Killing Passwords One Site at a Time with Mozilla Persona

There are too many passwords in the world. Mozilla Persona is a fully decentralized, federated, privacy respecting login system that kills passwords one site at a time.

Shane Tomlinson

March 14, 2013

Transcript

  1. UX

  2. bcrypt, per-user salt, site secret, password & lockout policies, secure recovery, 2013 password guidelines
  3. Externalize the Hard Work (3rd party authentication)
     * Eliminate site specific usernames and passwords
     * No password database to worry about

  4. Externalize the Hard Work (3rd party authentication)
     * Eliminate site specific usernames and passwords
     * No password database to worry about
     * No email verification or resets

  5. Externalize the Hard Work (3rd party authentication)
     * Eliminate site specific usernames and passwords
     * No password database to worry about
     * No email verification or resets
     * They have more money to invest in security
  6. My name is François Marier and my email is too long to fit on one line. [private]

  7. My name is François Marier and my email is too long to fit on one line. [public]
  8. js

  9. 1. load javascript library
     2. setup login & logout callbacks
     3. add login and logout buttons
     4. verify proof of ownership

  10. You can help!
      * Add Persona to your site
      * Tell us about it (good and bad)
      * Ask one site to support Persona
  11. Setup navigator.id.watch

      <script>
        navigator.id.watch({
          // null when nobody is signed in, otherwise the signed-in user's email address
          signedInUser: null,
          onlogin: function(assertion) {
            // more on this later
          },
          onlogout: function() {
            window.location = '/logout';
          }
        });
      </script>
  12. Send assertion to backend for verification

      navigator.id.watch({
        // null when nobody is signed in, otherwise the signed-in user's email address
        signedInUser: null,
        onlogin: function(assertion) {
          // hand the assertion to the server; only the server talks to the verifier
          $.post('/login', {assertion: assertion}, function (data) {
            window.location = '/home';
          });
        },
        onlogout: function() {
          window.location = '/logout';
        }
      });
  13. Server side assertion verification

      var https = require('https');
      var qs = require('querystring');

      function onlogin(assertion) {
        // audience is this site's own origin (scheme + host + port); the verifier
        // rejects assertions that were issued for any other audience
        var body = qs.stringify({
          assertion: assertion,
          audience: 'http://123done.org'
        });
        var request = https.request({
          host: 'verifier.login.persona.org',
          path: '/verify',
          method: 'POST',
          headers: {
            'content-type': 'application/x-www-form-urlencoded',
            // byte length, not character count, so non-ASCII bodies are not truncated
            'content-length': Buffer.byteLength(body)
          }
        }, onVerifyResp); // onVerifyResp handles the verifier's JSON response
        request.write(body);
        request.end();
      }
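The slides send the assertion to the verifier but do not show the `onVerifyResp` side: what the server must check in the verifier's JSON before it creates a session. The following is an added example, not code from the talk; the response fields (status, email, audience, expires, issuer) are those documented for verifier.login.persona.org, the sample responses are constructed, and `NOW_MS` stands in for `Date.now()` so the checks are reproducible.

```javascript
// Added example (not from the talk): validating the Persona verifier's response.
var SITE_AUDIENCE = 'http://123done.org';       // the same audience the server POSTed
var NOW_MS = 1363219200000;                     // constructed "now": 2013-03-14T00:00Z

// Constructed sample bodies in the verifier's documented shape.
var SAMPLE_OK = JSON.stringify({
  status: 'okay', email: 'alice@example.com', audience: 'http://123done.org',
  expires: NOW_MS + 120000, issuer: 'login.persona.org'
});
var SAMPLE_FAIL = JSON.stringify({ status: 'failure', reason: 'assertion has expired' });

// Returns the verified email address, or null if no session may be created.
function checkVerifierResponse(jsonText, expectedAudience, nowMs) {
  var resp;
  try {
    resp = JSON.parse(jsonText);
  } catch (e) {
    return null;                                  // malformed body: treat as failure
  }
  if (resp.status !== 'okay') {
    return null;                                  // {"status":"failure","reason":...}
  }
  // The verifier checks the assertion against the audience we sent; confirming
  // the echoed value matches our own origin catches a misconfigured request.
  if (resp.audience !== expectedAudience) {
    return null;
  }
  // expires is milliseconds since the epoch; reject anything already stale.
  if (typeof resp.expires !== 'number' || resp.expires <= nowMs) {
    return null;
  }
  if (typeof resp.email !== 'string' || resp.email.indexOf('@') < 1) {
    return null;
  }
  return resp.email;                              // safe to bind to a session
}

// Builds the https.request callback used on the previous slide: buffer the
// verifier's body, validate it, then report the outcome to `done(emailOrNull)`.
function makeVerifyHandler(done) {
  return function onVerifyResp(res) {
    var chunks = [];
    res.on('data', function (c) { chunks.push(c); });
    res.on('end', function () {
      var text = Buffer.concat(chunks).toString('utf8');
      done(checkVerifierResponse(text, SITE_AUDIENCE, Date.now()));
    });
  };
}
```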