Everybody Hates Passwords - With Persona, Your Site Doesn't Need One.

Transcript

1. Everybody hates passwords (your site doesn't need one) Shane Tomlinson

   shanetomlinson.com — [email protected] — @shane_tomlinson

2. Agenda: Sign-in in 2013 Live demo Live acting Code MFBT!

3. WHY SHOULD I CARE?

4. conversion rate

5. # hits signup

6. # hits signup signup_complete

7. # hits signup signup_complete l o s t cust- omers

8. State of authentication 2013 Photo Courtesy of: Justin Hobson http://commons.wikimedia.org/wiki/File:F5_tornado_Elie_Manitoba_2007.jpg

9. Username: shane.tomlinson Password: **************** X Sign in UX Disaster

10. Username: shane.tomlinson Password: **************** X Sign in Username Collisions

11. Email: [email protected] Password: **************** X Sign in Email Verification

12. Email: [email protected] Password: **************** X Sign in Passwords

13. None

14. bcrypt/scrypt per-user salt site secret password & lockout policies secure

    recovery

15. bcrypt/scrypt per-user salt site secret password & lockout policies secure

    recovery

16. bcrypt/scrypt per-user salt site secret password & lockout policies secure

    recovery

17. bcrypt/scrypt per-user salt site secret password & lockout policies secure

    recovery

18. bcrypt/scrypt per-user salt site secret password & lockout policies secure

    recovery
19. None

20. Call in The Wolf (3rd party auth)

21. 3rd Party Authentication • Eliminate site specific usernames and passwords

22. 3rd Party Authentication • Eliminate site specific usernames and passwords

    • No password database to worry about

23. 3rd Party Authentication • Eliminate site specific usernames and passwords

    • No password database to worry about • No email verification or resets

24. 3rd Party Authentication • Eliminate site specific usernames and passwords

    • No password database to worry about • No email verification or resets • They do security better than you do

25. “social” authentication

26. None

27. Authentication tied to a social graph?

28. No thanks.

29. Button Overload

30. Centralized gatekeepers have control over your customers

31. None
32. None

33. Advantage: decentralized

34. Advantage: decentralized Disadvantages:

35. Advantage: decentralized Disadvantages: Terrible UX

36. Advantage: decentralized Disadvantages: Terrible UX Security is very complicated

37. Advantage: decentralized Disadvantages: Terrible UX Security is very complicated Privacy

    concerns

38. Existing solutions are not good enough

39. None
40. None

41. decentralized

42. privacy-sensitive decentralized

43. privacy-sensitive simple decentralized

44. privacy-sensitive simple open source decentralized

45. (live demo)

46. Persona is easy

47. How Does It Work?

48. (Live Acting)

49. None
50. None
51. None
52. None
53. None
54. None

55. two 2-party transactions + a public key request (browser is

    the mediator)
56. None
57. None
58. None

59. You already understand the concept

60. Photo courtesy of: gerlos http://www.flickr.com/photos/gerlos/3119891607/sizes/o/in/photostream/ Achieving the vision

61. email providers browser vendors Photo courtesy of: Steve Rainwater http://www.flickr.com/photos/steevithak/2876498214/

62. email providers browser vendors Photo courtesy of: Steve Rainwater http://www.flickr.com/photos/steevithak/2876498214/

63. None
64. None

65. fallback identity provider

66. None

67. Support for all email providers

68. Photo courtesy of Kevin Cole http://www.flickr.com/photos/kevcole/4436427104/sizes/o/in/photostream/

69. Seamless first run experience for ~70% of North American market

    (& no verification email)

70. email providers browser vendors Photo courtesy of: Steve Rainwater http://www.flickr.com/photos/steevithak/2876498214/

71. None

72. A Firefox only solution is NOT ENOUGH

73. js <script src=”https://login.persona.org/include.js”></script>

74. support for all modern browsers >= 8

75. support for all modern browsers >= 8

76. A decentralized solution that just works

77. Persona on your site

78. <script src=”https://login.persona.org/include.js”></script> </body></html> Include the shim

79. <script> navigator.id.watch({ signedInUser: <null || [email protected]>, onlogin: function(assertion) { //

    more on this later }, onlogout: function() { window.location = '/logout'; } }); </script> Setup navigator.id.watch

80. <script> … $(“#login”).click(function(evt) { evt.preventDefault(); navigator.id.request(); }); </script> Hook up

    login button

81. <script> … $(“#logout”).click(function(evt) { evt.preventDefault(); navigator.id.logout(); }); </script> Hook up

    logout button

82. signedInUser: <null || [email protected]>, onlogin: function(assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/home'; } ); }, onlogout: function() { Send assertion to backend for verification

83. function onlogin(assertion) { var body = qs.stringify({ assertion: assertion, audience:

    'http://123done.org' }); var request = https.request({ host: 'verifier.login.persona.org', path: '/verify', method: 'POST', headers: { 'content-type': 'application/x-www-form-urlencoded', 'content-length': body.length } }, onVerifyResp); request.write(body); request.end(); } Server side assertion verification

84. { status: “okay”, audience: “http://123done.org”, expires: 1344849682560, email: “[email protected]”, issuer:

    “login.persona.org” } Verifier response – all good

85. { status: “failed”, reason: “assertion has expired” } Verifier response

    – bad jiji

86. 46 Persona Libraries

87. Persona is easy to integrate, no crypto required

88. • Existing solutions are not good enough • Persona is

    easy • A decentralized solution that just works • Persona is easy to integrate, no crypto required

89. You can help! Add Persona to your site Tell us

    about it (good and bad) Ask one site to support Persona

90. RTFM: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook https://developer.mozilla.org/docs/Persona/Libraries_and_plugins http://123done.org/ https://wiki.mozilla.org/Identity#Get_Involved @shane_tomlinson

    https://shanetomlinson.com