Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The web beyond "usernames & passwords"

Francois Marier
August 18, 2012
Programming
3
380

The web beyond "usernames & passwords"

Persona is a new cross-browser login and identity system for the web that is pragmatic, federated, and serves the user. Unlike other popular solutions, it puts a strong emphasis on privacy protection and makes your browser the trusted intermediary. Developed by Mozilla, it is based on the simple idea of users demonstrating ownership of their email address (with a generous serving of crypto magic under the hood).

Video: https://www.youtube.com/watch?v=T6Iu7KgiC0A or https://www.youtube.com/watch?v=iZBTc7iEkQY

Francois Marier

August 18, 2012
Tweet

More Decks by Francois Marier

See All by Francois Marier
Security and Privacy settings for Firefox Power Users
fmarier
0
290
Getting Browsers to Improve the Security of Your Webapp
fmarier
0
260
Hardening Firefox for Privacy and Security
fmarier
0
990
Security and Privacy on the Web in 2016
fmarier
0
200
Privacy and Tracking Protection in Firefox
fmarier
0
270
Security and Privacy on the Web in 2015
fmarier
0
240
Security and Privacy on the Web in 2015
fmarier
0
180
Integrity protection for third-party JavaScript
fmarier
1
760
URL to HTML
fmarier
1
280

Other Decks in Programming

See All in Programming
Less waste, more joy, and a lot more green: How Quarkus makes Java better
hollycummins
0
100
Content Security Policy入門 セキュリティ設定と 違反レポートのはじめ方 / Introduction to Content Security Policy Getting Started with Security Configuration and Violation Reporting
uskey512
1
530
Jakarta EE meets AI
ivargrimstad
0
600
macOS でできる リアルタイム動画像処理
biacco42
9
2.4k
シールドクラスをはじめよう / Getting Started with Sealed Classes
mackey0225
4
640
リアーキテクチャxDDD 1年間の取り組みと進化
hsawaji
1
220
Webの技術スタックで マルチプラットフォームアプリ開発を可能にするElixirDesktopの紹介
thehaigo
2
1k
CSC509 Lecture 11
javiergs
PRO
0
180
詳細解説! ArrayListの仕組みと実装
yujisoftware
0
580
現場で役立つモデリング 超入門
masuda220
PRO
15
3.2k
Jakarta EE meets AI
ivargrimstad
0
530
Make Impossible States Impossibleを 意識してReactのPropsを設計しよう
ikumatadokoro
0
170

Featured

See All Featured
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
Mobile First: as difficult as doing things right
swwweet
222
8.9k
How to Think Like a Performance Engineer
csswizardry
20
1.1k
KATA
mclloyd
29
14k
GraphQLとの向き合い方2022年版
quramy
43
13k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
720
Being A Developer After 40
akosma
86
590k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
Code Review Best Practice
trishagee
64
17k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Statistics for Hackers
jakevdp
796
220k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k

Transcript

  1. François Marier – @fmarier the web beyond usernames & passwords

  2. Username: guido Password: ****************

  3. security

  4. None
  5. None
  6. None
  7. None
  8. None
  9. None

  10. bcrypt

  11. bcrypt per-user salt

  12. bcrypt per-user salt site secret

  13. None

  14. conversion rate

  15. # hits signup

  16. # hits signup signup_complete

  17. # hits signup signup_complete l o s t cust- omers

  18. existing solutions

  19. client certificates

  20. centralized authorities

  21. None
  22. None

  23. distributed

  24. distributed privacy-sensitive

  25. distributed privacy-sensitive simple

  26. distributed privacy-sensitive simple open source

  27. how does Persona work?

  28. [email protected]

  29. getting a proof of email ownership

  30. getting a proof of email ownership authenticate?

  31. getting a proof of email ownership authenticate? public key

  32. getting a proof of email ownership authenticate? public key signed

    public key

  33. you have a signed statement from your provider that you

    own your email address
  34. None
  35. None
  36. None
  37. None

  38. logging into a 3rd party site

  39. logging into a 3rd party site Valid for: 2 minutes

    wikipedia.org assertion

  40. logging into a 3rd party site Valid for: 2 minutes

    wikipedia.org check audience assertion

  41. logging into a 3rd party site Valid for: 2 minutes

    wikipedia.org check audience check expiry assertion

  42. logging into a 3rd party site Valid for: 2 minutes

    wikipedia.org check audience check expiry check signature assertion

  43. logging into a 3rd party site assertion Valid for: 2

    minutes wikipedia.org public key

  44. logging into a 3rd party site assertion Valid for: 2

    minutes wikipedia.org

  45. logging into a 3rd party site assertion session cookie

  46. how much work does it take?

  47. only 75 lines

  48. only 75 lines html – js – python

  49. None

  50. <head> <script src=”https://login.persona.org/include.js”> </script> </head>

  51. navigator.id.watch({ loggedInEmail: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

  52. navigator.id.watch({ loggedInEmail: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

  53. navigator.id.watch({ loggedInEmail: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

  54. navigator.id.watch({ loggedInEmail: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

  55. navigator.id.watch({ loggedInEmail: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });
  56. None

  57. navigator.id.request()

  58. None
  59. None

  60. navigator.id.watch({ loggedInEmail: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });

  61. navigator.id.watch({ loggedInEmail: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });

  62. def verify_assertion(assertion): page = requests.post( 'https://verifier.login.persona.org/verify', Data={ "assertion": assertion, "audience":

    'http://123done.org'}) data = page.json return data.status == 'okay'

  63. { status: “okay”, audience: “http://123done.org”, expires: 1344849682560, email: “[email protected]”, issuer:

    “login.persona.org” }
  64. None

  65. navigator.id.logout()

  66. None

  67. navigator.id.watch({ loggedInEmail: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });

  68. 1. load javascript library

  69. 1. load javascript library 2. setup login & logout callbacks

  70. 1. load javascript library 2. setup login & logout callbacks

    3. add login and logout buttons

  71. 1. load javascript library 2. setup login & logout callbacks

    3. add login and logout buttons 4. verify proof of ownership

  72. decentralization status

  73. 1. identity providers

  74. { status: “okay”, audience: “http://123done.org”, expires: 1344849682560, email: “[email protected]”, issuer:

    “eyedee.me” }

  75. fallback IdP: login.persona.org

  76. { status: “okay”, audience: “http://123done.org”, expires: 1344849682560, email: “[email protected]”, issuer:

    “mozilla.com” }

  77. { status: “okay”, audience: “http://123done.org”, expires: 1344849682560, email: “[email protected]”, issuer:

    “login.persona.org” }
  78. None
  79. None

  80. support for all email providers

  81. 2. browser support

  82. navigator.id.*

  83. <head> <script src=”https://login.persona.org/include.js”> </script> </head>

  84. support for all modern browsers >= 8

  85. None

  86. 3. assertion verification

  87. https://verifier.login.persona.org

  88. =

  89. Persona is open for business!

  90. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/en-US/docs/BrowserID/Why_BrowserID https://developer.mozilla.org/en-US/docs/BrowserID/Quick_Setup https://github.com/mozilla/browserid-cookbook/tree/master/python

    https://github.com/mozilla/browserid/wiki/BrowserID-Libraries https://github.com/mozilla/django-browserid http://123done.org/ @fmarier http://fmarier.org

  91. © 2012 François Marier <[email protected]> This work is licensed under

    a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Laptop password: https://secure.flickr.com/photos/reidrac/4696900602/ Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Photo credits: