Passwords suck, but centralized proprietary services are not the answer

Passwords are a big problem online and a lot of websites have turned to centralized services to handle logins for them. It's a disturbing trend from a privacy/surveillance point of view, but from a software freedom point of view, it's also turning these proprietary services into core dependencies.

That's why Mozilla is building Persona, a new federated and cross-browser system which makes identity a standard part of the browser. It's simple, privacy-sensitive and entirely free software.


  1. Passwords suck, but centralized proprietary services are not the answer (François Marier, @fmarier)
  2. member number 4061
  3. 501c3
  4. mission: keeping the web open & innovative
  5. principles: free software, privacy, users in control
  6. threat: passwords
  7. threat: passwords; password alternatives
  8. why?
  9. passwords are hard to remember
  10. re-use
  11. not just another technical problem
  12. wanted: better login solution for free software developers
  13. decentralized
  14. myid.com/u/francois
  15. privacy®
  16. using the web should not require a Facebook account
  17. decentralized
  18. decentralized, privacy-sensitive
  19. decentralized, privacy-sensitive, simple
  20. decentralized, privacy-sensitive, simple, free software
  21. in your browser
  22. how does it work?
  23. fmarier@gnu.org
  24. <digital signatures 101>
  25. private, public
  26. public
  27. My name is François Marier and my email is too long to fit on one line.
  28. My name is François Marier and my email is too long to fit on one line. (private)
  29. My name is François Marier and my email is too long to fit on one line. (public)
  30. sign, verify
  31. </digital signatures 101>
  32. fmarier@gnu.org
  33. getting a proof of email ownership
  34. authenticate?
  35. authenticate? public key
  36. authenticate? public key; signed public key
  37. you have a signed statement from your provider that you own your email address
  38. logging into a 3rd party site
  39. assertion: mediagoblin.org, valid for: 2 minutes
  40. assertion: mediagoblin.org, valid for: 2 minutes; check audience
  41. assertion: mediagoblin.org, valid for: 2 minutes; check audience, check expiry
  42. assertion: mediagoblin.org, valid for: 2 minutes; check audience, check expiry, check signature
  43. assertion (public key): mediagoblin.org, valid for: 2 minutes
  44. assertion: mediagoblin.org, valid for: 2 minutes
  45. assertion -> session cookie
  46. Persona is federated & protects your privacy
  47. achieving the vision
  48. email providers, browser vendors
  49. email providers
  50. fmarier@gnu.org
  52. fallback identity provider
  53. persona.org account
  54. support for all email providers
  55. browser vendors
  56. navigator.id.*
  57. js
  58. support for all modern browsers >= 8
  60. support for free browsers too
  61. email providers, browser vendors
  62. using it on your site
  63. load the JavaScript library just before the closing body tag:

          <script src="https://login.persona.org/include.js"></script>
          </body>
          </html>

  64. set up the login and logout callbacks:

          navigator.id.watch({
            loggedInEmail: "francois@mozilla.com",
            onlogin: function (assertion) {
              // send the assertion to your server for verification
              $.post('/login', {assertion: assertion}, function (data) {
                // do something
              });
            },
            onlogout: function () {
              window.location = '/logout';
            }
          });

  65. the same, with the parameter named loggedInUser instead of loggedInEmail
  66. when nobody is logged in, tell the library so:

          navigator.id.watch({
            loggedInUser: null,
            onlogin: function (assertion) {
              $.post('/login', {assertion: assertion}, function (data) {
                // do something
              });
            },
            onlogout: function () {
              window.location = '/logout';
            }
          });

  68. the same, reloading the front page after a successful login: window.location = '/'
  69. the login button calls:

          navigator.id.request()

  71. the final version, redirecting to /home after login:

          navigator.id.watch({
            loggedInUser: null,
            onlogin: function (assertion) {
              $.post('/login', {assertion: assertion}, function (data) {
                window.location = '/home';
              });
            },
            onlogout: function () {
              window.location = '/logout';
            }
          });

  72. verify the proof of ownership on the server (Python, using the requests library):

          import requests

          def verify_assertion(assertion):
              # the audience must be your own site's origin, never a value taken from the request
              page = requests.post(
                  'https://verifier.login.persona.org/verify',
                  data={"assertion": assertion,
                        "audience": "http://123done.org"})
              data = page.json()
              return data['status'] == 'okay'

  74. a successful verifier response:

          {
            "status": "okay",
            "audience": "http://123done.org",
            "expires": 1344849682560,
            "email": "francois@mozilla.com",
            "issuer": "login.persona.org"
          }

  75. a failed one:

          {
            "status": "failed",
            "reason": "assertion has expired"
          }

  76. the logout button calls:

          navigator.id.logout()

  78. 1. load javascript library
  79. 1. load javascript library; 2. set up login & logout callbacks
  80. 1. load javascript library; 2. set up login & logout callbacks; 3. add login and logout buttons
  81. 1. load javascript library; 2. set up login & logout callbacks; 3. add login and logout buttons; 4. verify proof of ownership
  82. you can add Persona to your site in one afternoon
  83. wanna help us solve the password problem?
  84. add Persona to your project/site; tell us about your experience; email one site asking for it
  87. To learn more about Persona:
      https://login.persona.org/
      http://identity.mozilla.com/
      https://developer.mozilla.org/docs/Persona/Why_Persona
      https://developer.mozilla.org/docs/Persona/Quick_Setup
      https://github.com/mozilla/browserid-cookbook
      https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
      http://123done.org/
      https://wiki.mozilla.org/Identity#Get_Involved
      @fmarier http://fmarier.org
  88. Who's using Persona?
  89. identity provider API: https://eyedee.me/.well-known/browserid

          {
            "public-key": {
              "algorithm": "RS",
              "n": "8606...",
              "e": "65537"
            },
            "authentication": "/browserid/sign_in.html",
            "provisioning": "/browserid/provision.html"
          }

  94. identity provider API:
      1. check for your /.well-known/browserid
      2. try the provisioning endpoint
      3. show the authentication page
      4. call the provisioning endpoint again
  98. Photo credits:
      Laptop password: https://secure.flickr.com/photos/reidrac/4696900602/
      Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
      Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
      Elephant in room: https://secure.flickr.com/photos/bitboy/246805948/
      Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/
      Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/
      US passport: https://secure.flickr.com/photos/damian613/5077609023/
      © 2013 François Marier <francois@mozilla.com>. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.
