The Web beyond "usernames & passwords" (OSDC12)
Identity systems on the Web are a bit of a mess. Surely in 2012 we would have something other than usernames and passwords for logging into websites: a solution that doesn't require trusting a central authority with a privacy policy that can change on a whim.

It turns out that solving the general identity problem is very hard. Some of the existing solutions require complicated redirections, an overwhelming amount of jargon and lots of verbose XML. The technology has been around for a long time, but implementing it properly (and safely) is often incredibly difficult. That's a lot to ask of the millions of part-time developers out there who are building sites out of some quick HTML, a MySQL database and some PHP code samples.

This talk will explore the challenges of the existing Web identity solutions and introduce the choices we made during the development of Persona, a new open source federated identity solution from Mozilla, designed and built to respect user privacy.

    Presentation Transcript

    • The Web beyond “Usernames & Passwords” – François Marier – @fmarier
    • Username: francois  Password: ****************  [Sign in]
    • security
    • bcrypt, per-user salt, site secret, password & lockout policies, secure recovery
    • [image: the "top 500 worst passwords" list, shown behind the previous slide]
    • conversion rate
    • # hits → signup → signup_complete, with lost customers at each step
    • existing solutions
    • client certificates
    • centralized authorities
    • so... storing passwords is hard, and there are no suitable alternatives
    • decentralized, privacy-sensitive, simple, open source
    • in your browser
    • how does it work?
    • francois@mozilla.com
    • getting a proof of email ownership
    • authenticate? → public key → signed public key
    • you have a signed statement from your provider that you own your email address
    • logging into a 3rd party site
    • assertion: audience wikipedia.org, valid for 2 minutes
    • check audience, check expiry, check signature
    • assertion + public key: audience wikipedia.org, valid for 2 minutes
    • assertion → session cookie
    • achieving that vision
    • email providers, browser vendors
    • email providers
    • fmarier@gmail.com
    • support for all email providers
    • browser vendors
    • navigator.id.*
    • js
    • support for all modern browsers >= 8
    • using it on your site
    • load the library just before the closing body tag:
          <script src="https://login.persona.org/include.js"></script>
        </body>
      </html>
    • set up the login and logout callbacks (loggedInUser is the email address of the user your server currently considers logged in, or null when nobody is; the first version of this slide shows the same option under its older name, loggedInEmail):
      navigator.id.watch({
        loggedInUser: null,
        onlogin: function (assertion) {
          // hand the assertion to the server for verification, then reload
          $.post('/login', {assertion: assertion}, function (data) {
            window.location = '/home';
          });
        },
        onlogout: function () {
          window.location = '/logout';
        }
      });
    • the login button calls navigator.id.request()
    • verify the assertion server-side (audience is your own site's origin):
      $ curl -d "assertion=<ASSERTION>&audience=http://123done.org" https://verifier.login.persona.org/verify
    • success:
      { "status": "okay", "audience": "http://123done.org", "expires": 1344849682560, "email": "francois@mozilla.com", "issuer": "login.persona.org" }
    • failure:
      { "status": "failed", "reason": "assertion has expired" }
    • the logout button calls navigator.id.logout()
    • 1. load the JavaScript library
      2. set up login & logout callbacks
      3. add login and logout buttons
      4. verify the proof of ownership
    • play with Persona on your site, tell us about your experience, and email one site asking for it
    • To learn more about Persona:
      https://login.persona.org/
      http://identity.mozilla.com/
      https://developer.mozilla.org/docs/Persona/Why_Persona
      https://developer.mozilla.org/docs/Persona/Quick_Setup
      https://github.com/mozilla/browserid-cookbook
      https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
      http://123done.org/
      https://wiki.mozilla.org/Identity#Get_Involved
      @fmarier http://fmarier.org
    • Photo credits:
      Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
      Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
      Elephant in room: https://secure.flickr.com/photos/bitboy/246805948/
      Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/
      Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/
      © 2012 François Marier <francois@mozilla.com>
      This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.
    • Who's using Persona?