Persona: a federated and privacy-protecting login system for the whole Web
    Presentation Transcript

    • François Marier (@fmarier), Mozilla. Persona: a federated and privacy-protecting login system for the whole Web
    • passwords
    • problem #1: passwords are hard to secure
    • bcrypt / scrypt / pbkdf2; per-user salt; site secret; password & lockout policies; secure recovery (2013 password guidelines)
    • passwords are hard to secure: they are a liability
    • ALTER TABLE user DROP COLUMN password;
    • problem #2: passwords are hard to remember
    • pick an easy password, use it everywhere
    • passwords are hard to remember: they need to be reset
    • control email account = control all accounts
    • “People want a little dating before marriage.” Eric Vishria – Rockmelt
    • decentralised
    • myid.com/u/francois
    • privacy®
    • existing login systems are not good enough
    • ideal web-wide identity system
    • ideal web-wide identity system: decentralised, simple, cross-browser
    • what if it were a standard part of the web browser?
    • how does it work?
    • fmarier@gmail.com
    • why email addresses?
    • why email addresses?
      - already federated
      - people know their email
      - natural association between person & email
      - easy to have separate identities
      - most sites need a way to contact users
      - no lock-in
    • fmarier@gmail.com
    • demo #1: http://www.voo.st/ fmariertest@eyedee.me
    • Persona is already a decentralised system
    • decentralisation is the answer, but it's not a product adoption strategy
    • we can't wait for all domains to adopt Persona; solution: a temporary centralised fallback
    • demo #2: http://sloblog.io/ francoistest@web.de
    • Persona already works with all email domains
    • identity bridging
    • demo #3: http://www.reasonwell.com/ fmariertest@yahoo.com
    • Persona supports all modern browsers >= 8
    • Persona is decentralised, simple and cross-browser
    • it's simple for users, but is it also simple for developers?
    • <script src="https://login.persona.org/include.js"></script>
      </body></html>
    • navigator.id.watch({
        // the email your server's session says is logged in
        // (e.g. "francois@mozilla.com"), or null when nobody is
        loggedInUser: null,
        onlogin: function (assertion) {
          // hand the assertion to the server, which must verify it
          $.post('/login', {assertion: assertion}, function (data) {
            window.location = '/';
          });
        },
        onlogout: function () {
          window.location = '/logout';
        }
      });
    • navigator.id.request()
    • eyJhbGciOiJEUzEyOCJ9.eyJwdWJsaWMta2V5Ijp7ImFsZ29yaXRobSI6IkRTIiwieSI6ImNhZDg2ZDgyNWU0MjBkMGI4Njk5MjM4ZDM5ZTFjYjIyOGMyMTk1NWFiMzcwOTQ1YzExNzBhMzM4NjcyNDM0ZDJmNGYxZDg5ZjFkZjMzNmU1ZjZjZjk2YjhiOTlmMjgyNmFjNTYxZmI1YWMyYTc4ZjNhMzBkNGYxNTVhYjc3ZGExYmY3MWU4ZGMzNjQ0MmU2NjQ3MmE5Mjg0N2I2YjFlNDRkMTJlM2IwMjVjOWZmNTFmNDdhMWE5ZWYyMGZhOTVjMTcxZjBkMTYzNGE4ZTY4YTk5NWU3ZjFjY2FiYTJlOTRjYTI3ODE1ZWVkMTcxYjY1YTJmZGQzNTE1NjY3OTI0ZjUiLCJwIjoiZmY2MDA0ODNkYjZhYmZjNWI0NWVhYjc4NTk0YjM1MzNkNTUwZDlmMWJmMmE5OTJhN2E4ZGFhNmRjMzRmODA0NWFkNGU2ZTBjNDI5ZDMzNGVlZWFhZWZkN2UyM2Q0ODEwYmUwMGU0Y2MxNDkyY2JhMzI1YmE4MWZmMmQ1YTViMzA1YThkMTdlYjNiZjRhMDZhMzQ5ZDM5MmUwMGQzMjk3NDRhNTE3OTM4MDM0NGU4MmExOGM0NzkzMzQzOGY4OTFlMjJhZWVmODEyZDY5YzhmNzVlMzI2Y2I3MGVhMDAwYzNmNzc2ZGZkYmQ2MDQ2MzhjMmVmNzE3ZmMyNmQwMmUxNyIsInEiOiJlMjFlMDRmOTExZDFlZDc5OTEwMDhlY2FhYjNiZjc3NTk4NDMwOWMzIiwiZyI6ImM1MmE0YTBmZjNiN2U2MWZkZjE4NjdjZTg0MTM4MzY5YTYxNTRmNGFmYTkyOTY2ZTNjODI3ZTI1Y2ZhNmNmNTA4YjkwZTVkZTQxOWUxMzM3ZTA3YTJlOWUyYTNjZDVkZWE3MDRkMTc1ZjhlYmY2YWYzOTdkNjllMTEwYjk2YWZiMTdjN2EwMzI1OTMyOWU0ODI5YjBkMDNiYmM3ODk2YjE1YjRhZGU1M2UxMzA4NThjYzM0ZDk2MjY5YWE4OTA0MWY0MDkxMzZjNzI0MmEzODg5NWM5ZDViY2NhZDRmMzg5YWYxZDdhNGJkMTM5OGJkMDcyZGZmYTg5NjIzMzM5N2EifSwicHJpbmNpcGFsIjp7ImVtYWlsIjoiZm9vQG1vY2tteWlkLmNvbSJ9LCJpYXQiOjEzNzY1MzY0NjM1MTgsImV4cCI6MTM3NjU0MDA2MzUxOCwiaXNzIjoibW9ja215aWQuY29tIn0.IeUR0_3ayAZkdNSXjF4aaCwSHnHa4X1lzrjX-qkNcPIbXx1hmQQPwg~eyJhbGciOiJEUzEyOCJ9.eyJleHAiOjEzNzY1MzY3MDc2MzUsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3QifQ.NJ8H1qZcWXbXfPJSdgB_mORHQ442ZkY0XYfdQsZZsIjooG7k7qWyVw
    • import requests

      def verify_assertion(assertion):
          # Let the remote verifier check the signatures. The audience must be
          # this site's own origin; otherwise an assertion issued for another
          # site would be accepted here.
          page = requests.post(
              'https://verifier.login.persona.org/verify',
              data={"assertion": assertion,
                    "audience": 'http://123done.org'})
          data = page.json()
          return data['status'] == 'okay'
    • {
        "status": "okay",
        "audience": "http://123done.org",
        "expires": 1344849682560,
        "email": "francois@mozilla.com",
        "issuer": "login.persona.org"
      }
    • { "status": "failed", "reason": "assertion has expired" }
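    The two server-side artefacts shown above, the backed assertion posted to /login and the verifier's JSON answer, as an added example that is not part of the talk. It decodes the structure of a backed assertion (an identity certificate, a `~` separator, then the browser's assertion for one audience) without checking any signature, and shows the checks a relying party applies to the verifier's response before opening a session: status, audience, expiry and the presence of an email. The sample tokens are constructed here with placeholder signatures and payload values mirroring the slide's assertion; `inspect_backed_assertion` and `accept_login` are this example's own names.

```python
import base64
import json

# --- constructed sample data (not the slide's real tokens) -----------------
# A backed assertion is "<identity certificate>~<assertion>", each a compact
# JWT (header.payload.signature). Payload values below mirror the decoded
# slide assertion: principal foo@mockmyid.com, issuer mockmyid.com, audience
# http://localhost. Signatures are placeholders, so this sample can only be
# inspected, never cryptographically verified.

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _jwt(payload: dict, alg: str = "DS128") -> str:
    header = _b64url(json.dumps({"alg": alg}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}.PLACEHOLDER_SIGNATURE"

SAMPLE_CERT = _jwt({
    "public-key": {"algorithm": "DS", "y": "...", "p": "...", "q": "...", "g": "..."},
    "principal": {"email": "foo@mockmyid.com"},
    "iat": 1376536463518,
    "exp": 1376540063518,
    "iss": "mockmyid.com",
})
SAMPLE_ASSERTION = _jwt({"exp": 1376536707635, "aud": "http://localhost"})
SAMPLE_BACKED = SAMPLE_CERT + "~" + SAMPLE_ASSERTION

# The "okay" verifier response from the slide, as a Python dict.
SAMPLE_OKAY_RESPONSE = {
    "status": "okay",
    "audience": "http://123done.org",
    "expires": 1344849682560,
    "email": "francois@mozilla.com",
    "issuer": "login.persona.org",
}

def decode_jwt_payload(token: str) -> dict:
    """Decode a compact JWT's payload WITHOUT checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def inspect_backed_assertion(backed: str) -> dict:
    """Return the claims a relying party cares about: which email is being
    asserted, which issuer vouched for the user's key, and for which audience
    and until when the browser signed the assertion. Signature verification
    is the verifier's (or a BrowserID library's) job, not done here."""
    cert_tokens, assertion_token = backed.rsplit("~", 1)
    certs = [decode_jwt_payload(t) for t in cert_tokens.split("~")]
    assertion = decode_jwt_payload(assertion_token)
    leaf = certs[-1]  # the certificate that names the user
    return {
        "email": leaf["principal"]["email"],
        "issuer": leaf["iss"],
        "cert_exp": leaf["exp"],
        "audience": assertion["aud"],
        "assertion_exp": assertion["exp"],
    }

def accept_login(verifier_response: dict, expected_audience: str, now_ms: int):
    """Decide whether to create a session from the verifier's JSON.
    Returns (email, "ok") on success or (None, reason) on refusal."""
    if verifier_response.get("status") != "okay":
        return None, verifier_response.get("reason", "verification failed")
    # The verifier echoes the audience it checked; it must be this site's own
    # origin, or an assertion minted for another site would log someone in.
    if verifier_response.get("audience") != expected_audience:
        return None, "audience mismatch"
    if verifier_response.get("expires", 0) <= now_ms:
        return None, "assertion has expired"
    email = verifier_response.get("email")
    if not email or "@" not in email:
        return None, "no email in response"
    return email, "ok"

if __name__ == "__main__":
    print(inspect_backed_assertion(SAMPLE_BACKED))
    print(accept_login(SAMPLE_OKAY_RESPONSE, "http://123done.org", 1344849600000))
    print(accept_login(SAMPLE_OKAY_RESPONSE, "http://localhost", 1344849600000))
```

    Decoding the payload is useful for logging and debugging a relying party, but the only trust decision belongs in `accept_login`, after the verifier has checked the certificate chain and the assertion signature.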
    • navigator.id.logout()
    • 1. load javascript library
      2. setup login & logout callbacks
      3. add login and logout buttons
      4. verify proof of ownership
      no API key needed
    • you can add support for Persona in four easy steps
    • one simple request
    • building a new site: default to Persona
    • working on an existing site/app: add support for Persona
    • before
    • after
    • after navigator.id.request()
    • ALTER TABLE user DROP COLUMN password;
    • To learn more about Persona:
      https://login.persona.org/
      http://identity.mozilla.com/
      https://developer.mozilla.org/docs/Persona/Why_Persona
      https://developer.mozilla.org/docs/Persona/Quick_Setup
      https://github.com/mozilla/browserid-cookbook
      https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
      http://123done.org/
      https://wiki.mozilla.org/Identity#Get_Involved
      @fmarier http://fmarier.org
    • identity provider API
      https://eyedee.me/.well-known/browserid:
      {
        "public-key": {
          "algorithm": "RS",
          "n": "8606...",
          "e": "65537"
        },
        "authentication": "/browserid/sign_in.html",
        "provisioning": "/browserid/provision.html"
      }
    • identity provider API
      1. check for your /.well-known/browserid
      2. try the provisioning endpoint
      3. show the authentication page
      4. call the provisioning endpoint again
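    The support document and the discovery step above, plus the centralised fallback mentioned earlier in the talk, as an added example that is not part of the talk or of Mozilla's code. It validates a `/.well-known/browserid` document like the eyedee.me one (supported key algorithm, endpoints given as absolute paths that stay on the email's domain) and decides which identity provider must vouch for an address: the domain itself when it publishes a valid document, otherwise the fallback. The sample document is constructed here to mirror the slide; `parse_support_document`, `is_valid_support_document` and `choose_identity_provider` are this example's own names, and treating a malformed document the same as a missing one is this example's simplification.

```python
import json
from urllib.parse import urljoin, urlsplit

FALLBACK_IDP = "login.persona.org"   # the temporary centralised fallback
SUPPORTED_ALGORITHMS = {"RS", "DS"}  # the key types shown in the talk

# Constructed sample mirroring the eyedee.me slide (the modulus is elided
# on the slide, so it is elided here too).
SAMPLE_SUPPORT_DOC = json.dumps({
    "public-key": {"algorithm": "RS", "n": "8606...", "e": "65537"},
    "authentication": "/browserid/sign_in.html",
    "provisioning": "/browserid/provision.html",
})

def parse_support_document(domain: str, body: str) -> dict:
    """Validate the JSON served at https://<domain>/.well-known/browserid and
    return the key algorithm plus absolute endpoint URLs. Anything that would
    send the user to a host other than the asserted email domain is refused,
    because the browser hands that host the power to vouch for the address."""
    doc = json.loads(body)
    if not isinstance(doc, dict):
        raise ValueError("support document must be a JSON object")
    key = doc.get("public-key")
    if not isinstance(key, dict) or key.get("algorithm") not in SUPPORTED_ALGORITHMS:
        raise ValueError("missing or unsupported public-key")
    base = f"https://{domain}/"
    result = {"algorithm": key["algorithm"]}
    for name in ("authentication", "provisioning"):
        path = doc.get(name)
        if not isinstance(path, str) or not path.startswith("/"):
            raise ValueError(f"{name} must be an absolute path on {domain}")
        url = urljoin(base, path)
        # "//other.host/x" starts with "/" but resolves off-domain: reject it.
        if urlsplit(url).netloc != domain:
            raise ValueError(f"{name} points off-domain")
        result[name] = url
    return result

def is_valid_support_document(domain: str, body: str) -> bool:
    """Boolean wrapper around parse_support_document."""
    try:
        parse_support_document(domain, body)
    except ValueError:  # json.JSONDecodeError is a ValueError too
        return False
    return True

def choose_identity_provider(email: str, fetch_support_doc) -> str:
    """Step 1 of the flow: which domain gets to vouch for `email`?
    fetch_support_doc(domain) returns the document body or None when the
    domain serves nothing at /.well-known/browserid. A missing or invalid
    document means the fallback IdP handles the address (simplification:
    the real flow also distinguishes delegation and error cases)."""
    domain = email.rsplit("@", 1)[1].lower()
    body = fetch_support_doc(domain)
    if body is None or not is_valid_support_document(domain, body):
        return FALLBACK_IDP
    return domain

if __name__ == "__main__":
    print(parse_support_document("eyedee.me", SAMPLE_SUPPORT_DOC))
    print(choose_identity_provider("fmariertest@eyedee.me",
                                   lambda d: SAMPLE_SUPPORT_DOC if d == "eyedee.me" else None))
    print(choose_identity_provider("francoistest@web.de", lambda d: None))
```

    The off-domain check is the part worth keeping in mind when reading the four steps: the provisioning and authentication pages are loaded from the email's own domain, so the document must not be allowed to point elsewhere.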
    • © 2013 François Marier <francois@mozilla.com>
      This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.
      Photo credits:
      Hotel doorman: https://secure.flickr.com/photos/wildlife_encounters/8024166802/
      Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
      Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
      Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/
      Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/
      Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/