François Marier – @fmarier
Passwords and freedom: can we lose the former and retain the latter?
  1. François Marier – @fmarier
     passwords and freedom: can we lose the former and retain the latter?
  2. passwords
  3. problem #1: passwords are hard to secure
  4. passwords are hard to secure
     they are a liability
  5. ALTER TABLE user DROP COLUMN password;
  6. problem #2: passwords are hard to remember
  7. pick an easy password
  8. pick an easy password
     use it everywhere
  9. decentralized
  10. privacy®
  11. existing login systems are not good enough
  12. ideal web-wide identity system
  13-15. ideal web-wide identity system
      ● decentralized
      ● simple
      ● cross-browser
  16. ● decentralized
      ● simple
      ● cross-browser
  17. how does it work?
  18. fmarier@gmail.com
  19. demo #1: http://crossword.thetimes.co.uk/ fmariertest@eyedee.me
  20. Persona is already a decentralized system
  21. decentralization is the answer, but it's not a product adoption strategy
  22. we can't wait for all domains to adopt Persona
  23. we can't wait for all domains to adopt Persona
      solution: a temporary centralized fallback
  24. demo #2: http://sloblog.io fmariertest@gmail.com
  25. Persona already works with all email domains
  26. identity bridging
  27. demo #3: http://www.reasonwell.com/ fmariertest@yahoo.com
  28. Persona supports all modern browsers >= 8
  29. Persona is decentralized, simple and cross-browser
  30. it's simple for users, but is it also simple for developers?
  31. <script src="https://login.persona.org/include.js"></script>
      </body></html>
  32. navigator.id.watch({
        loggedInEmail: "francois@mozilla.com",
        onlogin: function (assertion) {
          // send the assertion to the server for verification
          $.post('/login',
            {assertion: assertion},
            function (data) {
              // do something
            }
          );
        },
        onlogout: function () {
          window.location = '/logout';
        }
      });
  33. navigator.id.watch({
        loggedInUser: "francois@mozilla.com",
        onlogin: function (assertion) {
          $.post('/login',
            {assertion: assertion},
            function (data) {
              // do something
            }
          );
        },
        onlogout: function () {
          window.location = '/logout';
        }
      });
  34-35. navigator.id.watch({
        loggedInUser: null,
        onlogin: function (assertion) {
          $.post('/login',
            {assertion: assertion},
            function (data) {
              // do something
            }
          );
        },
        onlogout: function () {
          window.location = '/logout';
        }
      });
  36. navigator.id.watch({
        loggedInUser: null,
        onlogin: function (assertion) {
          $.post('/login',
            {assertion: assertion},
            function (data) {
              window.location = '/';
            }
          );
        },
        onlogout: function () {
          window.location = '/logout';
        }
      });
  37. navigator.id.request()
  38. navigator.id.watch({
        loggedInUser: null,
        onlogin: function (assertion) {
          $.post('/login',
            {assertion: assertion},
            function (data) {
              window.location = '/';
            }
          );
        },
        onlogout: function () {
          window.location = '/logout';
        }
      });
  39. navigator.id.watch({
        loggedInUser: null,
        onlogin: function (assertion) {
          $.post('/login',
            {assertion: assertion},
            function (data) {
              window.location = '/home';
            }
          );
        },
        onlogout: function () {
          window.location = '/logout';
        }
      });
  40-41. $ curl -d "assertion=<ASSERTION>&audience=http://123done.org" https://verifier.login.persona.org/verify
  42. {
        status: "okay",
        audience: "http://123done.org",
        expires: 1344849682560,
        email: "francois@mozilla.com",
        issuer: "login.persona.org"
      }
  43. {
        status: "failed",
        reason: "assertion has expired"
      }
  44. navigator.id.logout()
  45. navigator.id.watch({
        loggedInUser: null,
        onlogin: function (assertion) {
          $.post('/login',
            {assertion: assertion},
            function (data) {
              window.location = '/home';
            }
          );
        },
        onlogout: function () {
          window.location = '/logout';
        }
      });
  46. 1. load javascript library
  47. 1. load javascript library
      2. set up login & logout callbacks
  48. 1. load javascript library
      2. set up login & logout callbacks
      3. add login and logout buttons
  49. 1. load javascript library
      2. set up login & logout callbacks
      3. add login and logout buttons
      4. verify proof of ownership
  50. you can add support for Persona in four easy steps
  51. one simple request
  52. building a new site: default to Persona
  53. working on an existing site/app: add support for Persona
  54. To learn more about Persona:
      https://login.persona.org/
      http://identity.mozilla.com/
      https://developer.mozilla.org/docs/Persona/Why_Persona
      https://developer.mozilla.org/docs/Persona/Quick_Setup
      https://github.com/mozilla/browserid-cookbook
      https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
      http://123done.org/
      https://wiki.mozilla.org/Identity#Get_Involved
      @fmarier http://fmarier.org
  55-59. identity provider API
      https://eyedee.me/.well-known/browserid:
      {
        "public-key": {
          "algorithm":"RS",
          "n":"8606...",
          "e":"65537"
        },
        "authentication": "/browserid/sign_in.html",
        "provisioning": "/browserid/provision.html"
      }
  60-63. identity provider API
      1. check for your /.well-known/browserid
      2. try the provisioning endpoint
      3. show the authentication page
      4. call the provisioning endpoint again
  64. © 2013 François Marier <francois@mozilla.com>
      This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.
      Photo credits:
      Hotel doorman: https://secure.flickr.com/photos/wildlife_encounters/8024166802/
      Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
      Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
      Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/
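
Step 4 of the integration (verify proof of ownership, slides 40 to 43) leaves the server to decide what to do with the verifier's reply before it creates a session. The following is an added example, not code from the talk or from the Persona project: `buildVerifyBody` and `checkVerifierReply` are hypothetical helper names, and the sample replies are the two shown on the slides plus one constructed audience mismatch.

```javascript
// Added example: relying-party checks on the verifier's reply (hypothetical helpers).
// AUDIENCE is this site's own origin, fixed in server configuration
// (value taken from the curl call on the slides).
const AUDIENCE = "http://123done.org";

// Form body for the POST to the verifier. The audience comes from configuration,
// never from the incoming request (Host header, form field), so an assertion
// issued for a different site is not accepted here.
function buildVerifyBody(assertion) {
  return new URLSearchParams({ assertion: assertion, audience: AUDIENCE }).toString();
}

// Decide whether a parsed verifier reply may log the user in.
// Returns { ok: true, email } or { ok: false, reason }.
function checkVerifierReply(reply, nowMs) {
  if (reply === null || typeof reply !== "object") {
    return { ok: false, reason: "malformed reply" };
  }
  if (reply.status !== "okay") {
    return { ok: false, reason: reply.reason || "verifier rejected assertion" };
  }
  if (reply.audience !== AUDIENCE) {
    return { ok: false, reason: "audience mismatch" };
  }
  // Defence in depth: re-check the expiry (milliseconds since the epoch) locally.
  if (typeof reply.expires !== "number" || reply.expires <= nowMs) {
    return { ok: false, reason: "assertion has expired" };
  }
  if (typeof reply.email !== "string" || reply.email.indexOf("@") < 1) {
    return { ok: false, reason: "missing email" };
  }
  return { ok: true, email: reply.email };
}

// Replies as shown on the slides (okay / failed), plus one constructed mismatch.
const okReply = { status: "okay", audience: "http://123done.org",
  expires: 1344849682560, email: "francois@mozilla.com", issuer: "login.persona.org" };
const failedReply = { status: "failed", reason: "assertion has expired" };
const otherSite = Object.assign({}, okReply, { audience: "http://other.example" });

const beforeExpiry = okReply.expires - 1000; // constructed clock value
console.log(checkVerifierReply(okReply, beforeExpiry));
console.log(checkVerifierReply(failedReply, beforeExpiry));
console.log(checkVerifierReply(otherSite, beforeExpiry));
console.log(checkVerifierReply(okReply, beforeExpiry + 2000));
```

Only the `email` from a reply that passes every check should be stored in the session; the `/login` handler returns an error for anything else.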
