
Everybody Hates Passwords - With Persona, Your Site Doesn't Need One.


Slides for the Persona talk I was to give at Front Trends in Warsaw, but had to pull out of at the last moment.


Shane Tomlinson

April 24, 2013

Transcript

  1. Everybody hates passwords (your site doesn't need one) Shane Tomlinson

    shanetomlinson.com — stomlinson@mozilla.com — @shane_tomlinson
  2. Agenda: Sign-in in 2013 Live demo Live acting Code MFBT!

  3. WHY SHOULD I CARE?

  4. conversion rate

  5. Funnel: # hits → signup → signup_complete (what drops out between the steps is lost customers)

  8. State of authentication 2013 Photo Courtesy of: Justin Hobson http://commons.wikimedia.org/wiki/File:F5_tornado_Elie_Manitoba_2007.jpg

  9. [sign-in form: Username: shane.tomlinson, Password: ****************, Sign in] UX Disaster

  10. [sign-in form: Username: shane.tomlinson, Password: ****************, Sign in] Username Collisions

  11. [sign-in form: Email: shane.tomlinson@eyedee.me, Password: ****************, Sign in] Email Verification

  12. [sign-in form: Email: shane.tomlinson@eyedee.me, Password: ****************, Sign in] Passwords

  14. • bcrypt/scrypt
    • per-user salt
    • site secret
    • password & lockout policies
    • secure recovery
  20. Call in The Wolf (3rd party auth)

  21. 3rd Party Authentication
    • Eliminate site specific usernames and passwords
    • No password database to worry about
    • No email verification or resets
    • They do security better than you do
  25. “social” authentication

  27. Authentication tied to a social graph?

  28. No thanks.

  29. Button Overload

  30. Centralized gatekeepers have control over your customers

  33. Advantage: decentralized
    Disadvantages:
    • Terrible UX
    • Security is very complicated
    • Privacy concerns
  38. Existing solutions are not good enough

  41. decentralized · privacy-sensitive · simple · open source

  45. (live demo)

  46. Persona is easy

  47. How Does It Work?

  48. (Live Acting)

  55. two 2-party transactions + a public key request (browser is the mediator)
  59. You already understand the concept

  60. Achieving the vision (Photo courtesy of: gerlos http://www.flickr.com/photos/gerlos/3119891607/sizes/o/in/photostream/)

  61. email providers browser vendors Photo courtesy of: Steve Rainwater http://www.flickr.com/photos/steevithak/2876498214/

  65. fallback identity provider

  67. Support for all email providers

  68. Photo courtesy of Kevin Cole http://www.flickr.com/photos/kevcole/4436427104/sizes/o/in/photostream/

  69. Seamless first run experience for ~70% of North American market (& no verification email)
  70. email providers browser vendors Photo courtesy of: Steve Rainwater http://www.flickr.com/photos/steevithak/2876498214/

  72. A Firefox only solution is NOT ENOUGH

  73. <script src="https://login.persona.org/include.js"></script>

  74. support for all modern browsers >= 8

  76. A decentralized solution that just works

  77. Persona on your site

  78. Include the shim
    <script src="https://login.persona.org/include.js"></script>
    </body></html>

  79. Setup navigator.id.watch
    <script>
    navigator.id.watch({
      // the email your server-side session says is signed in, or null if nobody is
      signedInUser: null,
      onlogin: function (assertion) {
        // more on this later
      },
      onlogout: function () {
        window.location = '/logout';
      }
    });
    </script>
  80. Hook up login button
    <script>
    …
    $("#login").click(function (evt) {
      evt.preventDefault();
      navigator.id.request();
    });
    </script>
  81. Hook up logout button
    <script>
    …
    $("#logout").click(function (evt) {
      evt.preventDefault();
      navigator.id.logout();
    });
    </script>
  82. Send assertion to backend for verification
    signedInUser: null,   // or the signed-in user's email, as on slide 79
    onlogin: function (assertion) {
      $.post('/login', { assertion: assertion }, function (data) {
        window.location = '/home';
      }).fail(function () {
        // backend rejected the assertion: tell the shim, or it keeps calling onlogin
        navigator.id.logout();
      });
    },
    onlogout: function () {
      window.location = '/logout';
    }
  83. Server side assertion verification
    var https = require('https');
    var qs = require('querystring');

    function onlogin(assertion) {
      var body = qs.stringify({
        assertion: assertion,
        audience: 'http://123done.org'   // your own origin, hardcoded
      });
      var request = https.request({
        host: 'verifier.login.persona.org',
        path: '/verify',
        method: 'POST',
        headers: {
          'content-type': 'application/x-www-form-urlencoded',
          'content-length': Buffer.byteLength(body)   // bytes, not characters
        }
      }, onVerifyResp);
      request.write(body);
      request.end();
    }

    // Collect the verifier's JSON reply; the two shapes it takes are on the next slides.
    function onVerifyResp(res) {
      var data = '';
      res.setEncoding('utf8');
      res.on('data', function (chunk) { data += chunk; });
      res.on('end', function () {
        var result = JSON.parse(data);
        // result.status === 'okay' means result.email is verified for this audience
      });
    }
  84. Verifier response – all good
    {
      "status": "okay",
      "audience": "http://123done.org",
      "expires": 1344849682560,
      "email": "stomlinson@mozilla.com",
      "issuer": "login.persona.org"
    }
  85. Verifier response – bad juju
    {
      "status": "failed",
      "reason": "assertion has expired"
    }
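What the backend should do with those two responses before it creates a session, as an added example that is not the deck's code: the function name and return shape are this example's own, and the two bodies are the slide's responses reconstructed as strings. Note that the audience is hardcoded, as in the deck's onlogin(): if it were taken from the request's Host header instead, an assertion the user had generated for some other site could be submitted here with that site's name in the Host header and would verify.

```javascript
// Added example, not from the deck: the relying party's checks on the verifier's
// JSON before a session is created. Response bodies are the slide's, constructed
// here as strings; acceptVerifierResponse and its return shape are this example's own.
const AUDIENCE = 'http://123done.org';   // your site's scheme://host[:port], hardcoded

const okayResponse = JSON.stringify({
  status: 'okay', audience: 'http://123done.org', expires: 1344849682560,
  email: 'stomlinson@mozilla.com', issuer: 'login.persona.org',
});
const failedResponse = JSON.stringify({ status: 'failed', reason: 'assertion has expired' });

// Returns { ok: true, email, issuer } when a session may be created for email,
// otherwise { ok: false, reason }. now is milliseconds since the epoch, like expires.
function acceptVerifierResponse(body, expectedAudience, now) {
  let r;
  try {
    r = JSON.parse(body);
  } catch (e) {
    return { ok: false, reason: 'verifier returned non-JSON' };   // e.g. a proxy error page
  }
  if (r.status !== 'okay') return { ok: false, reason: r.reason || 'verification failed' };
  // Defence in depth: the verifier compared the audience to the one we sent, but a
  // response naming any other origin must never log someone in here.
  if (r.audience !== expectedAudience) return { ok: false, reason: 'audience mismatch: ' + r.audience };
  if (typeof r.expires !== 'number' || r.expires <= now) return { ok: false, reason: 'assertion has expired' };
  if (typeof r.email !== 'string' || r.email.indexOf('@') < 1) return { ok: false, reason: 'no verified email' };
  return { ok: true, email: r.email, issuer: r.issuer };
}
```

Only after ok is true does the backend look up or create the account for email and set its own session cookie; nothing in the assertion itself is ever trusted directly, which is what "no crypto required" on the later slide means for the relying party.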
  86. 46 Persona Libraries

  87. Persona is easy to integrate, no crypto required

  88. • Existing solutions are not good enough
    • Persona is easy
    • A decentralized solution that just works
    • Persona is easy to integrate, no crypto required
  89. You can help!
    • Add Persona to your site
    • Tell us about it (good and bad)
    • Ask one site to support Persona
  90. RTFM:
    https://login.persona.org/
    http://identity.mozilla.com/
    https://developer.mozilla.org/docs/Persona/Why_Persona
    https://developer.mozilla.org/docs/Persona/Quick_Setup
    https://github.com/mozilla/browserid-cookbook
    https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
    http://123done.org/
    https://wiki.mozilla.org/Identity#Get_Involved
    @shane_tomlinson
    https://shanetomlinson.com