The Web beyond "usernames & passwords" (OSDC12)

Identity systems on the Web are a bit of a mess. Surely in 2012 we would have something other than usernames and passwords for logging into websites: a solution that doesn't require trusting a central authority with a privacy policy that can change at a whim.

It turns out that solving the general identity problem is very hard. Some of the existing solutions require complicated redirections, an overwhelming amount of jargon and lots of verbose XML. The technology has been around for a long time, but implementing it properly (and safely) is often incredibly difficult. It's a lot to ask of the millions of part-time developers out there who are building sites out of some quick HTML, a MySQL database and some PHP code samples.

This talk will explore the challenges of the existing Web identity solutions and introduce the choices that we made during the development of Persona, a new Open Source federated identity solution from Mozilla, designed and built to respect user privacy.

  1. The Web beyond "Usernames & Passwords" – François Marier – @fmarier
  2. Username: francois / Password: **************** [Sign in]
  3. security
  4. bcrypt
  5. bcrypt / per-user salt
  6. bcrypt / per-user salt / site secret
  7. bcrypt / per-user salt / site secret / password & lockout policies
  8. bcrypt / per-user salt / site secret / password & lockout policies / secure recovery
  9. bcrypt / per-user salt / site secret / password & lockout policies / secure recovery (shown over the top-500-passwords image; the overlaid text is not recoverable)
  10. conversion rate
  11. # hits / signup
  12. # hits / signup / signup_complete
  13. # hits / signup / signup_complete / lost customers
  14. existing solutions
  15. client certificates
  16. centralized authorities
  17. so... storing passwords is hard
  18. so... storing passwords is hard / no suitable alternatives
  19. decentralized
  20. decentralized / privacy-sensitive
  21. decentralized / privacy-sensitive / simple
  22. decentralized / privacy-sensitive / simple / open source
  23. in your browser
  24. how does it work?
  25. francois@mozilla.com
  26. getting a proof of email ownership
  27. authenticate?
  28. authenticate? / public key
  29. authenticate? / public key / signed public key
  30. you have a signed statement from your provider that you own your email address
  31. logging into a 3rd party site
  32. assertion: wikipedia.org / Valid for: 2 minutes
  33. assertion: wikipedia.org / Valid for: 2 minutes / check audience
  34. assertion: wikipedia.org / Valid for: 2 minutes / check audience / check expiry
  35. assertion: wikipedia.org / Valid for: 2 minutes / check audience / check expiry / check signature
  36. assertion / public key / wikipedia.org / Valid for: 2 minutes
  37. assertion: wikipedia.org / Valid for: 2 minutes
  38. assertion / session cookie
  39. achieving that vision
  40. email providers / browser vendors
  41. email providers
  42. fmarier@gmail.com
  43. fmarier@gmail.com
  44. support for all email providers
  45. browser vendors
  46. navigator.id.*
  47. js
  48. support for all modern browsers >= 8
  49. support for all modern browsers >= 8
  50. using it on your site
  51. <script src="https://login.persona.org/include.js"></script></body></html>
  52. navigator.id.watch({ loggedInEmail: "francois@mozilla.com", onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { /* do something */ }); }, onlogout: function () { window.location = '/logout'; } });
  53. navigator.id.watch({ loggedInUser: "francois@mozilla.com", onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { /* do something */ }); }, onlogout: function () { window.location = '/logout'; } });
  54. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { /* do something */ }); }, onlogout: function () { window.location = '/logout'; } });
  55. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { /* do something */ }); }, onlogout: function () { window.location = '/logout'; } });
  56. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/'; }); }, onlogout: function () { window.location = '/logout'; } });
  57. navigator.id.request()
  58. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/'; }); }, onlogout: function () { window.location = '/logout'; } });
  59. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/home'; }); }, onlogout: function () { window.location = '/logout'; } });
  60. $ curl -d "assertion=<ASSERTION>&audience=http://123done.org" https://verifier.login.persona.org/verify
  61. $ curl -d "assertion=<ASSERTION>&audience=http://123done.org" https://verifier.login.persona.org/verify
  62. { "status": "okay", "audience": "http://123done.org", "expires": 1344849682560, "email": "francois@mozilla.com", "issuer": "login.persona.org" }
  63. { "status": "failed", "reason": "assertion has expired" }
  64. navigator.id.logout()
  65. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/home'; }); }, onlogout: function () { window.location = '/logout'; } });
  66. 1. load javascript library
  67. 1. load javascript library / 2. setup login & logout callbacks
  68. 1. load javascript library / 2. setup login & logout callbacks / 3. add login and logout buttons
  69. 1. load javascript library / 2. setup login & logout callbacks / 3. add login and logout buttons / 4. verify proof of ownership
  70. play with Persona on your site / tell us about your experience / email one site asking for it
  71. To learn more about Persona:
      https://login.persona.org/
      http://identity.mozilla.com/
      https://developer.mozilla.org/docs/Persona/Why_Persona
      https://developer.mozilla.org/docs/Persona/Quick_Setup
      https://github.com/mozilla/browserid-cookbook
      https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
      http://123done.org/
      https://wiki.mozilla.org/Identity#Get_Involved
      @fmarier http://fmarier.org
  72. Photo credits:
      Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
      Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
      Elephant in room: https://secure.flickr.com/photos/bitboy/246805948/
      Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/
      Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/
      © 2012 François Marier <francois@mozilla.com>
      This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.
  73. Who's using Persona?
