More Related Content
Similar to Securing the Web without site-specific passwords
Similar to Securing the Web without site-specific passwords (20)
More from Francois Marier
More from Francois Marier (20)
Recently uploaded
Recently uploaded (20)
Securing the Web without site-specific passwords
- 1. François Marier – @fmarier Securing the Web without site-specific passwords
- 2. François Marier – @fmarier F**k all of these passwords, we can do better than this!
- 13. problem #1: passwords are hard to secure
- 14. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 15. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 16. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 17. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 18. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 19. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery 2013 2013 password password guidelines guidelines
- 20. passwords are hard to secure they are a liability
- 21. ALTER TABLE user DROP COLUMN password;
- 22. problem #2: passwords are hard to remember
- 25. pick an easy password
- 26. pick an easy password use it everywhere
- 27. negative externality: sites that don't care about security impose a cost on more important sites
- 28. passwords are hard to remember they need to be reset
- 35. decentralised
- 39. privacy®
- 40. existing login systems are not good enough
- 41. ideal web-wide identity system
- 45. what if it were a standard part of the web browser?
- 47. how does it work?
- 50. getting a proof of email ownership
- 51. authenticate?
- 54. you have a signed statement from your provider that you own your email address
- 56. logging into a 3rd party site
- 57. Valid for: 2 minutes wikipedia.org assertion
- 58. Valid for: 2 minutes wikipedia.org check audience assertion
- 59. Valid for: 2 minutes wikipedia.org check audience check expiry assertion
- 60. Valid for: 2 minutes wikipedia.org check audience check expiry check signature assertion
- 61. assertion Valid for: 2 minutes wikipedia.org public key
- 62. assertion Valid for: 2 minutes wikipedia.org
- 65. Persona is already a decentralised system
- 66. SMS with PIN codes
- 67. SMS with PIN codes Jabber / XMPP
- 68. SMS with PIN codes Jabber / XMPP Yubikeys
- 69. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts
- 70. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts Client certificates
- 71. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts Client certificates Password-wrapped secret key { "public-key": { "algorithm": "RS", "n":"685484565272...", "e":"65537" }, "encrypted-private-key": { "iv": "tmg7gztUQT...", "salt": "JMtGwlF5UWY", "ct": "8DdOjD1IA1..." }, "authentication": "...", "provisioning": "..." }
- 72. decentralisation is the answer, but it's not a product adoption strategy
- 73. we can't wait for all domains to adopt Persona
- 74. we can't wait for all domains to adopt Persona solution: a temporary centralised fallback
- 76. Persona already works with all email domains
- 82. Persona supports all modern browsers >= 8
- 83. Persona is decentralised, simple and cross-browser
- 84. it's simple for users, but is it also simple for developers?
- 87. navigator.id.watch({ loggedInEmail: “francois@mozilla.com”, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });
- 88. navigator.id.watch({ loggedInUser: “francois@mozilla.com”, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });
- 89. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });
- 90. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });
- 91. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });
- 97. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });
- 99. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });
- 100. require_once('Auth/BrowserID.php'); $verifier = new Auth_BrowserID('http://123done.org'); $result = $verifier->verifyAssertion($_POST['assertion']);
- 101. { status: “okay”, audience: “http://123done.org”, expires: 1344849682560, email: “francois@mozilla.com”, issuer: “login.persona.org” }
- 102. require_once('Auth/BrowserID.php'); $verifier = new Auth_BrowserID('http://123done.org'); $result = $verifier->verifyAssertion($_POST['assertion']); if ($result->status === 'okay') { echo "Hi " . $result->email; } else { echo "Error: " . $result->reason; }
- 103. { status: “failed”, reason: “assertion has expired” }
- 104. require_once('Auth/BrowserID.php'); $verifier = new Auth_BrowserID('http://123done.org'); $result = $verifier->verifyAssertion($_POST['assertion']); if ($result->status === 'okay') { echo "Hi " . $result->email; } else { echo "Error: " . $result->reason; }
- 108. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });
- 110. 1. load javascript library
- 111. 1. load javascript library 2. setup login & logout callbacks
- 112. 1. load javascript library 2. setup login & logout callbacks 3. add login and logout buttons
- 113. 1. load javascript library 2. setup login & logout callbacks 3. add login and logout buttons 4. verify proof of ownership
- 114. 1. load javascript library 2. setup login & logout callbacks 3. add login and logout buttons 4. verify proof of ownership no API key needed
- 115. you can add support for Persona in four easy steps
- 116. one simple request
- 118. building a new site: default to Persona
- 119. working on an existing site: add support for Persona
- 120. before
- 121. after
- 124. ALTER TABLE user DROP COLUMN password;
- 125. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook https://developer.mozilla.org/docs/Persona/Libraries_and_plugins http://123done.org/ https://wiki.mozilla.org/Identity#Get_Involved @fmarier http://fmarier.org
- 126. identity provider API https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }
- 127. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 128. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 129. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 130. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 131. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 132. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 133. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 134. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 135. © 2013 François Marier <francois@mozilla.com> This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/ Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/ Australian passport: https://secure.flickr.com/photos/digallagher/5453987637/ Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/ Photo credits: