Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Persona: a federated and privacy-protecting log...

Persona: a federated and privacy-protecting login system for the whole Web

Websites that need to identify their users commonly use one of two methods: a username & password scheme that's hard to secure and creates a lot of pain for users, or a centralized proprietary service on which many of their users already have accounts.

There must a better way. A cross-browser solution for authenticating users which feels like the Web and preserves the decentralized architecture necessary for an open network. We present Mozilla Persona.

Francois Marier

August 24, 2013

More Decks by Francois Marier

Other Decks in Programming


  1. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery 2013 2013 password password guidelines guidelines
  2. why email addresses? already federated people know their email natural

    association between person & email easy to have separate identities most sites need a way to contact users no lock-in
  3. why email addresses? already federated people know their email natural

    association between person & email easy to have separate identities most sites need a way to contact users no lock-in
  4. why email addresses? already federated people know their email natural

    association between person & email easy to have separate identities most sites need a way to contact users no lock-in
  5. why email addresses? already federated people know their email natural

    association between person & email easy to have separate identities most sites need a way to contact users no lock-in
  6. why email addresses? already federated people know their email natural

    association between person & email easy to have separate identities most sites need a way to contact users no lock-in
  7. why email addresses? already federated people know their email natural

    association between person & email easy to have separate identities most sites need a way to contact users no lock-in
  8. navigator.id.watch({ loggedInEmail: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });
  9. navigator.id.watch({ loggedInUser: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });
  10. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });
  11. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });
  12. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });
  13. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });

  15. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });
  16. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });
  17. 1. load javascript library 2. setup login & logout callbacks

    3. add login and logout buttons 4. verify proof of ownership
  18. 1. load javascript library 2. setup login & logout callbacks

    3. add login and logout buttons 4. verify proof of ownership no API key needed
  19. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook

    https://developer.mozilla.org/docs/Persona/Libraries_and_plugins http://123done.org/ https://wiki.mozilla.org/Identity#Get_Involved @fmarier http://fmarier.org
  20. identity provider API https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537"

    }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }
  21. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
  22. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
  23. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
  24. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
  25. © 2013 François Marier <[email protected]> This work is licensed under

    a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Hotel doorman: https://secure.flickr.com/photos/wildlife_encounters/8024166802/ Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/ Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/ Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/ Photo credits: