Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Web beyond "usernames & passwords" (OSDC12)

Francois Marier
December 07, 2012
Programming
1
380

The Web beyond "usernames & passwords" (OSDC12)

Identity systems on the Web are a bit of a mess. Surely in 2012, we would have something else than usernames and passwords for logging into websites. A solution that doesn't require trusting a central authority with a privacy policy that can change at a whim.

It turns out that solving the general identity problem is very hard. Some of these solutions require complicated redirections, an overwhelming amount of jargon and lots of verbose XML. The technology has been around for a long time, but implementing it properly (and safely) is often incredibly difficult. It's a lot to ask of the millions of part-time developers out there that are building sites out of some quick HTML, a MySQL database and some PHP Code samples.

This talk will explore the challenges of the existing Web identity solutions and introduce the choices that we made during the development of Persona, a new Open Source federated identity solution from Mozilla, designed and built to respect user privacy.

Francois Marier

December 07, 2012
Tweet

More Decks by Francois Marier

See All by Francois Marier
Security and Privacy settings for Firefox Power Users
fmarier
0
290
Getting Browsers to Improve the Security of Your Webapp
fmarier
0
260
Hardening Firefox for Privacy and Security
fmarier
0
990
Security and Privacy on the Web in 2016
fmarier
0
200
Privacy and Tracking Protection in Firefox
fmarier
0
270
Security and Privacy on the Web in 2015
fmarier
0
240
Security and Privacy on the Web in 2015
fmarier
0
180
Integrity protection for third-party JavaScript
fmarier
1
760
URL to HTML
fmarier
1
280

Other Decks in Programming

See All in Programming
AWS IaCの注目アップデート 2024年10月版
konokenj
3
3.3k
ピラミッド、アイスクリームコーン、SMURF: 自動テストの最適バランスを求めて / Pyramid Ice-Cream-Cone and SMURF
twada
PRO
10
1.3k
Flutterを言い訳にしない!アプリの使い心地改善テクニック5選🔥
kno3a87
1
150
Outline View in SwiftUI
1024jp
1
320
Jakarta EE meets AI
ivargrimstad
0
590
What’s New in Compose Multiplatform - A Live Tour (droidcon London 2024)
zsmb
1
470
「今のプロジェクトいろいろ大変なんですよ、app/services とかもあって……」/After Kaigi on Rails 2024 LT Night
junk0612
5
2.1k
Generative AI Use Cases JP (略称:GenU)奮闘記
hideg
1
290
距離関数を極める! / SESSIONS 2024
gam0022
0
280
GitHub Actionsのキャッシュと手を挙げることの大切さとそれに必要なこと
satoshi256kbyte
5
430
Arm移行タイムアタック
qnighy
0
310
Remix on Hono on Cloudflare Workers
yusukebe
1
280

Featured

See All Featured
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
Building an army of robots
kneath
302
43k
Gamification - CAS2011
davidbonilla
80
5k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
We Have a Design System, Now What?
morganepeng
50
7.2k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Raft: Consensus for Rubyists
vanstee
136
6.6k
Speed Design
sergeychernyshev
24
610
The Pragmatic Product Professional
lauravandoore
31
6.3k
Adopting Sorbet at Scale
ufuk
73
9.1k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k

Transcript

  1. François Marier – @fmarier T h e W e b

    b e y o n d “Usernames & Passwords”

  2. Username: francois Password: **************** X Sign in

  3. security

  4. None
  5. None
  6. None
  7. None
  8. None
  9. None

  10. bcrypt

  11. bcrypt per-user salt

  12. bcrypt per-user salt site secret

  13. bcrypt per-user salt site secret password & lockout policies

  14. bcrypt per-user salt site secret password & lockout policies secure

    recovery

  15. bcrypt per-user salt site secret password & lockout policies secure

    recovery 2012 2012 password password guidelines guidelines
  16. None

  17. conversion rate

  18. # hits signup

  19. # hits signup signup_complete

  20. # hits signup signup_complete l o s t cust- omers

  21. existing solutions

  22. client certificates

  23. centralized authorities

  24. None

  25. so... storing passwords is hard

  26. so... storing passwords is hard no suitable alternatives

  27. None

  28. decentralized

  29. privacy-sensitive decentralized

  30. privacy-sensitive simple decentralized

  31. privacy-sensitive simple open source decentralized

  32. in your browser

  33. how does it work?

  34. [email protected]

  35. getting a proof of email ownership

  36. authenticate?

  37. authenticate? public key

  38. authenticate? public key signed public key

  39. you have a signed statement from your provider that you

    own your email address
  40. None
  41. None
  42. None
  43. None
  44. None
  45. None
  46. None

  47. logging into a 3rd party site

  48. Valid for: 2 minutes wikipedia.org assertion

  49. Valid for: 2 minutes wikipedia.org check audience assertion

  50. Valid for: 2 minutes wikipedia.org check audience check expiry assertion

  51. Valid for: 2 minutes wikipedia.org check audience check expiry check

    signature assertion

  52. assertion Valid for: 2 minutes wikipedia.org public key

  53. assertion Valid for: 2 minutes wikipedia.org

  54. assertion session cookie

  55. achieving that vision

  56. None

  57. email providers browser vendors

  58. email providers

  59. [email protected]

  60. [email protected]

  61. None
  62. None
  63. None

  64. support for all email providers

  65. browser vendors

  66. navigator.id.*

  67. js

  68. support for all modern browsers >= 8

  69. support for all modern browsers >= 8

  70. using it on your site

  71. None

  72. <script src=”https://login.persona.org/include.js”> </script> </body></html>

  73. navigator.id.watch({ loggedInEmail: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

  74. navigator.id.watch({ loggedInUser: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

  75. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

  76. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

  77. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });
  78. None

  79. navigator.id.request()

  80. None
  81. None
  82. None

  83. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });

  84. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });

  85. $ curl -d "assertion=<ASSERTION>& audience=http://123done.org" https://verifier.login.persona.org/verify

  86. $ curl -d "assertion=<ASSERTION>& audience=http://123done.org" https://verifier.login.persona.org/verify

  87. { status: “okay”, audience: “http://123done.org”, expires: 1344849682560, email: “[email protected]”, issuer:

    “login.persona.org” }

  88. { status: “failed”, reason: “assertion has expired” }

  89. None
  90. None
  91. None

  92. navigator.id.logout()

  93. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });
  94. None

  95. 1. load javascript library

  96. 1. load javascript library 2. setup login & logout callbacks

  97. 1. load javascript library 2. setup login & logout callbacks

    3. add login and logout buttons

  98. 1. load javascript library 2. setup login & logout callbacks

    3. add login and logout buttons 4. verify proof of ownership

  99. play with Persona on your site tell us about your

    experience email one site asking for it

  100. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook

    https://developer.mozilla.org/docs/Persona/Libraries_and_plugins http://123done.org/ https://wiki.mozilla.org/Identity#Get_Involved @fmarier http://fmarier.org

  101. © 2012 François Marier <[email protected]> This work is licensed under

    a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Elephant in room: https://secure.flickr.com/photos/bitboy/246805948/ Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/ Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/ Photo credits:

  102. Who's using Persona?