Securing the Web without site-specific passwords

Transcript

1. François Marier – @fmarier Securing the Web without site-specific passwords

2. François Marier – @fmarier F**k all of these passwords, we

   can do better than this!
3. None
4. None
5. None
6. None
7. None
8. None
9. None
10. None
11. None
12. None

13. problem #1: passwords are hard to secure

14. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

15. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

16. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

17. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

18. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

19. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery 2013 2013 password password guidelines guidelines

20. passwords are hard to secure they are a liability

21. ALTER TABLE user DROP COLUMN password;

22. problem #2: passwords are hard to remember

23. None
24. None

25. pick an easy password

26. pick an easy password use it everywhere

27. negative externality: sites that don't care about security impose a

    cost on more important sites

28. passwords are hard to remember they need to be reset

29. None

30. control email account control all accounts =

31. existing login solutions

32. client certificates

33. None
34. None

35. decentralised

36. myid.com/u/francois

37. None
38. None

39. privacy ®

40. existing login systems are not good enough

41. ideal web-wide identity system

42. • decentralised • simple • cross-browser ideal web-wide identity system

43. • decentralised • simple • cross-browser ideal web-wide identity system

44. • decentralised • simple cross-browser ideal web-wide identity system

45. what if it were a standard part of the web

    browser?
46. None

47. how does it work?

48. [email protected]

49. [email protected]

50. getting a proof of email ownership

51. authenticate?

52. authenticate? public key

53. authenticate? public key signed public key

54. you have a signed statement from your provider that you

    own your email address
55. None

56. logging into a 3rd party site

57. Valid for: 2 minutes wikipedia.org assertion

58. Valid for: 2 minutes wikipedia.org check audience assertion

59. Valid for: 2 minutes wikipedia.org check audience check expiry assertion

60. Valid for: 2 minutes wikipedia.org check audience check expiry check

    signature assertion

61. assertion Valid for: 2 minutes wikipedia.org public key

62. assertion Valid for: 2 minutes wikipedia.org

63. assertion session cookie

64. demo #1: http://www.voo.st/ [email protected]

65. Persona is already a decentralised system

66. SMS with PIN codes

67. SMS with PIN codes Jabber / XMPP

68. SMS with PIN codes Jabber / XMPP Yubikeys

69. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts

70. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts

    Client certificates

71. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts

    Client certificates Password-wrapped secret key { "public-key": { "algorithm": "RS", "n":"685484565272...", "e":"65537" }, "encrypted-private-key": { "iv": "tmg7gztUQT...", "salt": "JMtGwlF5UWY", "ct": "8DdOjD1IA1..." }, "authentication": "...", "provisioning": "..." }

72. decentralisation is the answer, but it's not a product adoption

    strategy

73. we can't wait for all domains to adopt Persona

74. we can't wait for all domains to adopt Persona solution:

    a temporary centralised fallback

75. demo #2: http://sloblog.io/ [email protected]

76. Persona already works with all email domains

77. identity bridging

78. demo #3: http://www.reasonwell.com/ [email protected]

79. None
80. None
81. None

82. Persona supports all modern browsers >= 8

83. Persona is decentralised, simple and cross-browser

84. it's simple for users, but is it also simple for

    developers?
85. None

86. <script src=”https://login.persona.org/include.js”> </script> </body></html>

87. navigator.id.watch({ loggedInEmail: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

88. navigator.id.watch({ loggedInUser: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

89. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

90. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

91. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });
92. None

93. navigator.id.request()

94. None
95. None
96. None

97. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });

98. eyJhbGciOiJEUzEyOCJ9.eyJwdWJsaWMta2V5Ijp7ImFsZ29yaXRobSI6IkRTIiwieSI6ImNhZDg2ZDg yNWU0MjBkMGI4Njk5MjM4ZDM5ZTFjYjIyOGMyMTk1NWFiMzcwOTQ1YzExNzBhMzM4NjcyNDM0ZDJmNGY xZDg5ZjFkZjMzNmU1ZjZjZjk2YjhiOTlmMjgyNmFjNTYxZmI1YWMyYTc4ZjNhMzBkNGYxNTVhYjc3ZGE xYmY3MWU4ZGMzNjQ0MmU2NjQ3MmE5Mjg0N2I2YjFlNDRkMTJlM2IwMjVjOWZmNTFmNDdhMWE5ZWYyMGZ hOTVjMTcxZjBkMTYzNGE4ZTY4YTk5NWU3ZjFjY2FiYTJlOTRjYTI3ODE1ZWVkMTcxYjY1YTJmZGQzNTE 1NjY3OTI0ZjUiLCJwIjoiZmY2MDA0ODNkYjZhYmZjNWI0NWVhYjc4NTk0YjM1MzNkNTUwZDlmMWJmMmE 5OTJhN2E4ZGFhNmRjMzRmODA0NWFkNGU2ZTBjNDI5ZDMzNGVlZWFhZWZkN2UyM2Q0ODEwYmUwMGU0Y2M xNDkyY2JhMzI1YmE4MWZmMmQ1YTViMzA1YThkMTdlYjNiZjRhMDZhMzQ5ZDM5MmUwMGQzMjk3NDRhNTE 3OTM4MDM0NGU4MmExOGM0NzkzMzQzOGY4OTFlMjJhZWVmODEyZDY5YzhmNzVlMzI2Y2I3MGVhMDAwYzN mNzc2ZGZkYmQ2MDQ2MzhjMmVmNzE3ZmMyNmQwMmUxNyIsInEiOiJlMjFlMDRmOTExZDFlZDc5OTEwMDh

    lY2FhYjNiZjc3NTk4NDMwOWMzIiwiZyI6ImM1MmE0YTBmZjNiN2U2MWZkZjE4NjdjZTg0MTM4MzY5YTY xNTRmNGFmYTkyOTY2ZTNjODI3ZTI1Y2ZhNmNmNTA4YjkwZTVkZTQxOWUxMzM3ZTA3YTJlOWUyYTNjZDV kZWE3MDRkMTc1ZjhlYmY2YWYzOTdkNjllMTEwYjk2YWZiMTdjN2EwMzI1OTMyOWU0ODI5YjBkMDNiYmM 3ODk2YjE1YjRhZGU1M2UxMzA4NThjYzM0ZDk2MjY5YWE4OTA0MWY0MDkxMzZjNzI0MmEzODg5NWM5ZDV iY2NhZDRmMzg5YWYxZDdhNGJkMTM5OGJkMDcyZGZmYTg5NjIzMzM5N2EifSwicHJpbmNpcGFsIjp7ImV tYWlsIjoiZm9vQG1vY2tteWlkLmNvbSJ9LCJpYXQiOjEzNzY1MzY0NjM1MTgsImV4cCI6MTM3NjU0MDA 2MzUxOCwiaXNzIjoibW9ja215aWQuY29tIn0.IeUR0_3ayAZkdNSXjF4aaCwSHnHa4X1lzrjX-qkNcPI bXx1hmQQPwg~eyJhbGciOiJEUzEyOCJ9.eyJleHAiOjEzNzY1MzY3MDc2MzUsImF1ZCI6Imh0dHA6Ly9 sb2NhbGhvc3QifQ.NJ8H1qZcWXbXfPJSdgB_mORHQ442ZkY0XYfdQsZZsIjooG7k7qWyVw

99. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });

100. require_once('Auth/BrowserID.php'); $verifier = new Auth_BrowserID('http://123done.org'); $result = $verifier->verifyAssertion($_POST['assertion']);

101. { status: “okay”, audience: “http://123done.org”, expires: 1344849682560, email: “[email protected]”, issuer:

     “login.persona.org” }

102. require_once('Auth/BrowserID.php'); $verifier = new Auth_BrowserID('http://123done.org'); $result = $verifier->verifyAssertion($_POST['assertion']); if ($result->status

     === 'okay') { echo "Hi " . $result->email; } else { echo "Error: " . $result->reason; }

103. { status: “failed”, reason: “assertion has expired” }

104. require_once('Auth/BrowserID.php'); $verifier = new Auth_BrowserID('http://123done.org'); $result = $verifier->verifyAssertion($_POST['assertion']); if ($result->status

     === 'okay') { echo "Hi " . $result->email; } else { echo "Error: " . $result->reason; }
105. None
106. None

107. navigator.id.logout()

108. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

     function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });
109. None

110. 1. load javascript library

111. 1. load javascript library 2. setup login & logout callbacks

112. 1. load javascript library 2. setup login & logout callbacks

     3. add login and logout buttons

113. 1. load javascript library 2. setup login & logout callbacks

     3. add login and logout buttons 4. verify proof of ownership

114. 1. load javascript library 2. setup login & logout callbacks

     3. add login and logout buttons 4. verify proof of ownership no API key needed

115. you can add support for Persona in four easy steps

116. one simple request

117. None

118. building a new site: default to Persona

119. working on an existing site: add support for Persona

120. before

121. after

122. after navigator.id.request()

123. None

124. ALTER TABLE user DROP COLUMN password;

125. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook

     https://developer.mozilla.org/docs/Persona/Libraries_and_plugins http://123done.org/ https://wiki.mozilla.org/Identity#Get_Involved @fmarier http://fmarier.org

126. identity provider API https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537"

     }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }

127. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

     "provisioning": "/browserid/provision.html" } identity provider API

128. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

     "provisioning": "/browserid/provision.html" } identity provider API

129. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

     "provisioning": "/browserid/provision.html" } identity provider API

130. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

     "provisioning": "/browserid/provision.html" } identity provider API

131. identity provider API 1. check for your /.well-known/browserid 2. try

     the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

132. identity provider API 1. check for your /.well-known/browserid 2. try

     the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

133. identity provider API 1. check for your /.well-known/browserid 2. try

     the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

134. identity provider API 1. check for your /.well-known/browserid 2. try

     the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

135. © 2013 François Marier <[email protected]> This work is licensed under

     a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/ Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/ Australian passport: https://secure.flickr.com/photos/digallagher/5453987637/ Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/ Photo credits: