Killing Passwords One Site at a Time with Mozilla Persona

There are too many passwords in the world. Mozilla Persona is a fully decentralized, federated, privacy respecting login system that kills passwords one site at a time.

Shane Tomlinson

March 14, 2013

Transcript

  1. François Marier @fmarier Killing Passwords One Site at a Time

    with Shane Tomlinson @shane_tomlinson
  2. Agenda: Sign-in in 2013 Live demo Live acting Live coding

    Beer!
  3. Email: shane.tomlinson@eyedee.me Password: **************** X Sign in Roll Your Own

  4. UX

  5. conversion rate

  6. # hits signup

  7. # hits signup signup_complete

  8. # hits signup signup_complete lost customers

  9. Security

  10. None
  11. bcrypt per-user salt site secret password & lockout policies secure

    recovery
  12. bcrypt per-user salt site secret password & lockout policies secure

    recovery
  13. bcrypt per-user salt site secret password & lockout policies secure

    recovery
  14. bcrypt per-user salt site secret password & lockout policies secure

    recovery
  15. bcrypt per-user salt site secret password & lockout policies secure

    recovery
  16. bcrypt per-user salt site secret password & lockout policies secure

    recovery 2013 password guidelines
  17. None
  18. Externalize the Hard Work (3rd party authentication)

  19. Externalize the Hard Work (3rd party authentication) * Eliminate site

    specific usernames and passwords
  20. Externalize the Hard Work (3rd party authentication) * Eliminate site

    specific usernames and passwords * No password database to worry about
  21. Externalize the Hard Work (3rd party authentication) * Eliminate site

    specific usernames and passwords * No password database to worry about * No email verification or resets
  22. Externalize the Hard Work (3rd party authentication) * Eliminate site

    specific usernames and passwords * No password database to worry about * No email verification or resets * They have more money to invest in security
  23. “social” authentication

  24. None
  25. None
  26. None
  27. Button overload

  28. Centralized gatekeepers can delete your customers

  29. None
  30. None
  31. Advantage: decentralized

  32. Advantage: decentralized Disadvantages:

  33. Advantage: decentralized Disadvantages: UX worse than passwords

  34. Advantage: decentralized Disadvantages: UX worse than passwords Security is very

    complicated
  35. Advantage: decentralized Disadvantages: UX worse than passwords Security is very

    complicated Privacy concerns
  36. Existing solutions are not good enough

  37. None
  38. decentralized

  39. privacy-sensitive decentralized

  40. privacy-sensitive simple decentralized

  41. privacy-sensitive simple open source decentralized

  42. What does it look like?

  43. (live demo)

  44. Persona is easy

  45. How does it work?

  46. <digital signatures 101>

  47. private public

  48. public

  49. My name is François Marier and my email is too

    long to fit on one line.
  50. My name is François Marier and my email is too

    long to fit on one line. private
  51. My name is François Marier and my email is too

    long to fit on one line. public
  52. sign verify

  53. </digital signatures 101>

  54. (Live Acting)

  55. None
  56. None
  57. None
  58. None
  59. None
  60. None
  61. achieving the vision

  62. None
  63. email providers browser vendors

  64. email providers

  65. fmarier@gmail.com

  66. fmarier@gmail.com

  67. fallback identity provider

  68. None
  69. None
  70. None
  71. persona.org account

  72. support for all email providers

  73. browser vendors

  74. navigator.id.*

  75. None
  76. None
  77. None
  78. js

  79. support for all modern browsers >= 8

  80. support for all modern browsers >= 8

  81. A decentralized solution that just works™

  82. How can I use it on my site?

  83. (Live Coding)

  84. 1. load javascript library

  85. 1. load javascript library 2. setup login & logout callbacks

  86. 1. load javascript library 2. setup login & logout callbacks

    3. add login and logout buttons
  87. 1. load javascript library 2. setup login & logout callbacks

    3. add login and logout buttons 4. verify proof of ownership
  88. Persona is easy to integrate, no crypto required.

  89. You can help! Add Persona to your site Tell us

    about it (good and bad) Ask one site to support Persona
  90. Think of the children!

  91. RTFM: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook https://developer.mozilla.org/docs/Persona/Libraries_and_plugins http://123done.org/ https://wiki.mozilla.org/Identity#Get_Involved http://fmarier.org

    @fmarier @shane_tomlinson https://shanetomlinson.com
  92. Using Persona on your site

  93. <script src="https://login.persona.org/include.js"></script> </body></html> Include the shim

  94. <script>
    navigator.id.watch({
      signedInUser: <null || email@domain.com>,
      onlogin: function(assertion) {
        // more on this later
      },
      onlogout: function() {
        window.location = '/logout';
      }
    });
    </script> Setup navigator.id.watch
  95. <script>
    …
    $("#login").click(function(evt) {
      evt.preventDefault();
      navigator.id.request();
    });
    </script> Hook up login button
  96. <script>
    …
    $("#logout").click(function(evt) {
      evt.preventDefault();
      navigator.id.logout();
    });
    </script> Hook up logout button
  97. signedInUser: <null || email@domain.com>,
    onlogin: function(assertion) {
      $.post('/login', {assertion: assertion}, function (data) {
        window.location = '/home';
      });
    },
    onlogout: function() { Send assertion to backend for verification
  98. var qs = require('querystring');   // added: the slide assumes these two modules are loaded
    var https = require('https');

    function onlogin(assertion) {
      // audience is the site's own origin, fixed server-side, never taken from the request
      var body = qs.stringify({ assertion: assertion, audience: 'http://123done.org' });
      var request = https.request({
        host: 'verifier.login.persona.org',
        path: '/verify',
        method: 'POST',
        headers: {
          'content-type': 'application/x-www-form-urlencoded',
          'content-length': body.length
        }
      }, onVerifyResp);   // onVerifyResp: response handler, shown on the next slides
      request.write(body);
      request.end();
    } Server side assertion verification
  99. { status: "okay", audience: "http://123done.org", expires: 1344849682560, email: "francois@mozilla.com", issuer:
    "login.persona.org" } Verifier response – all good
  100. { status: "failed", reason: "assertion has expired" } Verifier response
    – bad jiji