You're still using passwords on your site?


A few people like to say that passwords are dead, but the reality is far from it. First of all, we can't get rid of passwords entirely, because the alternatives all suck: physical tokens are easy to lose and retina scans are pretty creepy. What we should focus on is eliminating site-specific passwords. Mozilla Persona was introduced at OSDC last year, but a number of new things have been added to it since. But more importantly, it's still the best shot we have at a decentralized web-wide identity system that works for average users and doesn't violate their privacy. So I'm back to show you what's new and to talk about what organizations can gain from adding native support on their domain. It's time to solve the password problem on the web.


François Marier – @fmarier

You’re still using passwords on your site?

problem #1:

passwords are hard to secure

bcrypt / scrypt / pbkdf2

per-user salt

site secret

password & lockout policies

secure recovery


2013 password guidelines

passwords are hard to secure

they are a liability

ALTER TABLE user DROP COLUMN password;

problem #2:

passwords are hard to remember


pick an easy password

use it everywhere

passwords are hard to remember

they need to be reset

control email account = control all accounts

“People want a little dating before marriage.” – Eric Vishria, Rockmelt

decentralised

myid.com/u/francois

privacy

existing login systems are not good enough

ideal web-wide identity system


what if it were a standard part of the web browser?

how does it work?

fmarier@gmail.com

why email addresses?

why email addresses?

already federated

people know their email

natural association between person & email

easy to have separate identities

most sites need a way to contact users

no lock-in


fmarier@gmail.com

demo #1:

http://www.voo.st/
http://bornthiswayfoundation.org

fmariertest@eyedee.me

Persona is already a decentralised system


SMS with PIN codes

Jabber / XMPP

Yubikeys

LDAP accounts

Client certificates

Password-wrapped secret key

{
  "public-key": {
    "algorithm": "RS",
    "n": "685484565272...",
    "e": "65537"
  },
  "encrypted-private-key": {
    "iv": "tmg7gztUQT...",
    "salt": "JMtGwlF5UWY",
    "ct": "8DdOjD1IA1..."
  },
  "authentication": "...",
  "provisioning": "..."
}

decentralisation is the answer, but it's not a product adoption strategy

we can't wait for all browsers to adopt Persona

navigator.id.*


solution: a temporary javascript shim

goal: trusted code running in the browser

login.persona.org

localStorage

localStorage.setItem("key", serializedKey);

var serializedKey = localStorage.getItem("key");

storage tied to login.persona.org

window.postMessage()

https://login.persona.org

localStorage

postMessage
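The shim's safety rests on two browser guarantees: localStorage is partitioned per origin, so keys written by the login.persona.org frame cannot be read by the site that embeds it, and postMessage() stamps every message with a sender origin that the receiver can check. What follows is an added illustration of those checks, not the code of include.js; the message types, the event shapes and the issueAssertion callback are assumed for the example, and the flow is driven with hand-built event objects so it runs outside a browser.

```javascript
const PERSONA_ORIGIN = "https://login.persona.org";

// Site side (the role include.js plays): only the Persona frame may hand us
// an assertion. A message from any other origin, for instance a frame an
// attacker managed to inject, is dropped before its contents are looked at.
function siteOnMessage(event) {
  if (event.origin !== PERSONA_ORIGIN) return null;
  const msg = event.data;
  if (!msg || msg.type !== "assertion" || typeof msg.assertion !== "string") return null;
  return msg.assertion;
}

// Sending side: always name the exact target origin. A "*" target would
// deliver the request to whatever document currently occupies the frame.
function postToPersona(frameWindow, msg) {
  frameWindow.postMessage(msg, PERSONA_ORIGIN);
}

// Persona-frame side: the audience of the assertion is taken from
// event.origin, which the browser fills in and the sender cannot forge.
// A site cannot obtain an assertion for somebody else's origin by putting
// a different value in the message body; that field is simply ignored.
function personaOnMessage(event, issueAssertion) {
  const msg = event.data;
  if (!msg || msg.type !== "request") return null;
  if (!/^https?:\/\/[^/]+$/.test(event.origin)) return null; // refuse opaque "null" origins
  return { type: "assertion", assertion: issueAssertion(event.origin) };
}

// Offline walk-through with constructed events (no real window objects).
function simulate() {
  const sent = [];
  const fakeFrame = { postMessage: (m, target) => sent.push({ m, target }) };
  // The site tries to claim a foreign audience in the body; it must not matter.
  postToPersona(fakeFrame, { type: "request", audience: "https://bank.example" });
  const issue = (aud) => "assertion-for:" + aud; // stands in for signing with the stored key
  const reply = personaOnMessage({ origin: "https://example.org", data: sent[0].m }, issue);
  return {
    target: sent[0].target,
    fromPersona: siteOnMessage({ origin: PERSONA_ORIGIN, data: reply }),
    fromElsewhere: siteOnMessage({ origin: "https://attacker.example", data: reply }),
    issuedFor: reply.assertion,
    nullOrigin: personaOnMessage({ origin: "null", data: { type: "request" } }, issue),
  };
}
```

The same two checks apply in any postMessage-based login widget: the receiver compares event.origin against the one origin it expects, and the sender passes that origin as targetOrigin rather than "*".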

Persona supports all modern browsers

Internet Explorer >= 8

we can't wait for all domains to adopt Persona


solution: a temporary centralised fallback

demo #2:

http://sloblog.io/

fmariertest@aol.com

Persona already works with all email domains

identity bridging

demo #3:

http://www.reasonwell.com/

fmariertest@yahoo.com

Persona works everywhere

lessons learned

#1 user testing is critical

#2 nobody wants to be first

“how many users does Persona have?”

700,000,000

#3 if a problem has been around for a while, it's probably a hard one

see if you can solve part of the problem

$ ssh francois@myserver.com
francois@myserver.com's password:

Persona is a simple sign-in solution

for the web

how simple is it

for developers?

<script src="https://login.persona.org/include.js"></script>
</body>
</html>

navigator.id.watch({
  // the email your server-side session says is logged in, or null if none
  loggedInUser: null,
  onlogin: function (assertion) {
    // hand the proof of ownership to the server for verification
    $.post('/login', {assertion: assertion}, function (data) {
      window.location = '/home';
    });
  },
  onlogout: function () {
    window.location = '/logout';
  }
});

navigator.id.request()

eyJhbGciOiJEUzEyOCJ9.….IeUR0_3ayAZkdNSXjF4aaCwSHnHa4X1lzrjX-qkNcPIbXx1hmQQPwg~eyJhbGciOiJEUzEyOCJ9.eyJleHAiOjEzNzY1MzY3MDc2MzUsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3QifQ.NJ8H1qZcWXbXfPJSdgB_mORHQ442ZkY0XYfdQsZZsIjooG7k7qWyVw

(certificate ~ assertion: both headers decode to {"alg":"DS128"}; the assertion payload decodes to {"exp":1376536707635,"aud":"http://localhost"}; the certificate payload is elided here)


require_once('Auth/BrowserID.php');

$verifier = new Auth_BrowserID('http://123done.org');
$result = $verifier->verifyAssertion($_POST['assertion']);

{ status: "okay",
  audience: "http://123done.org",
  expires: 1344849682560,
  email: "francois@mozilla.com",
  issuer: "login.persona.org" }

require_once('Auth/BrowserID.php');

$verifier = new Auth_BrowserID('http://123done.org');
$result = $verifier->verifyAssertion($_POST['assertion']);

if ($result->status === 'okay') {
  echo "Hi " . $result->email;
} else {
  echo "Error: " . $result->reason;
}

{ status: "failed",
  reason: "assertion has expired" }


navigator.id.logout()



1. load javascript library

2. setup login & logout callbacks

3. add login and logout buttons

4. verify proof of ownership

no API key needed

how simple is it

for domain owners?

https://eyedee.me/.well-known/browserid:

{
  "public-key": {
    "algorithm": "RS",
    "n": "8606...",
    "e": "65537"
  },
  "authentication": "/browserid/sign_in.html",
  "provisioning": "/browserid/provision.html"
}


1. check for your /.well-known/browserid

2. try the provisioning endpoint

3. show the authentication page

4. call the provisioning endpoint again


one small request

building a new site: default to Persona

working on an existing site/app: add support for Persona

before

after

after

navigator.id.request()

ALTER TABLE user DROP COLUMN password;

To learn more about Persona:

https://login.persona.org/
http://identity.mozilla.com/

https://developer.mozilla.org/docs/Persona/Why_Persona
https://developer.mozilla.org/docs/Persona/Quick_Setup

https://github.com/mozilla/browserid-cookbook
https://developer.mozilla.org/docs/Persona/Libraries_and_plugins

https://wiki.mozilla.org/Identity#Get_Involved

@fmarier http://fmarier.org

© 2013 François Marier <francois@mozilla.com>
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.

Photo credits:

Laptop password: https://secure.flickr.com/photos/reidrac/4696900602/

Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/

Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/

Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/

Yubikey: https://secure.flickr.com/photos/knk/3379897261/

Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/
