Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The web beyond "usernames & passwords"

Francois Marier
August 18, 2012
Programming
3
370

The web beyond "usernames & passwords"

Persona is a new cross-browser login and identity system for the web that is pragmatic, federated, and serves the user. Unlike other popular solutions, it puts a strong emphasis on privacy protection and makes your browser the trusted intermediary. Developed by Mozilla, it is based on the simple idea of users demonstrating ownership of their email address (with a generous serving of crypto magic under the hood).

Video: https://www.youtube.com/watch?v=T6Iu7KgiC0A or https://www.youtube.com/watch?v=iZBTc7iEkQY

Francois Marier

August 18, 2012
Tweet

More Decks by Francois Marier

See All by Francois Marier
Security and Privacy settings for Firefox Power Users
fmarier
0
260
Getting Browsers to Improve the Security of Your Webapp
fmarier
0
250
Hardening Firefox for Privacy and Security
fmarier
0
910
Security and Privacy on the Web in 2016
fmarier
0
180
Privacy and Tracking Protection in Firefox
fmarier
0
210
Security and Privacy on the Web in 2015
fmarier
0
180
Security and Privacy on the Web in 2015
fmarier
0
160
Integrity protection for third-party JavaScript
fmarier
1
710
URL to HTML
fmarier
1
240

Other Decks in Programming

See All in Programming
エンターテイメント業界で利用されるAWS
demuyan
0
200
Milestoner
bkuhlmann
1
400
Git Lint
bkuhlmann
4
740
Ruby Function Composition
bkuhlmann
1
330
Netty Chicago Java User Group 2024-04-17
sullis
0
110
What We Can Learn From OSS
inouehi
0
400
try!Swift Tokyo 2024 参加報告 LT
akidon0000
1
190
ADRを一年運用してみた/adr_after_a_year
hanhan1978
7
2.2k
Javaエンジニアのための Nodejs/Nuxt3入門
hidekatsu_izuno
0
280
Changed Rules: Architectures with Lightweight Stores
manfredsteyer
PRO
0
230
コーンフレークから始める モデリング会話入門
ogurotakayuki
0
280
Folding Cheat Sheet #3
philipschwarz
PRO
0
110

Featured

See All Featured
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
60
14k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.9k
Build your cross-platform service in a week with App Engine
jlugia
225
17k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
240
1.2M
Writing Fast Ruby
sferik
620
60k
Reflections from 52 weeks, 52 projects
jeffersonlam
344
19k
Bash Introduction
62gerente
604
210k
How to Ace a Technical Interview
jacobian
272
22k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
[RailsConf 2023] Rails as a piece of cake
palkan
22
3.9k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k

Transcript

  1. François Marier – @fmarier the web beyond usernames & passwords

  2. Username: guido Password: ****************

  3. security

  4. None
  5. None
  6. None
  7. None
  8. None
  9. None

  10. bcrypt

  11. bcrypt per-user salt

  12. bcrypt per-user salt site secret

  13. None

  14. conversion rate

  15. # hits signup

  16. # hits signup signup_complete

  17. # hits signup signup_complete l o s t cust- omers

  18. existing solutions

  19. client certificates

  20. centralized authorities

  21. None
  22. None

  23. distributed

  24. distributed privacy-sensitive

  25. distributed privacy-sensitive simple

  26. distributed privacy-sensitive simple open source

  27. how does Persona work?

  28. [email protected]

  29. getting a proof of email ownership

  30. getting a proof of email ownership authenticate?

  31. getting a proof of email ownership authenticate? public key

  32. getting a proof of email ownership authenticate? public key signed

    public key

  33. you have a signed statement from your provider that you

    own your email address
  34. None
  35. None
  36. None
  37. None

  38. logging into a 3rd party site

  39. logging into a 3rd party site Valid for: 2 minutes

    wikipedia.org assertion

  40. logging into a 3rd party site Valid for: 2 minutes

    wikipedia.org check audience assertion

  41. logging into a 3rd party site Valid for: 2 minutes

    wikipedia.org check audience check expiry assertion

  42. logging into a 3rd party site Valid for: 2 minutes

    wikipedia.org check audience check expiry check signature assertion

  43. logging into a 3rd party site assertion Valid for: 2

    minutes wikipedia.org public key

  44. logging into a 3rd party site assertion Valid for: 2

    minutes wikipedia.org

  45. logging into a 3rd party site assertion session cookie

  46. how much work does it take?

  47. only 75 lines

  48. only 75 lines html – js – python

  49. None

  50. <head> <script src=”https://login.persona.org/include.js”> </script> </head>

  51. navigator.id.watch({ loggedInEmail: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

  52. navigator.id.watch({ loggedInEmail: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

  53. navigator.id.watch({ loggedInEmail: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

  54. navigator.id.watch({ loggedInEmail: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

  55. navigator.id.watch({ loggedInEmail: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });
  56. None

  57. navigator.id.request()

  58. None
  59. None

  60. navigator.id.watch({ loggedInEmail: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });

  61. navigator.id.watch({ loggedInEmail: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });

  62. def verify_assertion(assertion): page = requests.post( 'https://verifier.login.persona.org/verify', Data={ "assertion": assertion, "audience":

    'http://123done.org'}) data = page.json return data.status == 'okay'

  63. { status: “okay”, audience: “http://123done.org”, expires: 1344849682560, email: “[email protected]”, issuer:

    “login.persona.org” }
  64. None

  65. navigator.id.logout()

  66. None

  67. navigator.id.watch({ loggedInEmail: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });

  68. 1. load javascript library

  69. 1. load javascript library 2. setup login & logout callbacks

  70. 1. load javascript library 2. setup login & logout callbacks

    3. add login and logout buttons

  71. 1. load javascript library 2. setup login & logout callbacks

    3. add login and logout buttons 4. verify proof of ownership

  72. decentralization status

  73. 1. identity providers

  74. { status: “okay”, audience: “http://123done.org”, expires: 1344849682560, email: “[email protected]”, issuer:

    “eyedee.me” }

  75. fallback IdP: login.persona.org

  76. { status: “okay”, audience: “http://123done.org”, expires: 1344849682560, email: “[email protected]”, issuer:

    “mozilla.com” }

  77. { status: “okay”, audience: “http://123done.org”, expires: 1344849682560, email: “[email protected]”, issuer:

    “login.persona.org” }
  78. None
  79. None

  80. support for all email providers

  81. 2. browser support

  82. navigator.id.*

  83. <head> <script src=”https://login.persona.org/include.js”> </script> </head>

  84. support for all modern browsers >= 8

  85. None

  86. 3. assertion verification

  87. https://verifier.login.persona.org

  88. =

  89. Persona is open for business!

  90. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/en-US/docs/BrowserID/Why_BrowserID https://developer.mozilla.org/en-US/docs/BrowserID/Quick_Setup https://github.com/mozilla/browserid-cookbook/tree/master/python

    https://github.com/mozilla/browserid/wiki/BrowserID-Libraries https://github.com/mozilla/django-browserid http://123done.org/ @fmarier http://fmarier.org

  91. © 2012 François Marier <[email protected]> This work is licensed under

    a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Laptop password: https://secure.flickr.com/photos/reidrac/4696900602/ Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Photo credits: