Securing the Web without site-specific passwords

Transcript

1. François Marier – @fmarier Securing the Web without site-specific passwords

2. François Marier – @fmarier F**k all of these passwords, we

   can do better than this!

3. solving the password problem on the web

4. problem #1: passwords are hard to secure

5. None
6. None
7. None
8. None
9. None
10. None
11. None
12. None
13. None
14. None

15. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

16. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

17. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

18. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

19. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

20. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery 2013 2013 password password guidelines guidelines

21. passwords are hard to secure they are a liability

22. ALTER TABLE user DROP COLUMN password;

23. problem #2: passwords are hard to remember

24. users have two strategies

25. 1. pick an easy password

26. None
27. None
28. None

29. 2. reuse your password

30. negative externality: sites that don't care about security impose a

    cost on more important sites

31. passwords are hard to remember they need to be reset

32. None

33. control email account control all accounts =

34. existing login solutions

35. client certificates

36. None

37. centralised authorities

38. existing login systems are not good enough

39. ideal web-wide identity system

40. • decentralised • simple • cross-browser ideal web-wide identity system

41. • decentralised • simple • cross-browser ideal web-wide identity system

42. • decentralised • simple • cross-browser ideal web-wide identity system

43. • decentralised • simple • cross-browser

44. how does it work?

45. [email protected]

46. getting a proof of email ownership

47. authenticate?

48. authenticate? public key

49. authenticate? public key signed public key

50. you have a signed statement from your provider that you

    own your email address
51. None

52. logging into a 3rd party site

53. Valid for: 2 minutes wikipedia.org assertion

54. Valid for: 2 minutes wikipedia.org check audience assertion

55. Valid for: 2 minutes wikipedia.org check audience check expiry assertion

56. Valid for: 2 minutes wikipedia.org check audience check expiry check

    signature assertion

57. assertion Valid for: 2 minutes wikipedia.org public key

58. assertion Valid for: 2 minutes wikipedia.org

59. assertion session cookie

60. demo #1: http://crossword.thetimes.co.uk/ [email protected]

61. Persona is already a decentralised system

62. decentralisation matters for:

63. decentralisation matters for: • choice • security • innovation

64. decentralisation matters for: • choice • security • innovation

65. decentralisation matters for: • choice • security • innovation

66. SMS with PIN codes

67. SMS with PIN codes Jabber / XMPP

68. SMS with PIN codes Jabber / XMPP Yubikeys

69. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts

70. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts

    Client certificates

71. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts

    Client certificates Password-wrapped secret key { "public-key": { "algorithm": "RS", "n":"685484565272...", "e":"65537" }, "encrypted-private-key": { "iv": "tmg7gztUQT...", "salt": "JMtGwlF5UWY", "ct": "8DdOjD1IA1..." }, "authentication": "...", "provisioning": "..." }

72. decentralisation enables innovation

73. decentralisation is the answer, but it's not a product adoption

    strategy

74. we can't wait for all domains to adopt Persona

75. we can't wait for all domains to adopt Persona solution:

    a temporary centralised fallback

76. demo #2: http://sloblog.io/ [email protected]

77. Persona already works with all email domains

78. identity bridging

79. demo #3: http://www.reasonwell.com/ [email protected]

80. None
81. None
82. None

83. Persona supports all modern browsers >= 8

84. Persona is decentralised, simple and cross-browser

85. it's simple for users, but is it also simple for

    developers?
86. None

87. <script src=”https://login.persona.org/include.js”> </script> </body></html>

88. navigator.id.watch({ loggedInEmail: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

89. navigator.id.watch({ loggedInUser: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

90. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

91. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

92. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });
93. None

94. navigator.id.request()

95. None
96. None
97. None

98. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });

99. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });

100. $ curl -d "assertion=<ASSERTION>& audience=http://123done.org" https://verifier.login.persona.org/verify

101. $ curl -d "assertion=<ASSERTION>& audience=http://123done.org" https://verifier.login.persona.org/verify

102. { status: “okay”, audience: “http://123done.org”, expires: 1344849682560, email: “[email protected]”, issuer:

     “login.persona.org” }

103. { status: “failed”, reason: “assertion has expired” }

104. None
105. None
106. None

107. navigator.id.logout()

108. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

     function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });
109. None

110. 1. load javascript library

111. 1. load javascript library 2. setup login & logout callbacks

112. 1. load javascript library 2. setup login & logout callbacks

     3. add login and logout buttons

113. 1. load javascript library 2. setup login & logout callbacks

     3. add login and logout buttons 4. verify proof of ownership

114. you can add support for Persona in four easy steps

115. one simple request

116. None

117. building a new site: default to Persona

118. working on an existing site: add support for Persona

119. we need your help to eliminate site-specific passwords

120. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook

     https://developer.mozilla.org/docs/Persona/Libraries_and_plugins http://123done.org/ https://wiki.mozilla.org/Identity#Get_Involved @fmarier http://fmarier.org

121. identity provider API https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537"

     }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }

122. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

     "provisioning": "/browserid/provision.html" } identity provider API

123. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

     "provisioning": "/browserid/provision.html" } identity provider API

124. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

     "provisioning": "/browserid/provision.html" } identity provider API

125. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

     "provisioning": "/browserid/provision.html" } identity provider API

126. identity provider API 1. check for your /.well-known/browserid 2. try

     the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

127. identity provider API 1. check for your /.well-known/browserid 2. try

     the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

128. identity provider API 1. check for your /.well-known/browserid 2. try

     the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

129. identity provider API 1. check for your /.well-known/browserid 2. try

     the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

130. © 2013 François Marier <[email protected]> This work is licensed under

     a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/ Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/ Australian passport: https://secure.flickr.com/photos/digallagher/5453987637/ Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/ Photo credits: