning": "/browserid/provision.html" } identity provider API

137. identity provider API 1. check for your /.well-known/browserid 2. try

     the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

138. identity provider API 1. check for your /.well-known/browserid 2. try

     the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

139. identity provider API 1. check for your /.well-known/browserid 2. try

     the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

140. identity provider API 1. check for your /.well-known/browserid 2. try

     the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

141. © 2013 François Marier <[email protected]> This work is licensed under

     a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Laptop password: https://secure.flickr.com/photos/reidrac/4696900602/ Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Elephant in room: https://secure.flickr.com/photos/bitboy/246805948/ Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/ Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/ US passport: https://secure.flickr.com/photos/damian613/5077609023/ Photo credits: