Killing Passwords One Site at a Time with Mozilla Persona

Transcript

1. François Marier @fmarier Killing Passwords One Site at a Time

   with Shane Tomlinson @shane_tomlinson

2. Agenda: Sign-in in 2013 Live demo Live acting Live coding

   Beer!

3. Email: [email protected] Password: **************** X Sign in Roll Your Own

4. UX

5. conversion rate

6. # hits signup

7. # hits signup signup_complete

8. # hits signup signup_complete l o s t cust- omers

9. Security

10. None

11. bcrypt per-user salt site secret password & lockout policies secure

    recovery

12. bcrypt per-user salt site secret password & lockout policies secure

    recovery

13. bcrypt per-user salt site secret password & lockout policies secure

    recovery

14. bcrypt per-user salt site secret password & lockout policies secure

    recovery

15. bcrypt per-user salt site secret password & lockout policies secure

    recovery

16. bcrypt per-user salt site secret password & lockout policies secure

    recovery 2013 2013 password password guidelines guidelines
17. None

18. Externalize the Hard Work (3rd party authentication)

19. Externalize the Hard Work (3rd party authentication) * Eliminate site

    specific usernames and passwords

20. Externalize the Hard Work (3rd party authentication) * Eliminate site

    specific usernames and passwords * No password database to worry about

21. Externalize the Hard Work (3rd party authentication) * Eliminate site

    specific usernames and passwords * No password database to worry about * No email verification or resets

22. Externalize the Hard Work (3rd party authentication) * Eliminate site

    specific usernames and passwords * No password database to worry about * No email verification or resets * They have more money to invest in security

23. “social” authentication

24. None
25. None
26. None

27. Button overload

28. Centralized gatekeepers can delete your customers

29. None
30. None

31. Advantage: decentralized

32. Advantage: decentralized Disadvantages:

33. Advantage: decentralized Disadvantages: UX worse than passwords

34. Advantage: decentralized Disadvantages: UX worse than passwords Security is very

    complicated

35. Advantage: decentralized Disadvantages: UX worse than passwords Security is very

    complicated Privacy concerns

36. Existing solutions are not good enough

37. None

38. decentralized

39. privacy-sensitive decentralized

40. privacy-sensitive simple decentralized

41. privacy-sensitive simple open source decentralized

42. What does it look like?

43. (live demo)

44. Persona is easy

45. How does it work?

46. <digital signatures 101>

47. private public

48. public

49. My name is François Marier and my email is too

    long to fit on one line.

50. My name is François Marier and my email is too

    long to fit on one line. private

51. My name is François Marier and my email is too

    long to fit on one line. public

52. sign verify

53. </digital signatures 101>

54. (Live Acting)

55. None
56. None
57. None
58. None
59. None
60. None

61. achieving the vision

62. None

63. email providers browser vendors

64. email providers

65. [email protected]

66. [email protected]

67. fallback identity provider

68. None
69. None
70. None

71. persona.org account

72. support for all email providers

73. browser vendors

74. navigator.id.*

75. None
76. None
77. None

78. js

79. support for all modern browsers >= 8

80. support for all modern browsers >= 8

81. A decentralized solution that just worksTM

82. How can I use it on my site?

83. (Live Coding)

84. 1. load javascript library

85. 1. load javascript library 2. setup login & logout callbacks

86. 1. load javascript library 2. setup login & logout callbacks

    3. add login and logout buttons

87. 1. load javascript library 2. setup login & logout callbacks

    3. add login and logout buttons 4. verify proof of ownership

88. Persona is easy to integrate, no crypto required.

89. You can help! Add Persona to your site Tell us

    about it (good and bad) Ask one site to support Persona

90. Think of the children!

91. RTFM: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook https://developer.mozilla.org/docs/Persona/Libraries_and_plugins http://123done.org/ https://wiki.mozilla.org/Identity#Get_Involved http://fmarier.org

    @fmarier @shane_tomlinson https://shanetomlinson.com

92. Using Persona on your site

93. <script src=”https://login.persona.org/include.js”> </script> </body></html> Include the shim

94. <script> navigator.id.watch({ signedInUser: <null || [email protected]>, onlogin: function(assertion) { //

    more on this later }, onlogout: function() { window.location = '/logout'; } }); </script> Setup navigator.id.watch

95. <script> … $(“#login”).click(function(evt) { evt.preventDefault(); navigator.id.request(); }); </script> Hook up

    login button

96. <script> … $(“#logout”).click(function(evt) { evt.preventDefault(); navigator.id.logout(); }); </script> Hook up

    logout button

97. signedInUser: <null || [email protected]>, onlogin: function(assertion) { $.post('/login', {assertion: assertion},

    function (data) { window.location = '/home'; } ); }, onlogout: function() { Send assertion to backend for verification

98. function onlogin(assertion) { var body = qs.stringify({ assertion: assertion, audience:

    'http://123done.org' }); var request = https.request({ host: 'verifier.login.persona.org', path: '/verify', method: 'POST', headers: { 'content-type': 'application/x-www-form-urlencoded', 'content-length': body.length } }, onVerifyResp); request.write(body); request.end(); } Server side assertion verification

99. { status: “okay”, audience: “http://123done.org”, expires: 1344849682560, email: “[email protected]”, issuer:

    “login.persona.org” } Verifier response – all good

100. { status: “failed”, reason: “assertion has expired” } Verifier response

     – bad jiji