Securing the Web without site-specific passwords

Identity systems on the Web are a bit of a mess. Surely by 2013 we would have something other than usernames and passwords for logging into websites: a solution that doesn't require trusting a central authority.

It turns out that solving the general identity problem is very hard. Some of the existing solutions require complicated redirections, an overwhelming amount of jargon and lots of verbose XML. The technology has been around for a long time, but implementing it properly (and safely) is often incredibly difficult.

This talk will explore the challenges of the existing Web identity solutions and introduce the choices that we made during the development of Persona, a new cross-browser federated identity solution from Mozilla.

It will cover:

- a discussion of the complexities and privacy-related concerns that existing identity solutions have
- how crypto is used in Persona to provide both authentication and privacy
- the Persona federation approach: fully distributed with fallbacks
- demos and actual code from sites that have implemented Persona
- the basics of the Persona API so that attendees can go out and easily support this technology on their own sites

Trying to convince users to pick unique (and strong) passwords for each website is a losing battle. What we're proposing is a standard, built into browsers, that leverages the new security features that email providers are now offering. A simple federated solution to eliminate site-specific passwords.


  1. François Marier – @fmarier: Securing the Web without site-specific passwords
  2. François Marier – @fmarier: F**k all of these passwords, we can do better than this!
  3. solving the password problem on the web
  4. problem #1: passwords are hard to secure
  5-10. 2013 password guidelines:
     bcrypt / scrypt / pbkdf2
     per-user salt
     site secret
     password & lockout policies
     secure recovery
  11. passwords are hard to secure: they are a liability
  12. ALTER TABLE user DROP COLUMN password;
  13. problem #2: passwords are hard to remember
  14. users have two strategies
  15. 1. pick an easy password
  16. 2. reuse your password
  17. negative externality: sites that don't care about security impose a cost on more important sites
  18. passwords are hard to remember: they need to be reset
  19. control email account = control all accounts
  20. existing login solutions
  21. client certificates
  22. centralised authorities
  23. existing login systems are not good enough
  24. ideal web-wide identity system
  25-28. ideal web-wide identity system: decentralised, simple, cross-browser
  29. how does it work?
  30. fmarier@gmail.com
  31. getting a proof of email ownership
  32-34. authenticate? → public key → signed public key
  35. you have a signed statement from your provider that you own your email address
  36. logging into a 3rd party site
  37-40. assertion (valid for 2 minutes, wikipedia.org): check audience, check expiry, check signature
  41. assertion (valid for 2 minutes, wikipedia.org) + public key
  42. assertion (valid for 2 minutes, wikipedia.org)
  43. assertion → session cookie
  44. demo #1: http://crossword.thetimes.co.uk/ (fmariertest@eyedee.me)
  45. Persona is already a decentralised system
  46-49. decentralisation matters for: choice, security, innovation
  50-55. SMS with PIN codes
     Jabber / XMPP
     Yubikeys
     LDAP accounts
     Client certificates
     Password-wrapped secret key:
       {"public-key": {"algorithm": "RS", "n": "685484565272...", "e": "65537"},
        "encrypted-private-key": {"iv": "tmg7gztUQT...", "salt": "JMtGwlF5UWY", "ct": "8DdOjD1IA1..."},
        "authentication": "...",
        "provisioning": "..."}
  56. decentralisation enables innovation
  57. decentralisation is the answer, but it's not a product adoption strategy
  58. we can't wait for all domains to adopt Persona
  59. we can't wait for all domains to adopt Persona; solution: a temporary centralised fallback
  60. demo #2: http://sloblog.io/ (fmariertest@gmail.com)
  61. Persona already works with all email domains
  62. identity bridging
  63. demo #3: http://www.reasonwell.com/ (fmariertest@yahoo.com)
  64. Persona supports all modern browsers (>= 8)
  65. Persona is decentralised, simple and cross-browser
  66. it's simple for users, but is it also simple for developers?
  67. <script src="https://login.persona.org/include.js"></script>
      </body>
      </html>
  68. navigator.id.watch({
        loggedInEmail: "francois@mozilla.com",
        onlogin: function (assertion) {
          $.post('/login', {assertion: assertion}, function (data) {
            // do something
          });
        },
        onlogout: function () {
          window.location = '/logout';
        }
      });
  69. as slide 68, with the current name of the parameter:
        loggedInUser: "francois@mozilla.com",
  70-71. loggedInUser: null (who the site currently believes is logged in; null when nobody is)
  72. on successful verification the onlogin callback reloads the page:
        onlogin: function (assertion) {
          $.post('/login', {assertion: assertion}, function (data) {
            window.location = '/';
          });
        },
  73. navigator.id.request()
  74. (the watch() call from slide 72 again)
  75. as slide 72, redirecting to the logged-in page:
            window.location = '/home';
  76-77. $ curl -d "assertion=<ASSERTION>&audience=http://123done.org" https://verifier.login.persona.org/verify
  78. {"status": "okay", "audience": "http://123done.org", "expires": 1344849682560, "email": "francois@mozilla.com", "issuer": "login.persona.org"}
  79. {"status": "failed", "reason": "assertion has expired"}
  80. navigator.id.logout()
  81. (the watch() call from slide 75 again)
  82-85. 1. load javascript library
     2. setup login & logout callbacks
     3. add login and logout buttons
     4. verify proof of ownership
  86. you can add support for Persona in four easy steps
  87. one simple request
  88. building a new site: default to Persona
  89. working on an existing site: add support for Persona
  90. we need your help to eliminate site-specific passwords
  91. To learn more about Persona:
     https://login.persona.org/
     http://identity.mozilla.com/
     https://developer.mozilla.org/docs/Persona/Why_Persona
     https://developer.mozilla.org/docs/Persona/Quick_Setup
     https://github.com/mozilla/browserid-cookbook
     https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
     http://123done.org/
     https://wiki.mozilla.org/Identity#Get_Involved
     @fmarier http://fmarier.org
  92-96. identity provider API: https://eyedee.me/.well-known/browserid
       {"public-key": {"algorithm": "RS", "n": "8606...", "e": "65537"},
        "authentication": "/browserid/sign_in.html",
        "provisioning": "/browserid/provision.html"}
  97-100. identity provider API:
     1. check for your /.well-known/browserid
     2. try the provisioning endpoint
     3. show the authentication page
     4. call the provisioning endpoint again
  101. © 2013 François Marier <francois@mozilla.com>. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.
     Photo credits:
     Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
     Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
     Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/
     Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/
     Australian passport: https://secure.flickr.com/photos/digallagher/5453987637/
     Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/