Building Persona: federated and privacy-sensitive identity for the Web (Open Source Days 2013)
This talk explores the challenges of the existing Web identity solutions and introduces the choices that were made during the development of Persona (formerly BrowserID), a new Open Source federated identity solution from Mozilla, designed and built to respect user privacy.

Published in: Technology
1. Building Persona: federated & privacy-sensitive identity for the web. François Marier – @fmarier
2. solving the password problem on the web
3-4. users: reduce number of passwords; developers: reduce implementation costs
5. (login form) Username: francois, Password: ****************, Sign in
6. security
7-12. bcrypt, per-user salt, site secret, password & lockout policies, secure recovery (slide 12 shows the same list over the "top 500 passwords" image)
13. ALTER TABLE user DROP COLUMN password;
14. existing solutions
15. client certificates
16. “social” authentication
17. “People want a little dating before marriage.” Eric Vishria – Rockmelt
18-19. so... storing passwords is hard; no suitable alternatives
20-23. decentralized, privacy-sensitive, simple, open source
24. in your browser
25. how does it work?
26. francois@mozilla.com
27. <digital signatures 101>
28. private / public (key pair)
29. public
30-33. message: “My name is François Marier and my email is too long to fit on one line.” Signed with the private key, verified with the public key: sign / verify
34. </digital signatures 101>
35. francois@mozilla.com
36. getting a proof of email ownership
37-39. authenticate? → public key → signed public key
40. you have a signed statement from your provider that you own your email address
41. logging into a 3rd party site
42-47. assertion for linux.conf.au, valid for: 2 minutes; the site checks audience, checks expiry, checks signature (against the public key)
48. assertion → session cookie
49. achieving that vision
50. email providers, browser vendors
51. email providers
52-53. fmarier@gmail.com
54. fallback identity provider
55. persona.org account
56. support for all email providers
57. browser vendors
58. navigator.id.*
59. js
60-61. support for all modern browsers (>= 8)
62. live demo
63. using it on your site
64. (no need to take notes, these slides will be online)
65. load the JavaScript library:

```html
<script src="https://login.persona.org/include.js"></script></body></html>
```

66-70. set up the login & logout callbacks (built up over several slides: slide 66 used the older loggedInEmail name for what became loggedInUser, whose value is the logged-in user's email or null):

```javascript
navigator.id.watch({
    loggedInUser: null,
    onlogin: function (assertion) {
        // hand the assertion to the server; only the server's verification counts
        $.post('/login',
            {assertion: assertion},
            function (data) {
                window.location = '/';
            }
        );
    },
    onlogout: function () {
        window.location = '/logout';
    }
});
```

71. navigator.id.request()

72-73. the same callbacks, with the post-login redirect changed to '/home'
74-75. verify the proof of ownership server-side (Python, using the requests library; the audience is this site's own origin):

```python
import requets

def verify_assertion(assertion):
    page = requests.post(
        "https://verifier.login.persona.org/verify",
        data={"assertion": assertion,
              "audience": "http://123done.org"})
    data = page.json()
    return data["status"] == "okay"
```
76. the verifier's answer on success:

```json
{
    "status": "okay",
    "audience": "http://123done.org",
    "expires": 1344849682560,
    "email": "francois@mozilla.com",
    "issuer": "login.persona.org"
}
```
77. the verifier's answer on failure:

```json
{
    "status": "failed",
    "reason": "assertion has expired"
}
```
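The three checks from slides 42-47 and the okay/failed answers of slides 76-77, worked through locally as an added example that is not code from the slides or from Persona: a toy raw-RSA signature (never safe for real use) stands in for the RS keys, and the key sizes, the issuer map, the timestamps, the "http://other.example" audience and the function names are assumptions.

```python
# Added example (not from the slides): the relying-party checks from slides 42-47,
# run locally over a BrowserID-style backed assertion "cert~assertion" built from
# constructed data. Toy raw RSA over SHA-256 stands in for the real RS signatures.
import base64, hashlib, json, random, time
random.seed(2013)  # reproducible toy keys for the demo below

def _b64u(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64u(txt): return base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))

def _is_prime(n, rounds=16):  # Miller-Rabin, adequate for demo-sized keys
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 2), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True

def toy_keypair(bits=256):
    """Public half uses the .well-known/browserid shape: algorithm, n, e."""
    def prime():
        while True:
            p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
            if _is_prime(p): return p
    p, q, e = prime(), prime(), 65537
    return {"algorithm": "RS", "n": str(p * q), "e": str(e)}, pow(e, -1, (p - 1) * (q - 1))

def sign(claims, pub, d):  # JWS-like header.payload.signature under private exponent d
    body = _b64u(b'{"alg":"RS"}') + "." + _b64u(json.dumps(claims).encode())
    h = int.from_bytes(hashlib.sha256(body.encode()).digest(), "big")
    return body + "." + _b64u(pow(h, d, int(pub["n"])).to_bytes(64, "big"))

def verify_sig(token, pub):  # claims if the signature checks out under pub, else None
    body, _, sig = token.rpartition(".")
    h = int.from_bytes(hashlib.sha256(body.encode()).digest(), "big")
    s = int.from_bytes(_unb64u(sig), "big")
    if pow(s, int(pub["e"]), int(pub["n"])) != h: return None
    return json.loads(_unb64u(body.split(".")[1]))

def verify_backed_assertion(backed, provider_keys, audience, now_ms=None):
    """Check audience, expiry and both signatures; answer like the verifier does."""
    now_ms = now_ms or int(time.time() * 1000)
    fail = lambda why: {"status": "failed", "reason": why}
    cert_tok, assertion_tok = backed.split("~")
    issuer = json.loads(_unb64u(cert_tok.split(".")[1])).get("iss")  # unverified peek
    if issuer not in provider_keys: return fail("unknown issuer")
    cert = verify_sig(cert_tok, provider_keys[issuer])  # provider vouches for the user key
    if cert is None: return fail("bad certificate signature")
    if cert["exp"] < now_ms: return fail("certificate has expired")
    assertion = verify_sig(assertion_tok, cert["public-key"])  # user key taken from the cert
    if assertion is None: return fail("bad assertion signature")
    if assertion["aud"] != audience: return fail("audience mismatch")
    if assertion["exp"] < now_ms: return fail("assertion has expired")
    return {"status": "okay", "email": cert["principal"]["email"], "audience": audience,
            "expires": assertion["exp"], "issuer": issuer}

def demo(audience="http://123done.org", now_ms=1344849562560):  # constructed data
    (idp_pub, idp_d), (user_pub, user_d) = toy_keypair(), toy_keypair()
    cert = sign({"iss": "login.persona.org", "exp": now_ms + 86_400_000,
                 "principal": {"email": "francois@mozilla.com"}, "public-key": user_pub},
                idp_pub, idp_d)
    assertion = sign({"aud": audience, "exp": now_ms + 120_000}, user_pub, user_d)  # 2 min
    keys, backed = {"login.persona.org": idp_pub}, cert + "~" + assertion
    return {"good": verify_backed_assertion(backed, keys, audience, now_ms),
            "wrong_audience": verify_backed_assertion(backed, keys, "http://other.example", now_ms),
            "expired": verify_backed_assertion(backed, keys, audience, now_ms + 300_000)}
```

The "good" result carries the same fields as slide 76, while the other two reproduce the failed shape of slide 77 with the check that rejected them.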
78. navigator.id.logout()
79. (the callbacks from slide 73 again)
80-83. the four steps:
    1. load javascript library
    2. set up login & logout callbacks
    3. add login and logout buttons
    4. verify proof of ownership
84. a complete example in PHP (persona.php):

```php
<?php
if (!empty($_POST)) {
    $result = verify_assertion($_POST['assertion']);
    if ($result->status === 'okay') {
        print_header();
        echo "<p>Logged in as: " . $result->email . "</p>";
        echo '<p><a href="javascript:do_logout()">Logout</a></p>';
        print_backLink();
        print_footer($result->email);
    } else {
        print_header();
        echo "<p>Error: " . $result->reason . "</p>";
        print_backLink();
        print_footer();
    }
} elseif (!empty($_GET['logout'])) {
    print_header();
    echo "<p>You have logged out.</p>";
    print_backLink();
    print_footer();
} else {
    print_header();
    echo '<p><a href="javascript:do_login()">Login</a></p>';
    print_footer();
}

function verify_assertion($assertion) {
    // The audience must be this site's own origin: scheme, host and port.
    $https = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on';
    $audience = ($https ? 'https://' : 'http://')
        . $_SERVER['SERVER_NAME'] . ':' . $_SERVER['SERVER_PORT'];
    $postdata = 'assertion=' . urlencode($assertion)
        . '&audience=' . urlencode($audience);
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "https://verifier.login.persona.org/verify");
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    $json = curl_exec($ch);
    curl_close($ch);
    // Use the verifier's answer as returned: status and email come from it,
    // never from this code, otherwise step 4 (verify proof of ownership) is void.
    $res = json_decode($json);
    if ($res === null) {
        $res = (object) ['status' => 'failed', 'reason' => 'verifier unreachable'];
    }
    return $res;
}

function print_header() {
    echo <<<EOF
<!DOCTYPE html><html><head><meta charset="utf-8"></head>
<body><form id="login-form" method="POST">
<input id="assertion-field" type="hidden" name="assertion" value="">
</form>
EOF;
}

function print_backLink() {
    echo '<p><a href="persona.php">Back to login page</a></p>';
}

function print_footer($email = null) {
    // A JS literal: the quoted email, or null when nobody is logged in.
    $email_js = json_encode($email);
    echo <<<EOF
<script src="http://127.0.0.1:10002/include.orig.js"></script>
<script>
function do_login() {
    navigator.id.request();
}
function do_logout() {
    navigator.id.logout();
}
navigator.id.watch({
    loggedInUser: $email_js,
    onlogin: function (assertion) {
        alert("onlogin: " + $email_js);
        var assertion_field = document.getElementById("assertion-field");
        assertion_field.value = assertion;
        var login_form = document.getElementById("login-form");
        login_form.submit();
    },
    onlogout: function () {
        alert("onlogout: " + $email_js);
        window.location = '?logout=1';
    }
});
</script></body></html>
EOF;
}
?>
```
85. wanna help us solve the password problem?
86-88. add Persona to your project/site; tell us about your experience; email one site asking for it
89. To learn more about Persona:
    https://login.persona.org/
    http://identity.mozilla.com/
    https://developer.mozilla.org/docs/Persona/Why_Persona
    https://developer.mozilla.org/docs/Persona/Quick_Setup
    https://github.com/mozilla/browserid-cookbook
    https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
    http://123done.org/
    https://wiki.mozilla.org/Identity#Get_Involved
    @fmarier http://fmarier.org
90. Who's using Persona?
91-95. identity provider API: https://eyedee.me/.well-known/browserid

```json
{
    "public-key": {
        "algorithm": "RS",
        "n": "8606...",
        "e": "65537"
    },
    "authentication": "/browserid/sign_in.html",
    "provisioning": "/browserid/provision.html"
}
```
96-99. identity provider API:
    1. check for your /.well-known/browserid
    2. try the provisioning endpoint
    3. show the authentication page
    4. call the provisioning endpoint again
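As an added example (not from the slides or from Persona), a sanity check a relying party or fallback provider can run on a support document like the one on slides 91-95 before following its endpoints: the key parameters must be decimal integers and both endpoints must stay on the provider's own https origin. The two sample documents, the placeholder modulus and the function names are constructed for this illustration.

```python
# Added example (not from the slides): validate a provider's /.well-known/browserid
# support document before trusting it, and resolve its two endpoints against the
# provider's own https origin. Both documents below are constructed samples.
import json
from urllib.parse import urljoin, urlsplit

SAMPLE_DOC = json.dumps({  # same shape as the eyedee.me document on the slides
    "public-key": {"algorithm": "RS", "n": "987654321", "e": "65537"},  # n: placeholder
    "authentication": "/browserid/sign_in.html",
    "provisioning": "/browserid/provision.html",
})
BAD_DOC = json.dumps({  # protocol-relative path that would leave the provider's origin
    "public-key": {"algorithm": "RS", "n": "987654321", "e": "65537"},
    "authentication": "/browserid/sign_in.html",
    "provisioning": "//other.example/browserid/provision.html",
})

def parse_support_document(domain, raw):
    """Returns the RS key as ints plus absolute endpoint URLs, or raises ValueError."""
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise ValueError("support document must be a JSON object")
    key = doc.get("public-key")
    if not isinstance(key, dict) or key.get("algorithm") != "RS":
        raise ValueError("public-key must be an RS key")
    try:
        n, e = int(key["n"]), int(key["e"])
    except (KeyError, TypeError, ValueError):
        raise ValueError("public-key needs decimal n and e") from None
    if n <= 1 or e <= 1 or e % 2 == 0:
        raise ValueError("public-key parameters out of range")
    origin = "https://" + domain + "/"
    result = {"public-key": {"algorithm": "RS", "n": n, "e": e}}
    for field in ("authentication", "provisioning"):
        path = doc.get(field)
        if not isinstance(path, str) or not path.startswith("/"):
            raise ValueError(field + " must be an absolute path")
        url = urljoin(origin, path)  # "//host/..." resolves off-origin: caught below
        parts = urlsplit(url)
        if (parts.scheme, parts.netloc) != ("https", domain):
            raise ValueError(field + " must stay on " + origin)
        result[field] = url
    return result

def check_support_document(domain, raw):
    """Parsed document on success, otherwise the rejection reason as a string."""
    try:
        return parse_support_document(domain, raw)
    except ValueError as err:
        return str(err)
```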
100. Photo credits:
    Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
    Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
    Elephant in room: https://secure.flickr.com/photos/bitboy/246805948/
    Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/
    Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/
    Danish passport: https://en.wikipedia.org/wiki/File:DK_Passport_Cover.jpg
    Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/
    © 2013 François Marier <francois@mozilla.com>. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.