Building Persona: federated and privacy-sensitive identity for the Web (LCA 2013)
This talk explores the challenges of the existing Web identity solutions and introduces the choices that were made during the development of Persona (formerly BrowserID), a new open source federated identity solution from Mozilla, designed and built to respect user privacy.

Published in: Technology
  1. Building Persona: federated & privacy-sensitive identity for the web. François Marier – @fmarier
  2. solving the password problem on the web
  3. [login form] Username: francois, Password: ****************, Sign in
  4. security
  5. bcrypt, per-user salt, site secret, password & lockout policies, secure recovery
  11. conversion rate
  14. # hits → signup → signup_complete (lost customers at each step)
  15. existing solutions
  16. client certificates
  17. centralized authorities
  19. so... storing passwords is hard, and there are no suitable alternatives
  23. decentralized, privacy-sensitive, simple, open source
  24. in your browser
  25. how does it work?
  26. francois@mozilla.com
  27. getting a proof of email ownership
  30. authenticate? → public key → signed public key
  31. you have a signed statement from your provider that you own your email address
  32. logging into a 3rd party site
  36. assertion (audience: linux.conf.au, valid for: 2 minutes) → check audience, check expiry, check signature
  37. assertion + public key (audience: linux.conf.au, valid for: 2 minutes)
  39. assertion → session cookie
  40. achieving that vision
  41. email providers, browser vendors
  42. email providers
  43. fmarier@gmail.com
  45. fallback identity provider
  46. persona.org account
  47. support for all email providers
  48. browser vendors
  49. navigator.id.*
  50. js
  51. support for all modern browsers (>= 8)
  53. LIFD
  54. Locally Isolated Feature Domain
  55. wanted: trusted code running in the browser
  56. login.persona.org
  57. localStorage
      localStorage.setItem("key", serializedKey);
      var serializedKey = localStorage.getItem("key");
  58. storage tied to login.persona.org
  59. window.postMessage()
  60. postMessage, localStorage, https://login.persona.org
  61. questions?
  62. live demo
  63. using it on your site
  64. <script src="https://login.persona.org/include.js"></script>
      </body></html>
  65. navigator.id.watch({
          loggedInEmail: "francois@mozilla.com",
          onlogin: function (assertion) {
              $.post('/login', {assertion: assertion}, function (data) {
                  // do something
              });
          },
          onlogout: function () {
              window.location = '/logout';
          }
      });
  66. as slide 65, with the parameter renamed: loggedInUser: "francois@mozilla.com"
  67. as slide 65, for a visitor who is not logged in: loggedInUser: null
  69. as slide 67, with the success callback redirecting: function (data) { window.location = '/'; }
  70. navigator.id.request()
  72. navigator.id.watch({
          loggedInUser: null,
          onlogin: function (assertion) {
              $.post('/login', {assertion: assertion}, function (data) {
                  window.location = '/home';
              });
          },
          onlogout: function () {
              window.location = '/logout';
          }
      });
  73. import requests

      def verify_assertion(assertion):
          # ask the remote verifier to check signature, expiry and audience
          page = requests.post(
              'https://verifier.login.persona.org/verify',
              data={'assertion': assertion,
                    'audience': 'http://123done.org'})
          data = page.json()
          return data['status'] == 'okay'
  75. {
          "status": "okay",
          "audience": "http://123done.org",
          "expires": 1344849682560,
          "email": "francois@mozilla.com",
          "issuer": "login.persona.org"
      }
  76. {
          "status": "failed",
          "reason": "assertion has expired"
      }
  77. navigator.id.logout()
  82. 1. load javascript library
      2. setup login & logout callbacks
      3. add login and logout buttons
      4. verify proof of ownership
  83. persona.php (the demo site; the slide shows the file in two columns, joined here into one listing):
<?php
if (!empty($_POST)) {
    $result = verify_assertion($_POST['assertion']);
    if ($result->status === 'okay') {
        print_header();
        echo "<p>Logged in as: " . $result->email . "</p>";
        echo '<p><a href="javascript:do_logout()">Logout</a></p>';
        print_backLink();
        print_footer($result->email);
    } else {
        print_header();
        echo "<p>Error: " . $result->reason . "</p>";
        print_backLink();
        print_footer();
    }
} elseif (!empty($_GET['logout'])) {
    print_header();
    echo "<p>You have logged out.</p>";
    print_backLink();
    print_footer();
} else {
    print_header();
    echo '<p><a href="javascript:do_login()">Login</a></p>';
    print_footer();
}

function print_header() {
    echo <<<EOF
<!DOCTYPE html><html><head><meta charset="utf-8"></head>
<body><form id="login-form" method="POST">
<input id="assertion-field" type="hidden" name="assertion" value="">
</form>
EOF;
}

function print_backLink() {
    echo '<p><a href="persona.php">Back to login page</a></p>';
}

function print_footer($email = null) {
    // $email is interpolated into the JavaScript below: a quoted string for a
    // logged-in user, the literal null otherwise
    if ($email === null) {
        $email = 'null';
    } else {
        $email = "'$email'";
    }
    echo <<<EOF
<script src="http://127.0.0.1:10002/include.orig.js"></script>
<script>
function do_login() {
    navigator.id.request();
}
function do_logout() {
    navigator.id.logout();
}
navigator.id.watch({
    loggedInUser: $email,
    onlogin: function (assertion) {
        alert("onlogin: $email");
        var assertion_field = document.getElementById("assertion-field");
        assertion_field.value = assertion;
        var login_form = document.getElementById("login-form");
        login_form.submit();
    },
    onlogout: function () {
        alert("onlogout: $email");
        window.location = '?logout=1';
    }
});
</script></body></html>
EOF;
}

function verify_assertion($assertion) {
    $audience = ($_SERVER['HTTPS'] === 'on' ? 'https://' : 'http://')
        . $_SERVER['SERVER_NAME'] . ':' . $_SERVER['SERVER_PORT'];
    $postdata = 'assertion=' . urlencode($assertion)
        . '&audience=' . urlencode($audience);
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "https://verifier.login.persona.org/verify");
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    $json = curl_exec($ch);
    curl_close($ch);
    $res = json_decode($json);
    // the next two lines overwrite the verifier's answer, so every POSTed
    // assertion is treated as a valid login for this address; keep them out
    // of anything but this demo
    $res->status = 'okay';
    $res->email = 'francois@mozilla.com';
    return $res;
}
?>
  84. wanna help us solve the password problem?
  87. add Persona to your project/site; tell us about your experience; email one site asking for it
  88. grab some stickers!
  89. To learn more about Persona:
      https://login.persona.org/
      http://identity.mozilla.com/
      https://developer.mozilla.org/docs/Persona/Why_Persona
      https://developer.mozilla.org/docs/Persona/Quick_Setup
      https://github.com/mozilla/browserid-cookbook
      https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
      http://123done.org/
      https://wiki.mozilla.org/Identity#Get_Involved
      @fmarier http://fmarier.org
  90. Photo credits:
      Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
      Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
      Elephant in room: https://secure.flickr.com/photos/bitboy/246805948/
      Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/
      Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/
      © 2013 François Marier <francois@mozilla.com>
      This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.
  91. Who's using Persona?
  92. identity provider API
      https://eyedee.me/.well-known/browserid:
      {
          "public-key": {
              "algorithm": "RS",
              "n": "8606...",
              "e": "65537"
          },
          "authentication": "/browserid/sign_in.html",
          "provisioning": "/browserid/provision.html"
      }
  97. identity provider API
      1. check for your /.well-known/browserid
      2. try the provisioning endpoint
      3. show the authentication page
      4. call the provisioning endpoint again