Passwords suck, but centralized proprietary services are not the answer
Passwords are a big problem online and a lot of websites have turned to centralized services to handle logins for them. It's a disturbing trend from a privacy/surveillance point of view, but from a software freedom point of view, it's also turning these proprietary services into core dependencies.

That's why Mozilla is building Persona, a new federated and cross-browser system which makes identity a standard part of the browser. It's simple, privacy-sensitive and entirely free software.

Published in: Technology
Transcript of "Passwords suck, but centralized proprietary services are not the answer"

  1. Passwords suck, but centralized proprietary services are not the answer. François Marier – @fmarier
  2. member number 4061
  3. 501c3
  4. mission: keeping the web open & innovative
  5. principles: free software, privacy, users in control
  6. threat: passwords
  7. threat: passwords; password alternatives
  8. why?
  9. passwords are hard to remember
  10. re-use
  11. not just another technical problem
  12. wanted: better login solution for free software developers
  13. decentralized
  14. myid.com/u/francois
  15. privacy
  16. using the web should not require a Facebook account
  17. decentralized
  18. decentralized, privacy-sensitive
  19. decentralized, privacy-sensitive, simple
  20. decentralized, privacy-sensitive, simple, free software
  21. in your browser
  22. how does it work?
  23. fmarier@gnu.org
  24. <digital signatures 101>
  25. private / public
  26. public
  27. "My name is François Marier and my email is too long to fit on one line."
  28. "My name is François Marier and my email is too long to fit on one line." (private)
  29. "My name is François Marier and my email is too long to fit on one line." (public)
  30. sign / verify
  31. </digital signatures 101>
  32. fmarier@gnu.org
  33. getting a proof of email ownership
  34. authenticate?
  35. authenticate? public key
  36. authenticate? public key; signed public key
  37. you have a signed statement from your provider that you own your email address
  38. logging into a 3rd party site
  39. assertion: mediagoblin.org, valid for: 2 minutes
  40. assertion: mediagoblin.org, valid for: 2 minutes; check audience
  41. assertion: mediagoblin.org, valid for: 2 minutes; check audience, check expiry
  42. assertion: mediagoblin.org, valid for: 2 minutes; check audience, check expiry, check signature
  43. assertion + public key: mediagoblin.org, valid for: 2 minutes
  44. assertion: mediagoblin.org, valid for: 2 minutes
  45. assertion → session cookie
  46. Persona is federated & protects your privacy
  47. achieving the vision
  48. email providers, browser vendors
  49. email providers
  50. fmarier@gnu.org
  51. fmarier@gnu.org
  52. fallback identity provider
  53. persona.org account
  54. support for all email providers
  55. browser vendors
  56. navigator.id.*
  57. js
  58. support for all modern browsers (>= 8)
  59. support for all modern browsers (>= 8)
  60. support for free browsers too
  61. email providers, browser vendors
  62. using it on your site
  63.

        <script src="https://login.persona.org/include.js"></script>
        </body>
        </html>

  64.

        navigator.id.watch({
          loggedInEmail: "francois@mozilla.com",
          onlogin: function (assertion) {
            $.post('/login', {assertion: assertion}, function (data) {
              // do something
            });
          },
          onlogout: function () {
            window.location = '/logout';
          }
        });

  65.

        navigator.id.watch({
          loggedInUser: "francois@mozilla.com",
          onlogin: function (assertion) {
            $.post('/login', {assertion: assertion}, function (data) {
              // do something
            });
          },
          onlogout: function () {
            window.location = '/logout';
          }
        });

  66.

        navigator.id.watch({
          loggedInUser: null,
          onlogin: function (assertion) {
            $.post('/login', {assertion: assertion}, function (data) {
              // do something
            });
          },
          onlogout: function () {
            window.location = '/logout';
          }
        });

  67. (same code as slide 66)
  68.

        navigator.id.watch({
          loggedInUser: null,
          onlogin: function (assertion) {
            $.post('/login', {assertion: assertion}, function (data) {
              window.location = '/';
            });
          },
          onlogout: function () {
            window.location = '/logout';
          }
        });

  69.

        navigator.id.request()

  70. (same code as slide 68)
  71.

        navigator.id.watch({
          loggedInUser: null,
          onlogin: function (assertion) {
            $.post('/login', {assertion: assertion}, function (data) {
              window.location = '/home';
            });
          },
          onlogout: function () {
            window.location = '/logout';
          }
        });

  72.

        import requests

        def verify_assertion(assertion):
            # Send the browser's assertion to the remote verifier together with
            # this site's own audience; only an "okay" status counts as a login.
            page = requests.post(
                'https://verifier.login.persona.org/verify',
                data={"assertion": assertion,
                      "audience": "http://123done.org"})
            data = page.json()
            return data['status'] == 'okay'

  73. (same code as slide 72)
  74.

        {
          "status": "okay",
          "audience": "http://123done.org",
          "expires": 1344849682560,
          "email": "francois@mozilla.com",
          "issuer": "login.persona.org"
        }

  75.

        {
          "status": "failed",
          "reason": "assertion has expired"
        }

  76.

        navigator.id.logout()

  77. (same code as slide 71)
  78. 1. load javascript library
  79. 1. load javascript library; 2. set up login & logout callbacks
  80. 1. load javascript library; 2. set up login & logout callbacks; 3. add login and logout buttons
  81. 1. load javascript library; 2. set up login & logout callbacks; 3. add login and logout buttons; 4. verify proof of ownership
  82. you can add Persona to your site in one afternoon
  83. wanna help us solve the password problem?
  84. add Persona to your project/site; tell us about your experience; email one site asking for it
  85. (same as slide 84)
  86. (same as slide 84)
  87. To learn more about Persona:
      https://login.persona.org/
      http://identity.mozilla.com/
      https://developer.mozilla.org/docs/Persona/Why_Persona
      https://developer.mozilla.org/docs/Persona/Quick_Setup
      https://github.com/mozilla/browserid-cookbook
      https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
      http://123done.org/
      https://wiki.mozilla.org/Identity#Get_Involved
      @fmarier http://fmarier.org
  88. Who's using Persona?
  89. identity provider API: https://eyedee.me/.well-known/browserid

        {
          "public-key": {
            "algorithm": "RS",
            "n": "8606...",
            "e": "65537"
          },
          "authentication": "/browserid/sign_in.html",
          "provisioning": "/browserid/provision.html"
        }

  90. (same as slide 89)
  91. (same as slide 89)
  92. (same as slide 89)
  93. (same as slide 89)
  94. identity provider API: 1. check for your /.well-known/browserid; 2. try the provisioning endpoint; 3. show the authentication page; 4. call the provisioning endpoint again
  95. (same as slide 94)
  96. (same as slide 94)
  97. (same as slide 94)
  98. Photo credits:
      Laptop password: https://secure.flickr.com/photos/reidrac/4696900602/
      Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
      Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
      Elephant in room: https://secure.flickr.com/photos/bitboy/246805948/
      Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/
      Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/
      US passport: https://secure.flickr.com/photos/damian613/5077609023/
      © 2013 François Marier <francois@mozilla.com>. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.