Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Everybody Hates Passwords - With Persona, Your Site Doesn't Need One.

Shane Tomlinson
April 24, 2013
Programming
2
570

Everybody Hates Passwords - With Persona, Your Site Doesn't Need One.

Slides for the Persona talk I was to give at Front Trends in Warsaw, but had to pull out of at the last moment.

Shane Tomlinson

April 24, 2013
Tweet

More Decks by Shane Tomlinson

See All by Shane Tomlinson
Killing Passwords One Site at a Time with Mozilla Persona
shanetomlinson
0
260

Other Decks in Programming

See All in Programming
Code Reviews
bkuhlmann
4
890
Git Lint
bkuhlmann
4
750
Milestoner
bkuhlmann
1
410
0→1と1→10の狭間で Javaという技術選定を振り返る/Reflecting on the Decision to Choose Java Between Scaling from 0 to 1 and 1 to 10
jaguar_imo
2
380
GitHub Copilotのススメ
marcy731
0
190
CQRS/ES avec Symfony, c’est (trop) bien !
jeremyfreeagent
1
640
スキーマ駆動開発による品質とスピードの両立 - 私達は何故、スキーマを書くのか
kentaroutakeda
0
160
効率化に挑戦してみたらモバイル開発が少し快適になった話
ryunakayama
0
120
Amazon SQSコンシューマー疎結合への旅 - 出張! #DevelopersIO IT技術ブログの中の人が語る勉強会 #3
quiver
0
220
冗長なエラーログを削減し、スタックトレースを手に入れる / Reducing Verbose Error Logs and Obtaining Stack Traces
upamune
0
220
Java 22 Overview
kishida
1
180
Changed Rules: Architectures with Lightweight Stores
manfredsteyer
PRO
0
240

Featured

See All Featured
Gamification - CAS2011
davidbonilla
76
4.6k
Principles of Awesome APIs and How to Build Them.
keavy
120
16k
How GitHub (no longer) Works
holman
304
140k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
115
18k
Building Better People: How to give real-time feedback that sticks.
wjessup
354
18k
Agile that works and the tools we love
rasmusluckow
324
20k
Automating Front-end Workflow
addyosmani
1355
200k
Making Projects Easy
brettharned
108
5.5k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3k
Designing Experiences People Love
moore
136
23k
Bootstrapping a Software Product
garrettdimon
PRO
301
110k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
16k

Transcript

  1. Everybody hates passwords (your site doesn't need one) Shane Tomlinson

    shanetomlinson.com — [email protected] — @shane_tomlinson

  2. Agenda: Sign-in in 2013 Live demo Live acting Code MFBT!

  3. WHY SHOULD I CARE?

  4. conversion rate

  5. # hits signup

  6. # hits signup signup_complete

  7. # hits signup signup_complete l o s t cust- omers

  8. State of authentication 2013 Photo Courtesy of: Justin Hobson http://commons.wikimedia.org/wiki/File:F5_tornado_Elie_Manitoba_2007.jpg

  9. Username: shane.tomlinson Password: **************** X Sign in UX Disaster

  10. Username: shane.tomlinson Password: **************** X Sign in Username Collisions

  11. Email: [email protected] Password: **************** X Sign in Email Verification

  12. Email: [email protected] Password: **************** X Sign in Passwords

  13. None

  14. bcrypt/scrypt per-user salt site secret password & lockout policies secure

    recovery

  15. bcrypt/scrypt per-user salt site secret password & lockout policies secure

    recovery

  16. bcrypt/scrypt per-user salt site secret password & lockout policies secure

    recovery

  17. bcrypt/scrypt per-user salt site secret password & lockout policies secure

    recovery

  18. bcrypt/scrypt per-user salt site secret password & lockout policies secure

    recovery
  19. None

  20. Call in The Wolf (3rd party auth)

  21. 3rd Party Authentication • Eliminate site specific usernames and passwords

  22. 3rd Party Authentication • Eliminate site specific usernames and passwords

    • No password database to worry about

  23. 3rd Party Authentication • Eliminate site specific usernames and passwords

    • No password database to worry about • No email verification or resets

  24. 3rd Party Authentication • Eliminate site specific usernames and passwords

    • No password database to worry about • No email verification or resets • They do security better than you do

  25. “social” authentication

  26. None

  27. Authentication tied to a social graph?

  28. No thanks.

  29. Button Overload

  30. Centralized gatekeepers have control over your customers

  31. None
  32. None

  33. Advantage: decentralized

  34. Advantage: decentralized Disadvantages:

  35. Advantage: decentralized Disadvantages: Terrible UX

  36. Advantage: decentralized Disadvantages: Terrible UX Security is very complicated

  37. Advantage: decentralized Disadvantages: Terrible UX Security is very complicated Privacy

    concerns

  38. Existing solutions are not good enough

  39. None
  40. None

  41. decentralized

  42. privacy-sensitive decentralized

  43. privacy-sensitive simple decentralized

  44. privacy-sensitive simple open source decentralized

  45. (live demo)

  46. Persona is easy

  47. How Does It Work?

  48. (Live Acting)

  49. None
  50. None
  51. None
  52. None
  53. None
  54. None

  55. two 2-party transactions + a public key request (browser is

    the mediator)
  56. None
  57. None
  58. None

  59. You already understand the concept

  60. Photo courtesy of: gerlos http://www.flickr.com/photos/gerlos/3119891607/sizes/o/in/photostream/ Achieving the vision

  61. email providers browser vendors Photo courtesy of: Steve Rainwater http://www.flickr.com/photos/steevithak/2876498214/

  62. email providers browser vendors Photo courtesy of: Steve Rainwater http://www.flickr.com/photos/steevithak/2876498214/

  63. None
  64. None

  65. fallback identity provider

  66. None

  67. Support for all email providers

  68. Photo courtesy of Kevin Cole http://www.flickr.com/photos/kevcole/4436427104/sizes/o/in/photostream/

  69. Seamless first run experience for ~70% of North American market

    (& no verification email)

  70. email providers browser vendors Photo courtesy of: Steve Rainwater http://www.flickr.com/photos/steevithak/2876498214/

  71. None

  72. A Firefox only solution is NOT ENOUGH

  73. js <script src=”https://login.persona.org/include.js”></script>

  74. support for all modern browsers >= 8

  75. support for all modern browsers >= 8

  76. A decentralized solution that just works

  77. Persona on your site

  78. <script src=”https://login.persona.org/include.js”></script> </body></html> Include the shim

  79. <script> navigator.id.watch({ signedInUser: <null || [email protected]>, onlogin: function(assertion) { //

    more on this later }, onlogout: function() { window.location = '/logout'; } }); </script> Setup navigator.id.watch

  80. <script> … $(“#login”).click(function(evt) { evt.preventDefault(); navigator.id.request(); }); </script> Hook up

    login button

  81. <script> … $(“#logout”).click(function(evt) { evt.preventDefault(); navigator.id.logout(); }); </script> Hook up

    logout button

  82. signedInUser: <null || [email protected]>, onlogin: function(assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/home'; } ); }, onlogout: function() { Send assertion to backend for verification

  83. function onlogin(assertion) { var body = qs.stringify({ assertion: assertion, audience:

    'http://123done.org' }); var request = https.request({ host: 'verifier.login.persona.org', path: '/verify', method: 'POST', headers: { 'content-type': 'application/x-www-form-urlencoded', 'content-length': body.length } }, onVerifyResp); request.write(body); request.end(); } Server side assertion verification

  84. { status: “okay”, audience: “http://123done.org”, expires: 1344849682560, email: “[email protected]”, issuer:

    “login.persona.org” } Verifier response – all good

  85. { status: “failed”, reason: “assertion has expired” } Verifier response

    – bad jiji

  86. 46 Persona Libraries

  87. Persona is easy to integrate, no crypto required

  88. • Existing solutions are not good enough • Persona is

    easy • A decentralized solution that just works • Persona is easy to integrate, no crypto required

  89. You can help! Add Persona to your site Tell us

    about it (good and bad) Ask one site to support Persona

  90. RTFM: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook https://developer.mozilla.org/docs/Persona/Libraries_and_plugins http://123done.org/ https://wiki.mozilla.org/Identity#Get_Involved @shane_tomlinson

    https://shanetomlinson.com