Mozilla Persona for your domain

561 views
427 views

Published on

Passwords are a big problem on the Web. Users pick bad ones and re-use them all over the place, developers can’t seem to be able to secure them. We need something better, but almost all of the new login systems for the Web rely on centralised gate keepers. We can do better than this.

Persona is a new way of logging users in. It’s simple, decentralised and allows users to choose who can vouch for them. It’s also designed to provide meaningful privacy to all users regardless of their level of expertise.

This talk will highlight the main features of Persona and introduce the crypto behind its underlying protocol, BrowserID. It will also provide an overview of what organisations can do to support Persona natively on their domains.

Published in: Technology, News & Politics
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
561
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
4
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Mozilla Persona for your domain

  1. 1. François Marier – @fmarier Mozilla Persona for your domain
  2. 2. solving the password problem on the web
  3. 3. problem #1: passwords are hard to secure
  4. 4. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
  5. 5. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
  6. 6. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
  7. 7. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
  8. 8. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
  9. 9. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery 2013 2013 password password guidelines guidelines
  10. 10. passwords are hard to secure they are a liability
  11. 11. ALTER TABLE user DROP COLUMN password;
  12. 12. problem #2: passwords are hard to remember
  13. 13. users have two strategies
  14. 14. 1. pick an easy password
  15. 15. 2. reuse your password
  16. 16. negative externality: sites that don't care about security impose a cost on more important sites
  17. 17. passwords are hard to remember they need to be reset
  18. 18. control email account control all accounts =
  19. 19. existing login solutions
  20. 20. client certificates
  21. 21. SAML
  22. 22. existing login systems are not good enough
  23. 23. ● decentralised ● simple ● cross-browser
  24. 24. how does it work?
  25. 25. fmarier@gmail.com
  26. 26. getting a proof of email ownership
  27. 27. authenticate?
  28. 28. authenticate? public key
  29. 29. authenticate? public key signed public key
  30. 30. you have a signed statement from your provider that you own your email address
  31. 31. logging into a 3rd party site
  32. 32. Valid for: 2 minutes wikipedia.org assertion
  33. 33. Valid for: 2 minutes wikipedia.org check audience assertion
  34. 34. Valid for: 2 minutes wikipedia.org check audience check expiry assertion
  35. 35. Valid for: 2 minutes wikipedia.org check audience check expiry check signature assertion
  36. 36. assertion Valid for: 2 minutes wikipedia.org public key
  37. 37. assertion Valid for: 2 minutes wikipedia.org
  38. 38. assertion session cookie
  39. 39. demo #1: http://crossword.thetimes.co.uk/ fmariertest@eyedee.me
  40. 40. Persona is already a decentralised system
  41. 41. SMS with PIN codes
  42. 42. SMS with PIN codes Jabber / XMPP
  43. 43. SMS with PIN codes Jabber / XMPP Yubikeys
  44. 44. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts
  45. 45. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts Client certificates
  46. 46. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts Client certificates Password-wrapped secret key { "public-key": { "algorithm": "RS", "n":"685484565272...", "e":"65537" }, "encrypted-private-key": { "iv": "tmg7gztUQT...", "salt": "JMtGwlF5UWY", "ct": "8DdOjD1IA1..." }, "authentication": "...", "provisioning": "..." }
  47. 47. decentralisation is the answer, but it's not a product adoption strategy
  48. 48. we can't wait for all domains to adopt Persona
  49. 49. we can't wait for all domains to adopt Persona solution: a temporary centralised fallback
  50. 50. demo #2: http://sloblog.io/ fmariertest@gmail.com
  51. 51. Persona already works with all email domains
  52. 52. Persona supports all modern browsers >= 8
  53. 53. Persona is decentralised, simple and cross-browser
  54. 54. how can I add Persona support to my domain?
  55. 55. support document https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }
  56. 56. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }
  57. 57. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }
  58. 58. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }
  59. 59. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }
  60. 60. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
  61. 61. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
  62. 62. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
  63. 63. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
  64. 64. as an organization, you control: ● details of the authentication process
  65. 65. as an organization, you control: ● details of the authentication process ● the duration of certificates
  66. 66. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Quick_Setup https://developer.mozilla.org/Persona/Implementing_a_Persona_IdP https://github.com/mozilla/browserid-cookbook https://developer.mozilla.org/docs/Persona/Libraries_and_plugins https://wiki.mozilla.org/Identity#Get_Involved @fmarier http://fmarier.org
  67. 67. © 2013 François Marier <francois@mozilla.com> This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Door man: https://secure.flickr.com/photos/wildlife_encounters/8024166802/ Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/ Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/ US passport: https://secure.flickr.com/photos/damian613/5077609023/ Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/ Photo credits:

×