Securing the Web without site-specific passwords

Identity systems on the Web are a bit of a mess. Surely by 2013 we should have something other than usernames and passwords for logging into websites, and a solution that doesn't require trusting a central authority.

It turns out that solving the general identity problem is very hard. Some of these solutions require complicated redirections, an overwhelming amount of jargon and lots of verbose XML. The technology has been around for a long time, but implementing it properly (and safely) is often incredibly difficult.

This talk will explore the challenges of the existing Web identity solutions and introduce the choices that we made during the development of Persona, a new cross-browser federated identity solution from Mozilla.

It will cover:

- a discussion of the complexities and privacy-related concerns that existing identity solutions have
- how crypto is used in Persona to provide both authentication and privacy
- the Persona federation approach: fully distributed with fallbacks
- demos and actual code from sites that have implemented Persona
- the basics of the Persona API so that attendees can go out and easily support this technology on their own sites

Trying to convince users to pick unique (and strong) passwords for each website is a losing battle. What we're proposing is a standard, built into browsers, that leverages the new security features that email providers are now offering: a simple federated solution to eliminate site-specific passwords.

Transcript

  • 1. François Marier – @fmarier. Securing the Web without site-specific passwords
  • 2. François Marier – @fmarier. F**k all of these passwords, we can do better than this!
  • 3. solving the password problem on the web
  • 4. problem #1: passwords are hard to secure
  • 5. bcrypt / scrypt / pbkdf2; per-user salt; site secret; password & lockout policies; secure recovery
  • 10. "2013 password guidelines": bcrypt / scrypt / pbkdf2; per-user salt; site secret; password & lockout policies; secure recovery
  • 11. passwords are hard to secure: they are a liability
  • 12. ALTER TABLE user DROP COLUMN password;
  • 13. problem #2: passwords are hard to remember
  • 14. users have two strategies
  • 15. 1. pick an easy password
  • 16. 2. reuse your password
  • 17. negative externality: sites that don't care about security impose a cost on more important sites
  • 18. passwords are hard to remember: they need to be reset
  • 19. control email account = control all accounts
  • 20. existing login solutions
  • 21. client certificates
  • 22. centralised authorities
  • 23. existing login systems are not good enough
  • 24. ideal web-wide identity system
  • 25. ideal web-wide identity system: decentralised, simple, cross-browser
  • 29. how does it work?
  • 30. fmarier@gmail.com
  • 31. getting a proof of email ownership
  • 32. authenticate?
  • 33. authenticate? → public key
  • 34. authenticate? → public key → signed public key
  • 35. you have a signed statement from your provider that you own your email address
  • 36. logging into a 3rd party site
  • 37. assertion (valid for: 2 minutes; audience: wikipedia.org)
  • 38. assertion (valid for: 2 minutes; wikipedia.org): check audience
  • 39. assertion (valid for: 2 minutes; wikipedia.org): check audience, check expiry
  • 40. assertion (valid for: 2 minutes; wikipedia.org): check audience, check expiry, check signature
  • 41. assertion (valid for: 2 minutes; wikipedia.org) + public key
  • 42. assertion (valid for: 2 minutes; wikipedia.org)
  • 43. assertion → session cookie
  • 44. demo #1: http://crossword.thetimes.co.uk/ (fmariertest@eyedee.me)
  • 45. Persona is already a decentralised system
  • 46. decentralisation matters for:
  • 47. decentralisation matters for: choice, security, innovation
  • 50. SMS with PIN codes
  • 51. SMS with PIN codes; Jabber / XMPP
  • 52. SMS with PIN codes; Jabber / XMPP; Yubikeys
  • 53. SMS with PIN codes; Jabber / XMPP; Yubikeys; LDAP accounts
  • 54. SMS with PIN codes; Jabber / XMPP; Yubikeys; LDAP accounts; Client certificates
  • 55. SMS with PIN codes; Jabber / XMPP; Yubikeys; LDAP accounts; Client certificates; Password-wrapped secret key:
        {
          "public-key": {"algorithm": "RS", "n": "685484565272...", "e": "65537"},
          "encrypted-private-key": {"iv": "tmg7gztUQT...", "salt": "JMtGwlF5UWY", "ct": "8DdOjD1IA1..."},
          "authentication": "...",
          "provisioning": "..."
        }
  • 56. decentralisation enables innovation
  • 57. decentralisation is the answer, but it's not a product adoption strategy
  • 58. we can't wait for all domains to adopt Persona
  • 59. we can't wait for all domains to adopt Persona; solution: a temporary centralised fallback
  • 60. demo #2: http://sloblog.io/ (fmariertest@gmail.com)
  • 61. Persona already works with all email domains
  • 62. identity bridging
  • 63. demo #3: http://www.reasonwell.com/ (fmariertest@yahoo.com)
  • 64. Persona supports all modern browsers (and IE >= 8)
  • 65. Persona is decentralised, simple and cross-browser
  • 66. it's simple for users, but is it also simple for developers?
  • 67. <script src="https://login.persona.org/include.js"></script>
        </body>
        </html>
  • 68. navigator.id.watch({
          loggedInEmail: "francois@mozilla.com",
          onlogin: function (assertion) {
            $.post('/login', {assertion: assertion}, function (data) {
              // do something
            });
          },
          onlogout: function () {
            window.location = '/logout';
          }
        });
  • 69. navigator.id.watch({
          loggedInUser: "francois@mozilla.com",
          onlogin: function (assertion) {
            $.post('/login', {assertion: assertion}, function (data) {
              // do something
            });
          },
          onlogout: function () {
            window.location = '/logout';
          }
        });
  • 70. navigator.id.watch({
          loggedInUser: null,
          onlogin: function (assertion) {
            $.post('/login', {assertion: assertion}, function (data) {
              // do something
            });
          },
          onlogout: function () {
            window.location = '/logout';
          }
        });
  • 72. navigator.id.watch({
          loggedInUser: null,
          onlogin: function (assertion) {
            $.post('/login', {assertion: assertion}, function (data) {
              window.location = '/';
            });
          },
          onlogout: function () {
            window.location = '/logout';
          }
        });
  • 73. navigator.id.request()
  • 75. navigator.id.watch({
          loggedInUser: null,
          onlogin: function (assertion) {
            $.post('/login', {assertion: assertion}, function (data) {
              window.location = '/home';
            });
          },
          onlogout: function () {
            window.location = '/logout';
          }
        });
  • 76. $ curl -d "assertion=<ASSERTION>&audience=http://123done.org" https://verifier.login.persona.org/verify
  • 78. {
          "status": "okay",
          "audience": "http://123done.org",
          "expires": 1344849682560,
          "email": "francois@mozilla.com",
          "issuer": "login.persona.org"
        }
  • 79. {
          "status": "failed",
          "reason": "assertion has expired"
        }
  • 80. navigator.id.logout()
  • 82. 1. load javascript library
  • 83. 1. load javascript library; 2. setup login & logout callbacks
  • 84. 1. load javascript library; 2. setup login & logout callbacks; 3. add login and logout buttons
  • 85. 1. load javascript library; 2. setup login & logout callbacks; 3. add login and logout buttons; 4. verify proof of ownership
  • 86. you can add support for Persona in four easy steps
  • 87. one simple request
  • 88. building a new site: default to Persona
  • 89. working on an existing site: add support for Persona
  • 90. we need your help to eliminate site-specific passwords
  • 91. To learn more about Persona:
        https://login.persona.org/
        http://identity.mozilla.com/
        https://developer.mozilla.org/docs/Persona/Why_Persona
        https://developer.mozilla.org/docs/Persona/Quick_Setup
        https://github.com/mozilla/browserid-cookbook
        https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
        http://123done.org/
        https://wiki.mozilla.org/Identity#Get_Involved
        @fmarier http://fmarier.org
  • 92. identity provider API: https://eyedee.me/.well-known/browserid
        {
          "public-key": {"algorithm": "RS", "n": "8606...", "e": "65537"},
          "authentication": "/browserid/sign_in.html",
          "provisioning": "/browserid/provision.html"
        }
  • 97. identity provider API: 1. check for your /.well-known/browserid; 2. try the provisioning endpoint; 3. show the authentication page; 4. call the provisioning endpoint again
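The first of the four steps above starts with fetching and reading the provider's support document. Below is an added example (not Persona's or the browser's own code) of a parser for the /.well-known/browserid document shown on slide 92, written from the relying-party or verifier side. It checks the three fields the slide names and, before resolving the two endpoints, refuses any that would leave the provider's own https origin, since the browser is about to load those pages and hand them the user's login. It accepts only the "RS" algorithm because that is the only one the slides show; the sample documents inside demo() are constructed, with the "n" value shortened as on the slide.

```javascript
// Added example: parse and sanity-check an identity provider's support document.
// Assumption: only "RS" keys with decimal n/e (the form on slide 92) are accepted.
function parseSupportDocument(domain, json) {
  const fail = (reason) => ({ ok: false, reason });
  let doc;
  try { doc = JSON.parse(json); } catch (e) { return fail('support document is not JSON'); }
  if (!doc || typeof doc !== 'object') return fail('support document is not an object');

  // The IdP's public key: used later to check certificates it issues (slide 34's "signed public key").
  const key = doc['public-key'];
  if (!key || typeof key !== 'object') return fail('missing public-key');
  if (key.algorithm !== 'RS') return fail(`unsupported algorithm ${JSON.stringify(key.algorithm)}`);
  if (!/^\d+$/.test(String(key.n || '')) || !/^\d+$/.test(String(key.e || ''))) {
    return fail('RS key needs decimal n and e');
  }

  // Steps 2-4 load these pages in the browser; they must stay on the IdP's own origin.
  const origin = `https://${domain}`;
  const endpoints = {};
  for (const name of ['authentication', 'provisioning']) {
    const path = doc[name];
    if (typeof path !== 'string' || !path.startsWith('/')) return fail(`${name} must be an absolute path`);
    const url = new URL(path, origin);           // "//other.example/x" would resolve off-origin
    if (url.origin !== origin) return fail(`${name} leaves ${origin}`);
    endpoints[name] = url.href;
  }
  return { ok: true, domain, publicKey: { algorithm: 'RS', n: key.n, e: key.e }, ...endpoints };
}

// Constructed documents: the one from slide 92 and two hostile or broken variants.
function demo() {
  const fromSlide = JSON.stringify({
    'public-key': { algorithm: 'RS', n: '8606', e: '65537' },   // n shortened as on the slide
    authentication: '/browserid/sign_in.html',
    provisioning: '/browserid/provision.html',
  });
  const offOrigin = JSON.stringify({
    'public-key': { algorithm: 'RS', n: '8606', e: '65537' },
    authentication: '/browserid/sign_in.html',
    provisioning: '//attacker.example/provision.html',           // protocol-relative escape
  });
  const noKey = JSON.stringify({ authentication: '/a.html', provisioning: '/p.html' });
  return {
    good: parseSupportDocument('eyedee.me', fromSlide),
    offOrigin: parseSupportDocument('eyedee.me', offOrigin),
    noKey: parseSupportDocument('eyedee.me', noKey),
    garbage: parseSupportDocument('eyedee.me', '<html>not json</html>'),
  };
}
```

The origin check is the security-relevant part: the document is fetched over https from the email's domain, so anything it points at must stay on that domain or the trust chain from "I own this email address" to "this page may authenticate me" is broken at its first link.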
  • 101. © 2013 François Marier <francois@mozilla.com>. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.
        Photo credits:
        Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
        Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
        Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/
        Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/
        Australian passport: https://secure.flickr.com/photos/digallagher/5453987637/
        Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/
