Persona: a federated and privacy-protecting login system for the whole Web


1. François Marier (@fmarier), Mozilla: Persona, a federated and privacy-protecting login system for the whole Web
2. passwords
3. problem #1: passwords are hard to secure
4-9. bcrypt / scrypt / pbkdf2; per-user salt; site secret; password & lockout policies; secure recovery (2013 password guidelines)
10. passwords are hard to secure: they are a liability
11. ALTER TABLE user DROP COLUMN password;
12. problem #2: passwords are hard to remember
13-14. pick an easy password, use it everywhere
15. passwords are hard to remember: they need to be reset
16. control email account = control all accounts
17. “People want a little dating before marriage.” Eric Vishria – Rockmelt
18. decentralised
19. myid.com/u/francois
20. privacy®
21. existing login systems are not good enough
22-25. ideal web-wide identity system: decentralised, simple, cross-browser
26. what if it were a standard part of the web browser?
27. how does it work?
28. fmarier@gmail.com
29-35. why email addresses? already federated; people know their email; natural association between person & email; easy to have separate identities; most sites need a way to contact users; no lock-in
36. fmarier@gmail.com
37. demo #1: http://www.voo.st/ (logging in as fmariertest@eyedee.me)
38. Persona is already a decentralised system
39. decentralisation is the answer, but it's not a product adoption strategy
40-41. we can't wait for all domains to adopt Persona; solution: a temporary centralised fallback
42. demo #2: http://sloblog.io/ (logging in as francoistest@web.de)
43. Persona already works with all email domains
44. identity bridging
45. demo #3: http://www.reasonwell.com/ (logging in as fmariertest@yahoo.com)
46. Persona supports all modern browsers (IE >= 8)
47. Persona is decentralised, simple and cross-browser
48. it's simple for users, but is it also simple for developers?
49. load the library at the end of the page:
    <script src="https://login.persona.org/include.js"></script>
    </body></html>
50-54. set up the login and logout callbacks:
    navigator.id.watch({
      // email of the user your site currently has logged in, or null if nobody is;
      // the library uses it to keep the browser's view of the session in sync with yours
      loggedInUser: null,
      onlogin: function (assertion) {
        $.post('/login', {assertion: assertion}, function (data) {
          window.location = '/';
        });
      },
      onlogout: function () {
        window.location = '/logout';
      }
    });
55. navigator.id.request()
57. the assertion handed to onlogin (one string; the slide's line-wrap spaces are removed here):
    eyJhbGciOiJEUzEyOCJ9.eyJwdWJsaWMta2V5Ijp7ImFsZ29yaXRobSI6IkRTIiwieSI6ImNhZDg2ZDgyNWU0MjBkMGI4Njk5MjM4ZDM5ZTFjYjIyOGMyMTk1NWFiMzcwOTQ1YzExNzBhMzM4NjcyNDM0ZDJmNGYxZDg5ZjFkZjMzNmU1ZjZjZjk2YjhiOTlmMjgyNmFjNTYxZmI1YWMyYTc4ZjNhMzBkNGYxNTVhYjc3ZGExYmY3MWU4ZGMzNjQ0MmU2NjQ3MmE5Mjg0N2I2YjFlNDRkMTJlM2IwMjVjOWZmNTFmNDdhMWE5ZWYyMGZhOTVjMTcxZjBkMTYzNGE4ZTY4YTk5NWU3ZjFjY2FiYTJlOTRjYTI3ODE1ZWVkMTcxYjY1YTJmZGQzNTE1NjY3OTI0ZjUiLCJwIjoiZmY2MDA0ODNkYjZhYmZjNWI0NWVhYjc4NTk0YjM1MzNkNTUwZDlmMWJmMmE5OTJhN2E4ZGFhNmRjMzRmODA0NWFkNGU2ZTBjNDI5ZDMzNGVlZWFhZWZkN2UyM2Q0ODEwYmUwMGU0Y2MxNDkyY2JhMzI1YmE4MWZmMmQ1YTViMzA1YThkMTdlYjNiZjRhMDZhMzQ5ZDM5MmUwMGQzMjk3NDRhNTE3OTM4MDM0NGU4MmExOGM0NzkzMzQzOGY4OTFlMjJhZWVmODEyZDY5YzhmNzVlMzI2Y2I3MGVhMDAwYzNmNzc2ZGZkYmQ2MDQ2MzhjMmVmNzE3ZmMyNmQwMmUxNyIsInEiOiJlMjFlMDRmOTExZDFlZDc5OTEwMDhlY2FhYjNiZjc3NTk4NDMwOWMzIiwiZyI6ImM1MmE0YTBmZjNiN2U2MWZkZjE4NjdjZTg0MTM4MzY5YTYxNTRmNGFmYTkyOTY2ZTNjODI3ZTI1Y2ZhNmNmNTA4YjkwZTVkZTQxOWUxMzM3ZTA3YTJlOWUyYTNjZDVkZWE3MDRkMTc1ZjhlYmY2YWYzOTdkNjllMTEwYjk2YWZiMTdjN2EwMzI1OTMyOWU0ODI5YjBkMDNiYmM3ODk2YjE1YjRhZGU1M2UxMzA4NThjYzM0ZDk2MjY5YWE4OTA0MWY0MDkxMzZjNzI0MmEzODg5NWM5ZDViY2NhZDRmMzg5YWYxZDdhNGJkMTM5OGJkMDcyZGZmYTg5NjIzMzM5N2EifSwicHJpbmNpcGFsIjp7ImVtYWlsIjoiZm9vQG1vY2tteWlkLmNvbSJ9LCJpYXQiOjEzNzY1MzY0NjM1MTgsImV4cCI6MTM3NjU0MDA2MzUxOCwiaXNzIjoibW9ja215aWQuY29tIn0.IeUR0_3ayAZkdNSXjF4aaCwSHnHa4X1lzrjX-qkNcPIbXx1hmQQPwg~eyJhbGciOiJEUzEyOCJ9.eyJleHAiOjEzNzY1MzY3MDc2MzUsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3QifQ.NJ8H1qZcWXbXfPJSdgB_mORHQ442ZkY0XYfdQsZZsIjooG7k7qWyVw
    This is a "backed assertion": an identity certificate issued by the IdP, then "~", then a short-lived assertion signed with the user's key. Decoded, the certificate carries the user's DSA public key, the principal foo@mockmyid.com, the issuer mockmyid.com and iat/exp timestamps; the assertion carries only its own exp and the audience http://localhost, which is what ties it to one site.
58. navigator.id.watch({
      loggedInUser: null,
      onlogin: function (assertion) {
        $.post('/login', {assertion: assertion}, function (data) {
          window.location = '/home';
        });
      },
      onlogout: function () {
        window.location = '/logout';
      }
    });
59-61. import requests

    def verify_assertion(assertion):
        # Hand the assertion to the remote verifier together with this site's
        # own origin as the audience; the email inside the assertion must not
        # be trusted until the verifier reports the signatures check out.
        page = requests.post(
            'https://verifier.login.persona.org/verify',
            data={"assertion": assertion,
                  "audience": 'http://123done.org'})
        data = page.json()
        return data['status'] == 'okay'
62. verifier response on success:
    { "status": "okay", "audience": "http://123done.org", "expires": 1344849682560, "email": "francois@mozilla.com", "issuer": "login.persona.org" }
63. verifier response on failure:
    { "status": "failed", "reason": "assertion has expired" }
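The checks behind the verifier's "okay" / "failed" answers above, applied to the backed assertion format shown on slide 57, as an added example in Python that is not part of the deck or of Mozilla Persona. It splits the "<certificate>~<assertion>" string, decodes both payloads and enforces the issuer, expiry and audience rules; it does not check signatures (the certificate is signed by the IdP's key from /.well-known/browserid, the assertion by the user's key inside the certificate), so it is a debugging aid for a "failed" response, not a replacement for the verifier. The TRUSTED_FALLBACK_ISSUERS set and make_backed_assertion() are assumptions for this example; the latter builds constructed tokens with dummy signatures.

```python
"""Structural checks on a Persona (BrowserID) backed assertion.

Added example, not code from the slides or from Mozilla Persona. No
signature verification is performed here.
"""
import base64
import json
import time

# Issuers accepted for an address whose own domain runs no IdP.
# login.persona.org is the centralised fallback named on the slides; this
# set is an assumption for the example, not a Persona constant.
TRUSTED_FALLBACK_ISSUERS = {"login.persona.org"}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    """Payload of a header.payload.signature token; the signature is ignored."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token does not have three segments")
    return json.loads(b64url_decode(parts[1]))


def parse_backed_assertion(backed: str):
    """Split '<cert>~<assertion>' into (cert_payload, assertion_payload)."""
    pieces = backed.split("~")
    if len(pieces) != 2:
        raise ValueError("expected one certificate followed by one assertion")
    return decode_payload(pieces[0]), decode_payload(pieces[1])


def check_backed_assertion(backed: str, audience: str, now_ms=None):
    """Return (True, email) or (False, reason). Signatures are NOT verified."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    try:
        cert, assertion = parse_backed_assertion(backed)
    except ValueError as e:  # JSONDecodeError and binascii.Error are ValueErrors
        return False, f"malformed assertion: {e}"

    principal = cert.get("principal")
    email = principal.get("email") if isinstance(principal, dict) else None
    issuer = cert.get("iss")
    if not isinstance(email, str) or "@" not in email or not isinstance(issuer, str):
        return False, "certificate lacks principal email or issuer"

    # Only the address's own domain, or a trusted fallback, may certify it.
    domain = email.rsplit("@", 1)[1].lower()
    if issuer.lower() != domain and issuer.lower() not in TRUSTED_FALLBACK_ISSUERS:
        return False, f"issuer {issuer} is not authoritative for {domain}"

    # Both halves carry their own expiry, in milliseconds since the epoch.
    if not isinstance(cert.get("exp"), int) or cert["exp"] <= now_ms:
        return False, "certificate has expired"
    if not isinstance(assertion.get("exp"), int) or assertion["exp"] <= now_ms:
        return False, "assertion has expired"

    # Audience binding: an assertion minted for one origin must not log the
    # user into another, so the RP's own origin has to match exactly.
    if assertion.get("aud") != audience:
        return False, f"audience mismatch: {assertion.get('aud')!r} != {audience!r}"
    return True, email


def make_backed_assertion(email, issuer, audience, now_ms,
                          cert_ttl_ms=3_600_000, assertion_ttl_ms=120_000):
    """Constructed fixture with the slide's layout and dummy signatures."""
    header = b64url_encode(json.dumps({"alg": "DS128"}).encode())
    cert_payload = {
        "public-key": {"algorithm": "DS", "y": "0", "p": "0", "q": "0", "g": "0"},
        "principal": {"email": email},
        "iat": now_ms, "exp": now_ms + cert_ttl_ms, "iss": issuer,
    }
    assertion_payload = {"exp": now_ms + assertion_ttl_ms, "aud": audience}
    cert = ".".join([header, b64url_encode(json.dumps(cert_payload).encode()), "sig"])
    assertion = ".".join([header, b64url_encode(json.dumps(assertion_payload).encode()), "sig"])
    return cert + "~" + assertion
```

Run check_backed_assertion() on the slide 57 token with audience 'http://123done.org', as the verify_assertion() on slides 59-61 would submit it, and it fails on the audience: that token was minted for http://localhost. The audience an RP passes must be its own scheme, host and port, exactly as the browser sees them.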
64. navigator.id.logout()
65. this fires the onlogout callback registered with navigator.id.watch(), which sends the browser to /logout to end the server-side session
66-70. 1. load javascript library; 2. setup login & logout callbacks; 3. add login and logout buttons; 4. verify proof of ownership (no API key needed)
71. you can add support for Persona in four easy steps
72. one simple request
73. building a new site: default to Persona
74. working on an existing site/app: add support for Persona
75. before
76. after
77. after: navigator.id.request()
78. ALTER TABLE user DROP COLUMN password;
79. To learn more about Persona:
    https://login.persona.org/
    http://identity.mozilla.com/
    https://developer.mozilla.org/docs/Persona/Why_Persona
    https://developer.mozilla.org/docs/Persona/Quick_Setup
    https://github.com/mozilla/browserid-cookbook
    https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
    http://123done.org/
    https://wiki.mozilla.org/Identity#Get_Involved
    @fmarier http://fmarier.org
80-84. identity provider API: https://eyedee.me/.well-known/browserid
    {
      "public-key": { "algorithm": "RS", "n": "8606...", "e": "65537" },
      "authentication": "/browserid/sign_in.html",
      "provisioning": "/browserid/provision.html"
    }
85-88. identity provider API: 1. check for your /.well-known/browserid; 2. try the provisioning endpoint; 3. show the authentication page; 4. call the provisioning endpoint again
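What a browser or verifier has to extract from the support document on slides 80-84 before step 2 of the flow above can start, as an added example in Python that is not part of the deck or of Mozilla Persona. It validates the public-key object and resolves the authentication and provisioning paths against the IdP's own HTTPS origin, refusing values that would point at another host. The sample documents are constructed with a toy RSA modulus (the slide elides the real one); fetching the document over HTTPS from the email address's domain is left to the caller. The DS parameter list mirrors the key inside the slide 57 assertion; treating RS parameters as decimal strings follows the "e": "65537" on the slide.

```python
"""Parsing an identity provider's /.well-known/browserid support document.

Added example, not code from the slides or from Mozilla Persona.
"""
import json
from urllib.parse import urljoin

# Parameters each key algorithm must carry: "RS" as on the slide, "DS" as in
# the key embedded in the slide 57 assertion.
REQUIRED_KEY_PARAMS = {"RS": ("n", "e"), "DS": ("y", "p", "q", "g")}

# Constructed sample documents (toy modulus, not a real key).
CONSTRUCTED_GOOD_DOC = json.dumps({
    "public-key": {"algorithm": "RS", "n": "3233", "e": "17"},
    "authentication": "/browserid/sign_in.html",
    "provisioning": "/browserid/provision.html",
})
CONSTRUCTED_OFFSITE_DOC = json.dumps({
    "public-key": {"algorithm": "RS", "n": "3233", "e": "17"},
    "authentication": "//attacker.example/sign_in.html",  # leaves the IdP's domain
    "provisioning": "/browserid/provision.html",
})


def endpoint_url(domain: str, path) -> str:
    """Resolve an endpoint path against the IdP's own HTTPS origin.

    The document may only name paths on the domain that published it. An
    absolute URL or a protocol-relative "//host/..." would let the document
    steer the browser to another host, so those are rejected, not resolved.
    """
    if not isinstance(path, str) or not path.startswith("/") or path.startswith("//"):
        raise ValueError(f"endpoint must be an absolute path on {domain}: {path!r}")
    return urljoin(f"https://{domain}/", path)


def parse_support_document(domain: str, text: str) -> dict:
    """Return {'algorithm', 'key', 'authentication', 'provisioning'} or raise ValueError."""
    doc = json.loads(text)
    key = doc.get("public-key") if isinstance(doc, dict) else None
    if not isinstance(key, dict):
        raise ValueError("support document has no public-key object")
    alg = key.get("algorithm")
    if alg not in REQUIRED_KEY_PARAMS:
        raise ValueError(f"unsupported key algorithm {alg!r}")
    params = {}
    for name in REQUIRED_KEY_PARAMS[alg]:
        value = key.get(name)
        if not isinstance(value, str) or not value:
            raise ValueError(f"public-key lacks parameter {name!r}")
        if alg == "RS":
            # RS parameters are decimal strings on the slide; convert them.
            if not value.isdigit():
                raise ValueError(f"RS parameter {name!r} is not a decimal integer")
            params[name] = int(value)
        else:
            # DS parameters are kept exactly as published.
            params[name] = value
    return {
        "algorithm": alg,
        "key": params,
        "authentication": endpoint_url(domain, doc.get("authentication")),
        "provisioning": endpoint_url(domain, doc.get("provisioning")),
    }


def support_document_problem(domain: str, text: str):
    """None if the document is usable, otherwise the reason it was rejected."""
    try:
        parse_support_document(domain, text)
        return None
    except ValueError as e:
        return str(e)
```

The domain passed in must be the part after the "@" of the address being checked, not anything taken from the document itself: the whole point of step 1 is that the email domain, and only the email domain, names its IdP.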
89. © 2013 François Marier <francois@mozilla.com>. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.
    Photo credits:
    Hotel doorman: https://secure.flickr.com/photos/wildlife_encounters/8024166802/
    Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
    Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
    Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/
    Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/
    Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/