
Persona: in your browsers, killing your passwords


Introduction to Persona, a new cross-browser login system for the web that's built entirely in JavaScript. Powered by node.js on the backend, it pushes most of the crypto to the browser in order to create a secure and privacy-sensitive experience.

Francois Marier

November 15, 2012



Transcript

  1. 2012 password guidelines: bcrypt, per-user salt, site secret, password & lockout policies, secure recovery
  2. js

  3. ```javascript
     navigator.id.watch({
       loggedInEmail: "[email protected]",
       onlogin: function (assertion) {
         $.post('/login', {assertion: assertion},
           function (data) {
             // do something
           }
         );
       },
       onlogout: function () {
         window.location = '/logout';
       }
     });
     ```
  4. ```javascript
     navigator.id.watch({
       loggedInUser: "[email protected]",
       onlogin: function (assertion) {
         $.post('/login', {assertion: assertion},
           function (data) {
             // do something
           }
         );
       },
       onlogout: function () {
         window.location = '/logout';
       }
     });
     ```
  5. ```javascript
     navigator.id.watch({
       loggedInUser: null,
       onlogin: function (assertion) {
         $.post('/login', {assertion: assertion},
           function (data) {
             // do something
           }
         );
       },
       onlogout: function () {
         window.location = '/logout';
       }
     });
     ```
  7. ```javascript
     navigator.id.watch({
       loggedInUser: null,
       onlogin: function (assertion) {
         $.post('/login', {assertion: assertion},
           function (data) {
             window.location = '/';
           }
         );
       },
       onlogout: function () {
         window.location = '/logout';
       }
     });
     ```
  9. ```javascript
     navigator.id.watch({
       loggedInUser: null,
       onlogin: function (assertion) {
         $.post('/login', {assertion: assertion},
           function (data) {
             window.location = '/home';
           }
         );
       },
       onlogout: function () {
         window.location = '/logout';
       }
     });
     ```
  10. ```javascript
      var https = require('https');

      // body and onVerifyResponse are defined on the next slide
      var request = https.request({
        host: 'verifier.login.persona.org',
        path: '/verify',
        method: 'POST',
        headers: {
          'content-type': 'application/x-www-form-urlencoded',
          'content-length': body.length
        }
      }, onVerifyResponse);
      ```
  11. ```javascript
      var https = require('https');
      var qs = require('querystring');

      // The body must be built before the request so that content-length
      // is known (the original slide declared it afterwards).
      var body = qs.stringify({
        assertion: assertion,
        audience: 'http://123done.org'
      });

      var request = https.request({
        host: 'verifier.login.persona.org',
        path: '/verify',
        method: 'POST',
        headers: {
          'content-type': 'application/x-www-form-urlencoded',
          'content-length': body.length
        }
      }, onVerifyResponse);

      request.write(body);
      request.end();
      ```
  13. ```javascript
      navigator.id.watch({
        loggedInUser: null,
        onlogin: function (assertion) {
          $.post('/login', {assertion: assertion},
            function (data) {
              window.location = '/home';
            }
          );
        },
        onlogout: function () {
          window.location = '/logout';
        }
      });
      ```
  14. 1. load JavaScript library
      2. set up login & logout callbacks
      3. add login and logout buttons
      4. verify proof of ownership
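The server-side half of step 4, as an added example that is not part of the deck: post the assertion to the verifier exactly as the `https.request` slide does, then check the verifier's answer before trusting the email. The response field names (`status`, `email`, `audience`, `expires`, `reason`) are those of the Persona verifier's JSON reply; the sample responses are constructed, and the public verifier was shut down in 2016, so the network call is shown for reference only.

```javascript
// Added example (not from the deck): relying-party side of "verify proof of ownership".
const VERIFIER_URL = 'https://verifier.login.persona.org/verify';

// Pure check over the verifier's parsed JSON reply. Returns the verified email,
// or null if the assertion must be rejected. `now` is injectable for testing.
function checkVerifierResponse(resp, expectedAudience, now = Date.now()) {
  if (!resp || resp.status !== 'okay') return null;              // {status:'failure', reason:...}
  if (resp.audience !== expectedAudience) return null;           // minted for another site
  if (typeof resp.expires !== 'number' || resp.expires <= now) return null; // stale assertion
  if (typeof resp.email !== 'string' || resp.email.indexOf('@') < 1) return null;
  return resp.email;
}

// Network half: same form-encoded POST as the deck's https.request, using the
// global fetch (Node 18+). `audience` must be this site's own scheme://host[:port],
// never a value taken from the client request; otherwise an assertion issued for
// a different site would verify successfully here.
async function verifyAssertion(assertion, audience) {
  const body = new URLSearchParams({ assertion, audience }).toString();
  const res = await fetch(VERIFIER_URL, {
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body,
  });
  return checkVerifierResponse(await res.json(), audience);
}

// Constructed sample replies in the verifier's shape (expires is ms since epoch).
const SAMPLE_OK = {
  status: 'okay',
  email: 'user@example.com',
  audience: 'http://123done.org',
  expires: 4102444800000,
  issuer: 'login.persona.org',
};
const SAMPLE_FAIL = { status: 'failure', reason: 'audience mismatch' };

// Usage: only the audience that matches this site and a future expiry pass.
console.log(checkVerifierResponse(SAMPLE_OK, 'http://123done.org', 1000));   // user@example.com
console.log(checkVerifierResponse(SAMPLE_OK, 'http://other.example', 1000)); // null
console.log(checkVerifierResponse(SAMPLE_FAIL, 'http://123done.org', 1000)); // null
```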
  15. To learn more about Persona:
      - https://login.persona.org/
      - http://identity.mozilla.com/
      - https://developer.mozilla.org/docs/Persona/Why_Persona
      - https://developer.mozilla.org/docs/Persona/Quick_Setup
      - https://github.com/mozilla/browserid-cookbook
      - https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
      - http://123done.org/
      - https://hacks.mozilla.org/category/a-node-js-holiday-season/
      - @fmarier http://fmarier.org
  16. © 2012 François Marier <[email protected]> This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.
      Photo credits:
      - Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
      - Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
      - Elephant in room: https://secure.flickr.com/photos/bitboy/246805948/
      - Beach flower: https://secure.flickr.com/photos/vwingate/4696429215/
      - Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/