Persona: in your browsers, killing your passwords

Introduction to Persona, a new cross-browser login system for the web that's built entirely in Javascript. Powered by node.js on the backend, it pushes most of the crypto to the browser in order to create a secure and privacy-sensitive experience.

Published in Technology
Transcript

  • 1. Persona: in your browsers, killing your passwords (François Marier – @fmarier)
  • 2. Username: francois  Password: ****************  [Sign in]
  • 3. security
  • 4. bcrypt
  • 5. bcrypt, per-user salt
  • 6. bcrypt, per-user salt, site secret
  • 7. bcrypt, per-user salt, site secret, password & lockout policies
  • 8. bcrypt, per-user salt, site secret, password & lockout policies, secure recovery
  • 9. bcrypt, per-user salt, site secret, password & lockout policies, secure recovery (slide image: top passwords list)
  • 10. conversion rate
  • 11. # hits signup
  • 12. # hits signup signup_complete
  • 13. # hits → signup → signup_complete (lost customers along the way)
  • 14. existing solutions
  • 15. client certificates
  • 16. centralized authorities
  • 17. so... storing passwords is hard
  • 18. so... storing passwords is hard; no suitable alternatives
  • 19. decentralized
  • 20. decentralized, privacy-sensitive
  • 21. decentralized, privacy-sensitive, simple
  • 22. decentralized, privacy-sensitive, simple, open source
  • 23. in your browser
  • 24. how does it work?
  • 25. francois@mozilla.com
  • 26. getting a proof of email ownership
  • 27. authenticate?
  • 28. authenticate? public key
  • 29. authenticate? public key, signed public key
  • 30. you have a signed statement from your provider that you own your email address
  • 31. logging into a 3rd party site
  • 32. assertion: wikipedia.org, valid for: 2 minutes
  • 33. assertion: wikipedia.org, valid for: 2 minutes; check audience
  • 34. assertion: wikipedia.org, valid for: 2 minutes; check audience, check expiry
  • 35. assertion: wikipedia.org, valid for: 2 minutes; check audience, check expiry, check signature
  • 36. assertion + public key: wikipedia.org, valid for: 2 minutes
  • 37. assertion: wikipedia.org, valid for: 2 minutes
  • 38. assertion → session cookie
  • 39. achieving that vision
  • 40. email providers, browser vendors
  • 41. email providers
  • 42. fmarier@gmail.com
  • 43. fmarier@gmail.com
  • 44. fallback identity provider: login.persona.org
  • 45. persona.org account
  • 46. connect & express, uglify, bcrypt, ejs, underscore, computer-cluster, nodemailer, jwcrypto, client-sessions, convict, winston, vows
  • 47. “A Node.JS Holiday Season” https://hacks.mozilla.org/
  • 48. proxy identity provider:
  • 49. support for all email providers
  • 50. browser vendors
  • 51. navigator.id.*
  • 52. js
  • 53. support for all modern browsers >= 8
  • 54. LIFD
  • 55. Locally Isolated Feature Domain
  • 56. wanted: trusted code running in the browser
  • 57. browserid.org → login.persona.org
  • 58. browserid.org → login.persona.org
  • 59. localStorage: localStorage.setItem("key", serializedKey); var serializedKey = localStorage.getItem("key");
  • 60. storage tied to login.persona.org
  • 61. window.postMessage()
  • 62. jschannel localStorage https://login.persona.org
  • 63. jschannel, localStorage, https://login.persona.org; questions?
  • 64. live demo
  • 65. using it on your site
  • 66. <script src="https://login.persona.org/include.js"></script></body></html>
  • 67. navigator.id.watch({ loggedInEmail: "francois@mozilla.com", onlogin: function (assertion) { $.post("/login", {assertion: assertion}, function (data) { /* do something */ }); }, onlogout: function () { window.location = "/logout"; } });
  • 68. navigator.id.watch({ loggedInUser: "francois@mozilla.com", onlogin: function (assertion) { $.post("/login", {assertion: assertion}, function (data) { /* do something */ }); }, onlogout: function () { window.location = "/logout"; } });
  • 69. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post("/login", {assertion: assertion}, function (data) { /* do something */ }); }, onlogout: function () { window.location = "/logout"; } });
  • 70. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post("/login", {assertion: assertion}, function (data) { /* do something */ }); }, onlogout: function () { window.location = "/logout"; } });
  • 71. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post("/login", {assertion: assertion}, function (data) { window.location = "/"; }); }, onlogout: function () { window.location = "/logout"; } });
  • 72. navigator.id.request()
  • 73. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post("/login", {assertion: assertion}, function (data) { window.location = "/"; }); }, onlogout: function () { window.location = "/logout"; } });
  • 74. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post("/login", {assertion: assertion}, function (data) { window.location = "/home"; }); }, onlogout: function () { window.location = "/logout"; } });
  • 75. var request = https.request({ host: "verifier.login.persona.org", path: "/verify", method: "POST", headers: { "content-type": "application/x-www-form-urlencoded", "content-length": body.length } }, onVerifyResponse);
  • 76. var body = qs.stringify({ assertion: assertion, audience: "http://123done.org" }); /* build the body before its length is sent */ var request = https.request({ host: "verifier.login.persona.org", path: "/verify", method: "POST", headers: { "content-type": "application/x-www-form-urlencoded", "content-length": body.length } }, onVerifyResponse); request.write(body); request.end();
  • 77. var body = qs.stringify({ assertion: assertion, audience: "http://123done.org" }); var request = https.request({ host: "verifier.login.persona.org", path: "/verify", method: "POST", headers: { "content-type": "application/x-www-form-urlencoded", "content-length": body.length } }, onVerifyResponse); request.write(body); request.end();
  • 78. { "status": "okay", "audience": "http://123done.org", "expires": 1344849682560, "email": "francois@mozilla.com", "issuer": "login.persona.org" }
  • 79. { "status": "failed", "reason": "assertion has expired" }
  • 80. navigator.id.logout()
  • 81. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post("/login", {assertion: assertion}, function (data) { window.location = "/home"; }); }, onlogout: function () { window.location = "/logout"; } });
  • 82. 1. load javascript library
  • 83. 1. load javascript library; 2. setup login & logout callbacks
  • 84. 1. load javascript library; 2. setup login & logout callbacks; 3. add login and logout buttons
  • 85. 1. load javascript library; 2. setup login & logout callbacks; 3. add login and logout buttons; 4. verify proof of ownership
  • 86. framework / CMS plugins: Express, Jungles, Mootools, Olives, Passport
  • 87. To learn more about Persona:
    https://login.persona.org/
    http://identity.mozilla.com/
    https://developer.mozilla.org/docs/Persona/Why_Persona
    https://developer.mozilla.org/docs/Persona/Quick_Setup
    https://github.com/mozilla/browserid-cookbook
    https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
    http://123done.org/
    https://hacks.mozilla.org/category/a-node-js-holiday-season/
    @fmarier http://fmarier.org
  • 88. Photo credits:
    Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
    Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
    Elephant in room: https://secure.flickr.com/photos/bitboy/246805948/
    Beach flower: https://secure.flickr.com/photos/vwingate/4696429215/
    Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/
    © 2012 François Marier <francois@mozilla.com>. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.