You're still using passwords on your site?

A few people like to say that passwords are dead, but the reality is far from it. First of all, we can’t get rid of passwords entirely, because the alternatives all suck: physical tokens are easy to lose and retina scans are pretty creepy. What we should focus on is eliminating site-specific passwords.

Mozilla Persona was introduced at OSDC last year, and a number of new things have been added to it since. More importantly, it’s still the best shot we have at a decentralized web-wide identity system that works for average users and doesn’t violate their privacy.

So I’m back to show you what’s new and to talk about what organizations can gain from adding native support on their domain. It’s time to solve the password problem on the web.


Francois Marier

October 21, 2013

Transcript

  1. François Marier – @fmarier: You’re still using passwords on your site?

  12. problem #1: passwords are hard to secure

  13-18. bcrypt / scrypt / pbkdf2, per-user salt, site secret, password & lockout policies, secure recovery (2013 password guidelines)

  19. passwords are hard to secure: they are a liability

  20. ALTER TABLE user DROP COLUMN password;

  21. problem #2: passwords are hard to remember

  24-25. pick an easy password, use it everywhere

  26. passwords are hard to remember: they need to be reset

  28. control email account = control all accounts

  30. “People want a little dating before marriage.” Eric Vishria – Rockmelt

  32. decentralised

  33. myid.com/u/francois

  36. privacy

  37. existing login systems are not good enough

  38-41. ideal web-wide identity system


  42. what if it were a standard part of the web browser?

  44. how does it work?

  45. fmarier@gmail.com

  46. why email addresses?

  47-52. why email addresses? already federated; people know their email; natural association between person & email; easy to have separate identities; most sites need a way to contact users; no lock-in

  53. fmarier@gmail.com

  54. demo #1: http://www.voo.st/ http://bornthiswayfoundation.org fmariertest@eyedee.me

  55. Persona is already a decentralised system

  56-61. SMS with PIN codes, Jabber / XMPP, Yubikeys, LDAP accounts, client certificates, password-wrapped secret key:
         { "public-key": { "algorithm": "RS", "n": "685484565272...", "e": "65537" },
           "encrypted-private-key": { "iv": "tmg7gztUQT...", "salt": "JMtGwlF5UWY", "ct": "8DdOjD1IA1..." },
           "authentication": "...",
           "provisioning": "..." }

  62. decentralisation is the answer, but it's not a product adoption strategy

  63. we can't wait for all browsers to adopt Persona

  64. navigator.id.*

  68. we can't wait for all browsers to adopt Persona; solution: a temporary javascript shim

  69. goal: trusted code running in the browser

  70. login.persona.org

  71. localStorage
      localStorage.setItem("key", serializedKey);
      var serializedKey = localStorage.getItem("key");

  72. storage tied to login.persona.org

  73. window.postMessage()

  74. https://login.persona.org localStorage postMessage

  75. Persona supports all modern browsers >= 8

  76-77. we can't wait for all domains to adopt Persona; solution: a temporary centralised fallback

  78. demo #2: http://sloblog.io/ fmariertest@aol.com

  79. Persona already works with all email domains

  80. identity bridging

  81. demo #3: http://www.reasonwell.com/ fmariertest@yahoo.com

  84. Persona works everywhere

  85. lessons learned

  86. #1: user testing is critical

  90. #2: nobody wants to be first

  91. “how many users does Persona have?”

  93. 700,000,000

  94. #3: if a problem has been around for a while, it's probably a hard one

  95. see if you can solve part of the problem

  96. $ ssh francois@myserver.com
      francois@myserver.com's password:

  98. Persona is a simple sign-in solution for the web

  99. how simple is it for developers?

  101. <script src="https://login.persona.org/include.js"></script>
       </body></html>

  102-103. navigator.id.watch({
             loggedInUser: "francois@mozilla.com",
             onlogin: function (assertion) {
               $.post('/login', {assertion: assertion},
                 function (data) { // do something }
               );
             },
             onlogout: function () { window.location = '/logout'; }
           });

  104-106. navigator.id.watch({
             loggedInUser: null,
             onlogin: function (assertion) {
               $.post('/login', {assertion: assertion},
                 function (data) { window.location = '/'; }
               );
             },
             onlogout: function () { window.location = '/logout'; }
           });

  108. navigator.id.request()

  113. eyJhbGciOiJEUzEyOCJ9.eyJwdWJsaWMta2V5Ijp7ImFsZ29yaXRobSI6IkRTIiwieSI6ImNhZDg2ZDgyNWU0MjBkMGI4Njk5MjM4ZDM5ZTFjYjIyOGMyMTk1NWFiMzcwOTQ1YzExNzBhMzM4NjcyNDM0ZDJmNGYxZDg5ZjFkZjMzNmU1ZjZjZjk2YjhiOTlmMjgyNmFjNTYxZmI1YWMyYTc4ZjNhMzBkNGYxNTVhYjc3ZGExYmY3MWU4ZGMzNjQ0MmU2NjQ3MmE5Mjg0N2I2YjFlNDRkMTJlM2IwMjVjOWZmNTFmNDdhMWE5ZWYyMGZhOTVjMTcxZjBkMTYzNGE4ZTY4YTk5NWU3ZjFjY2FiYTJlOTRjYTI3ODE1ZWVkMTcxYjY1YTJmZGQzNTE1NjY3OTI0ZjUiLCJwIjoiZmY2MDA0ODNkYjZhYmZjNWI0NWVhYjc4NTk0YjM1MzNkNTUwZDlmMWJmMmE5OTJhN2E4ZGFhNmRjMzRmODA0NWFkNGU2ZTBjNDI5ZDMzNGVlZWFhZWZkN2UyM2Q0ODEwYmUwMGU0Y2MxNDkyY2JhMzI1YmE4MWZmMmQ1YTViMzA1YThkMTdlYjNiZjRhMDZhMzQ5ZDM5MmUwMGQzMjk3NDRhNTE3OTM4MDM0NGU4MmExOGM0NzkzMzQzOGY4OTFlMjJhZWVmODEyZDY5YzhmNzVlMzI2Y2I3MGVhMDAwYzNmNzc2ZGZkYmQ2MDQ2MzhjMmVmNzE3ZmMyNmQwMmUxNyIsInEiOiJlMjFlMDRmOTExZDFlZDc5OTEwMDhlY2FhYjNiZjc3NTk4NDMwOWMzIiwiZyI6ImM1MmE0YTBmZjNiN2U2MWZkZjE4NjdjZTg0MTM4MzY5YTYxNTRmNGFmYTkyOTY2ZTNjODI3ZTI1Y2ZhNmNmNTA4YjkwZTVkZTQxOWUxMzM3ZTA3YTJlOWUyYTNjZDVkZWE3MDRkMTc1ZjhlYmY2YWYzOTdkNjllMTEwYjk2YWZiMTdjN2EwMzI1OTMyOWU0ODI5YjBkMDNiYmM3ODk2YjE1YjRhZGU1M2UxMzA4NThjYzM0ZDk2MjY5YWE4OTA0MWY0MDkxMzZjNzI0MmEzODg5NWM5ZDViY2NhZDRmMzg5YWYxZDdhNGJkMTM5OGJkMDcyZGZmYTg5NjIzMzM5N2EifSwicHJpbmNpcGFsIjp7ImVtYWlsIjoiZm9vQG1vY2tteWlkLmNvbSJ9LCJpYXQiOjEzNzY1MzY0NjM1MTgsImV4cCI6MTM3NjU0MDA2MzUxOCwiaXNzIjoibW9ja215aWQuY29tIn0.IeUR0_3ayAZkdNSXjF4aaCwSHnHa4X1lzrjX-qkNcPIbXx1hmQQPwg~eyJhbGciOiJEUzEyOCJ9.eyJleHAiOjEzNzY1MzY3MDc2MzUsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3QifQ.NJ8H1qZcWXbXfPJSdgB_mORHQ442ZkY0XYfdQsZZsIjooG7k7qWyVw

  114. navigator.id.watch({
         loggedInUser: null,
         onlogin: function (assertion) {
           $.post('/login', {assertion: assertion},
             function (data) { window.location = '/home'; }
           );
         },
         onlogout: function () { window.location = '/logout'; }
       });

  115. require_once('Auth/BrowserID.php');
       $verifier = new Auth_BrowserID('http://123done.org');
       $result = $verifier->verifyAssertion($_POST['assertion']);

  116. { status: "okay", audience: "http://123done.org", expires: 1344849682560, email: "francois@mozilla.com", issuer: "login.persona.org" }

  117. require_once('Auth/BrowserID.php');
       $verifier = new Auth_BrowserID('http://123done.org');
       $result = $verifier->verifyAssertion($_POST['assertion']);
       if ($result->status === 'okay') {
         echo "Hi " . $result->email;
       } else {
         echo "Error: " . $result->reason;
       }

  118. { status: "failed", reason: "assertion has expired" }

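The status/reason objects on slides 116 and 118 are what the verifier hands back to the site. The following is an added example (mine, not the talk's code and not Mozilla's verifier service) that decodes a backed assertion of the form shown on slide 113 (identity certificate ~ assertion, each a base64url header.payload.signature triple) and applies the audience and expiry checks locally, returning objects of the same shape. It deliberately does not check the signatures, which require the issuer's key from its /.well-known/browserid document, so it is a structural and policy check, not a replacement for the verifier. SAMPLE_BUNDLE, SAMPLE_NOW and makeBundle are constructed for the demo; the field names (principal.email, iss, exp, aud) are the ones slide 113's assertion decodes to.

```javascript
// Added example, not from the slides: decode a Persona backed assertion and
// apply the verifier's audience/expiry/issuer policy checks. No signature
// verification is done here (that needs the issuer's published key).

function b64urlDecode(s) {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64').toString('utf8');
}

function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split "header.payload.signature" and parse the JSON payload.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Policy checks mirroring the {status, reason} responses on the slides.
// `now` is in milliseconds, as the exp/iat values in the assertion are.
function checkBackedAssertion(bundle, expectedAudience, now = Date.now(), fallbackIssuer = 'login.persona.org') {
  let cert, assertion;
  try {
    const [certTok, assertTok] = bundle.split('~');
    if (!assertTok) throw new Error('no assertion part');
    cert = decodeJwtPayload(certTok);
    assertion = decodeJwtPayload(assertTok);
  } catch (e) {
    return { status: 'failed', reason: 'malformed assertion' };
  }
  // The audience binds the assertion to one site, so a token captured by
  // site A cannot be replayed against site B.
  if (assertion.aud !== expectedAudience) return { status: 'failed', reason: 'audience mismatch' };
  if (!(assertion.exp > now)) return { status: 'failed', reason: 'assertion has expired' };
  if (!(cert.exp > now)) return { status: 'failed', reason: 'certificate has expired' };
  const email = cert.principal && cert.principal.email;
  if (typeof email !== 'string' || !email.includes('@')) return { status: 'failed', reason: 'no principal email' };
  // Only the email's own domain (or the centralised fallback) may vouch for it.
  const domain = email.slice(email.lastIndexOf('@') + 1).toLowerCase();
  if (cert.iss !== domain && cert.iss !== fallbackIssuer) {
    return { status: 'failed', reason: 'issuer not authoritative for ' + domain };
  }
  return { status: 'okay', audience: assertion.aud, expires: assertion.exp, email, issuer: cert.iss };
}

// Constructed bundle with dummy (unverified) signature parts, for the demo.
function makeBundle(certPayload, assertionPayload) {
  const header = b64urlEncode({ alg: 'DS128' });
  return `${header}.${b64urlEncode(certPayload)}.sig~${header}.${b64urlEncode(assertionPayload)}.sig`;
}

const SAMPLE_NOW = 1376536600000;  // constructed timestamp (ms)
const SAMPLE_BUNDLE = makeBundle(
  { 'public-key': { algorithm: 'DS' }, principal: { email: 'foo@mockmyid.com' },
    iat: SAMPLE_NOW - 60000, exp: SAMPLE_NOW + 3600000, iss: 'mockmyid.com' },
  { exp: SAMPLE_NOW + 120000, aud: 'http://localhost' }
);
```

The order of the checks matters for the reasons a site sees: an assertion replayed against the wrong origin fails on audience before anything else, and the short-lived assertion expiry (two minutes in the constructed sample) is what turns a leaked token into a stale one quickly.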
  122. navigator.id.logout()

  125-129. 1. load javascript library
           2. setup login & logout callbacks
           3. add login and logout buttons
           4. verify proof of ownership
           no API key needed

  130. how simple is it for domain owners?

  131-135. https://eyedee.me/.well-known/browserid:
           { "public-key": { "algorithm": "RS", "n": "8606...", "e": "65537" },
             "authentication": "/browserid/sign_in.html",
             "provisioning": "/browserid/provision.html" }

  136-139. 1. check for your /.well-known/browserid
           2. try the provisioning endpoint
           3. show the authentication page
           4. call the provisioning endpoint again

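Before step 2 of the flow above can run, the browser has to decide whether the support document it fetched in step 1 is usable. The following added example (mine, not the talk's code and not Mozilla's implementation) validates a /.well-known/browserid document of the shape shown on slides 131-135 and resolves its two endpoints. The key-shape checks cover both the RS (n, e) form on the slide and the DS (y, p, q, g) form that slide 113's certificate carries; SAMPLE_SUPPORT_DOC is constructed with a truncated modulus.

```javascript
// Added example, not from the slides: validate a domain's
// /.well-known/browserid support document before treating that domain as
// the identity provider for its own email addresses.

// Constructed sample, same shape as the eyedee.me document on the slide
// (modulus truncated, as on the slide).
const SAMPLE_SUPPORT_DOC = {
  'public-key': { algorithm: 'RS', n: '8606', e: '65537' },
  authentication: '/browserid/sign_in.html',
  provisioning: '/browserid/provision.html',
};

// Required numeric fields per key algorithm.
const KEY_FIELDS = { RS: ['n', 'e'], DS: ['y', 'p', 'q', 'g'] };

// Key material is transported as decimal or hex digit strings.
function isNumericString(v) {
  return typeof v === 'string' && v.length > 0 && /^[0-9a-f]+$/i.test(v);
}

// Endpoints must be absolute paths on the provider's own origin: no scheme,
// no host and no protocol-relative "//" prefix, so a document cannot send
// the browser's provisioning or sign-in step to a third party.
function isSameOriginPath(p) {
  return typeof p === 'string' && p.startsWith('/') && !p.startsWith('//');
}

// Returns { ok: true, authenticationUrl, provisioningUrl } or { ok: false, reason }.
function validateSupportDocument(domain, doc) {
  if (!doc || typeof doc !== 'object') return { ok: false, reason: 'document is not a JSON object' };
  const key = doc['public-key'];
  if (!key || typeof key !== 'object') return { ok: false, reason: 'missing public-key' };
  const fields = KEY_FIELDS[key.algorithm];
  if (!fields) return { ok: false, reason: 'unsupported key algorithm: ' + key.algorithm };
  for (const f of fields) {
    if (!isNumericString(key[f])) return { ok: false, reason: `public-key.${f} must be a numeric string` };
  }
  for (const name of ['authentication', 'provisioning']) {
    if (!isSameOriginPath(doc[name])) return { ok: false, reason: `${name} must be an absolute path on ${domain}` };
  }
  // The document is only ever fetched over https, so endpoints resolve there too.
  const origin = `https://${domain}`;
  return {
    ok: true,
    authenticationUrl: origin + doc.authentication,
    provisioningUrl: origin + doc.provisioning,
  };
}
```

Rejecting off-origin endpoints is the check that keeps the trust boundary where the slide puts it: the domain that owns the email address, and nobody else, runs the pages that vouch for it.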
  140. one small request

  142. building a new site: default to Persona

  143. working on an existing site/app: add support for Persona

  144. before

  145. after

  146. after navigator.id.request()

  148. ALTER TABLE user DROP COLUMN password;

  149. To learn more about Persona:
       https://login.persona.org/
       http://identity.mozilla.com/
       https://developer.mozilla.org/docs/Persona/Why_Persona
       https://developer.mozilla.org/docs/Persona/Quick_Setup
       https://github.com/mozilla/browserid-cookbook
       https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
       https://wiki.mozilla.org/Identity#Get_Involved
       @fmarier http://fmarier.org

  150. © 2013 François Marier <francois@mozilla.com>
       This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.
       Photo credits:
       Laptop password: https://secure.flickr.com/photos/reidrac/4696900602/
       Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
       Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/
       Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
       Yubikey: https://secure.flickr.com/photos/knk/3379897261/
       Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/