Taking the pain out of signing users in


  1. François Marier – @fmarier: Taking the pain out of signing users in
  2. passwords
  3. problem #1: passwords are hard to secure
  4. bcrypt / scrypt / pbkdf2 ● per-user salt ● site secret ● password & lockout policies ● secure recovery
  9. 2013 password guidelines: bcrypt / scrypt / pbkdf2 ● per-user salt ● site secret ● password & lockout policies ● secure recovery
  10. passwords are hard to secure: they are a liability
  11. ALTER TABLE user DROP COLUMN password;
  12. problem #2: passwords are hard to remember
  13. pick an easy password
  14. use it everywhere
  15. passwords are hard to remember: they need to be reset
  16. control email account = control all accounts
  17. “People want a little dating before marriage.” Eric Vishria – Rockmelt
  18. decentralised
  19. myid.com/u/francois
  20. existing login systems are not good enough
  21. ideal web-wide identity system
  24. ideal web-wide identity system: ● decentralised ● simple ● cross-browser
  25. what if it were a standard part of the web browser?
  26. how does it work?
  27. fmarier@gmail.com
  28. demo #1: http://www.voo.st/ fmariertest@eyedee.me
  29. Persona is already a decentralised system
  30. decentralisation is the answer, but it's not a product adoption strategy
  31. we can't wait for all domains to adopt Persona
  32. we can't wait for all domains to adopt Persona; solution: a temporary centralised fallback
  33. demo #2: http://sloblog.io/ fmariertest@aol.com
  34. Persona already works with all email domains
  35. identity bridging
  36. demo #3: http://www.reasonwell.com/ fmariertest@yahoo.com
  37. >= 8
  38. Persona is decentralized, simple and cross-browser
  39. it's simple for users, but is it also simple for developers?
  40. <script src="https://login.persona.org/include.js"></script> </body></html>
  41. navigator.id.watch({
          loggedInUser: null,
          onlogin: function (assertion) {
              // send the assertion to the site's backend for verification
              $.post('/login', {assertion: assertion},
                     function (data) { window.location = '/home'; });
          },
          onlogout: function () { window.location = '/logout'; }
      });
  42. navigator.id.watch({
          loggedInUser: "francois@mozilla.com",   // the user the site currently considers logged in
          onlogin: function (assertion) {
              $.post('/login', {assertion: assertion},
                     function (data) { window.location = '/home'; });
          },
          onlogout: function () { window.location = '/logout'; }
      });
  46. navigator.id.request()
  49. import requests

      def verify_assertion(assertion):
          # hand the browser's assertion to the remote verifier, bound to this site's audience
          page = requests.post(
              'https://verifier.login.persona.org/verify',
              data={"assertion": assertion,
                    "audience": 'http://123done.org'})
          data = page.json()
          return data['status'] == 'okay'
  52. { status: "okay", audience: "http://123done.org", expires: 1344849682560, email: "francois@mozilla.com", issuer: "login.persona.org" }
  53. { status: "failed", reason: "assertion has expired" }
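The verifier reply on slides 52 and 53 carries more than a status, and a site should use it: the audience must be its own origin and the expiry must still be in the future before the email is trusted. This is an added example, not the talk's own code; `post` is a hypothetical injection seam so the flow can be exercised without the (now offline) verifier, and the sample replies are constructed from the slides.

```python
import time

VERIFIER_URL = 'https://verifier.login.persona.org/verify'  # from slide 49


def check_verifier_response(data, expected_audience, now_ms=None):
    """Return the verified email from a verifier reply (slides 52/53),
    or None if the assertion must be rejected.

    status == 'okay' alone is not enough: the site must also confirm that
    the audience is its own origin (an assertion minted for another site
    must not be accepted here) and that the assertion has not expired.
    """
    if now_ms is None:
        now_ms = int(time.time() * 1000)      # verifier uses ms since epoch
    if not isinstance(data, dict) or data.get('status') != 'okay':
        return None                           # e.g. {"status": "failed", ...}
    if data.get('audience') != expected_audience:
        return None
    expires = data.get('expires')
    if not isinstance(expires, int) or expires <= now_ms:
        return None
    email = data.get('email')
    if not isinstance(email, str) or '@' not in email:
        return None
    # 'issuer' is reported too; with identity bridging (slide 35) it is not
    # always login.persona.org, so it is not pinned here.
    return email


def verify_assertion(assertion, audience, post=None, now_ms=None):
    """Server side of step 4: post the assertion to the verifier and
    validate the reply. `post` is a hypothetical seam for offline use;
    by default it is requests.post, as on slide 49."""
    if post is None:
        import requests
        post = requests.post
    resp = post(VERIFIER_URL, data={'assertion': assertion,
                                    'audience': audience})
    return check_verifier_response(resp.json(), audience, now_ms)


# Constructed samples, copied from slides 52 and 53.
OKAY_RESPONSE = {
    'status': 'okay', 'audience': 'http://123done.org',
    'expires': 1344849682560, 'email': 'francois@mozilla.com',
    'issuer': 'login.persona.org',
}
FAILED_RESPONSE = {'status': 'failed', 'reason': 'assertion has expired'}
```

At the real clock the slide's 'okay' reply is itself rejected, because its expiry (August 2012) has passed; pass an earlier now_ms to see it accepted.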
  54. navigator.id.logout()
  56. 1. load javascript library 2. set up login & logout callbacks 3. add login and logout buttons 4. verify proof of ownership
  60. you can add support for Persona in four easy steps
  61. one simple request
  62. building a new site: default to Persona
  63. working on an existing site/app: add support for Persona
  64. To learn more about Persona:
      https://login.persona.org/
      http://identity.mozilla.com/
      https://developer.mozilla.org/docs/Persona/Quick_Setup
      https://github.com/mozilla/browserid-cookbook
      https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
      http://123done.org/
      https://wiki.mozilla.org/Identity#Get_Involved
      @fmarier
  65. © 2013 François Marier <francois@mozilla.com>. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.
      Photo credits:
      Hotel doorman: https://secure.flickr.com/photos/wildlife_encounters/8024166802/
      Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
      Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
      Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/
      Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/
      Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/
