problem #1:
passwords are hard to secure
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
20132013
passwordpassword
guidelines
guidelines
passwords are hard to secure
they are a liability
ALTER TABLE userDROP COLUMN password;
problem #2:
passwords are hard to remember
pick an easy password
pick an easy password
use it everywhere
passwords are hard to remember
they need to be reset
controlemail
account
controlall
accounts=
“People wanta little dating
before marriage.”Eric Vishria – Rockmelt
decentralised
myid.com/u/francois
privacy®
existing login systemsare not good enough
ideal web-wide identity system
ideal web-wide identity system
ideal web-wide identity system
ideal web-wide identity system
what if it were a standardpart of the web browser?
how does it work?
why email addresses?
why email addresses?
already federated
people know their email
natural association between person & email
easy to have separate identities
most sites need a way to contact users
no lock-in
why email addresses?
already federated
people know their email
natural association between person & email
easy to have separate identities
most sites need a way to contact users
no lock-in
why email addresses?
already federated
people know their email
natural association between person & email
easy to have separate identities
most sites need a way to contact users
no lock-in
why email addresses?
already federated
people know their email
natural association between person & email
easy to have separate identities
most sites need a way to contact users
no lock-in
why email addresses?
already federated
people know their email
natural association between person & email
easy to have separate identities
most sites need a way to contact users
no lock-in
why email addresses?
already federated
people know their email
natural association between person & email
easy to have separate identities
most sites need a way to contact users
no lock-in
demo #1:
http://www.voo.st/http://bornthiswayfoundation.org
Persona is already adecentralised system
SMS with PIN codes
SMS with PIN codes
Jabber / XMPP
SMS with PIN codes
Jabber / XMPP
Yubikeys
SMS with PIN codes
Jabber / XMPP
Yubikeys
LDAP accounts
SMS with PIN codes
Jabber / XMPP
Yubikeys
LDAP accounts
Client certificates
SMS with PIN codes
Jabber / XMPP
Yubikeys
LDAP accounts
Client certificates
Password-wrapped secret key
{ "public-key": { "algorithm": "RS", "n":"685484565272...", "e":"65537" }, "encrypted-private-key": { "iv": "tmg7gztUQT...", "salt": "JMtGwlF5UWY", "ct": "8DdOjD1IA1..." }, "authentication": "...", "provisioning": "..."}
decentralisation is the answer, but it's not
a product adoption strategy
we can't wait for all browsersto adopt Persona
navigator.id.*
we can't wait for all browsersto adopt Persona
solution: a temporaryjavascript shim
goal: trusted coderunning in the browser
login.persona.org
localStorage
localStorage.setItem("key", serializedKey);
var serializedKey = localStorage.getItem("key");
storage tied tologin.persona.org
window.postMessage()
https://login.persona.org
localStorage
postMessage
Persona supportsall modern browsers
>= 8
we can't wait for all domainsto adopt Persona
we can't wait for all domainsto adopt Persona
solution: a temporarycentralised fallback
Persona already workswith all email domains
identity bridging
Persona works everywhere
lessons learned
#1 user testingis critical
#2 nobody wantsto be first
“how many usersdoes Persona have?”
700,000,000
#3 if a problem hasbeen around for awhile, it's probablya hard one
see if you can solvepart of the problem
$ ssh [email protected]@myserver.com's password:
Persona is a simplesign-in solution
for the web
how simple is it
for developers?
<script src=”https://login.persona.org/include.js”></script></body></html>
navigator.id.watch({ loggedInEmail: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; }});
navigator.id.watch({ loggedInUser: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; }});
navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; }});
navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; }});
navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; }});
navigator.id.request()
navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; }});
eyJhbGciOiJEUzEyOCJ9.eyJwdWJsaWMta2V5Ijp7ImFsZ29yaXRobSI6IkRTIiwieSI6ImNhZDg2ZDgyNWU0MjBkMGI4Njk5MjM4ZDM5ZTFjYjIyOGMyMTk1NWFiMzcwOTQ1YzExNzBhMzM4NjcyNDM0ZDJmNGYxZDg5ZjFkZjMzNmU1ZjZjZjk2YjhiOTlmMjgyNmFjNTYxZmI1YWMyYTc4ZjNhMzBkNGYxNTVhYjc3ZGExYmY3MWU4ZGMzNjQ0MmU2NjQ3MmE5Mjg0N2I2YjFlNDRkMTJlM2IwMjVjOWZmNTFmNDdhMWE5ZWYyMGZhOTVjMTcxZjBkMTYzNGE4ZTY4YTk5NWU3ZjFjY2FiYTJlOTRjYTI3ODE1ZWVkMTcxYjY1YTJmZGQzNTE1NjY3OTI0ZjUiLCJwIjoiZmY2MDA0ODNkYjZhYmZjNWI0NWVhYjc4NTk0YjM1MzNkNTUwZDlmMWJmMmE5OTJhN2E4ZGFhNmRjMzRmODA0NWFkNGU2ZTBjNDI5ZDMzNGVlZWFhZWZkN2UyM2Q0ODEwYmUwMGU0Y2MxNDkyY2JhMzI1YmE4MWZmMmQ1YTViMzA1YThkMTdlYjNiZjRhMDZhMzQ5ZDM5MmUwMGQzMjk3NDRhNTE3OTM4MDM0NGU4MmExOGM0NzkzMzQzOGY4OTFlMjJhZWVmODEyZDY5YzhmNzVlMzI2Y2I3MGVhMDAwYzNmNzc2ZGZkYmQ2MDQ2MzhjMmVmNzE3ZmMyNmQwMmUxNyIsInEiOiJlMjFlMDRmOTExZDFlZDc5OTEwMDhlY2FhYjNiZjc3NTk4NDMwOWMzIiwiZyI6ImM1MmE0YTBmZjNiN2U2MWZkZjE4NjdjZTg0MTM4MzY5YTYxNTRmNGFmYTkyOTY2ZTNjODI3ZTI1Y2ZhNmNmNTA4YjkwZTVkZTQxOWUxMzM3ZTA3YTJlOWUyYTNjZDVkZWE3MDRkMTc1ZjhlYmY2YWYzOTdkNjllMTEwYjk2YWZiMTdjN2EwMzI1OTMyOWU0ODI5YjBkMDNiYmM3ODk2YjE1YjRhZGU1M2UxMzA4NThjYzM0ZDk2MjY5YWE4OTA0MWY0MDkxMzZjNzI0MmEzODg5NWM5ZDViY2NhZDRmMzg5YWYxZDdhNGJkMTM5OGJkMDcyZGZmYTg5NjIzMzM5N2EifSwicHJpbmNpcGFsIjp7ImVtYWlsIjoiZm9vQG1vY2tteWlkLmNvbSJ9LCJpYXQiOjEzNzY1MzY0NjM1MTgsImV4cCI6MTM3NjU0MDA2MzUxOCwiaXNzIjoibW9ja215aWQuY29tIn0.IeUR0_3ayAZkdNSXjF4aaCwSHnHa4X1lzrjX-qkNcPIbXx1hmQQPwg~eyJhbGciOiJEUzEyOCJ9.eyJleHAiOjEzNzY1MzY3MDc2MzUsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3QifQ.NJ8H1qZcWXbXfPJSdgB_mORHQ442ZkY0XYfdQsZZsIjooG7k7qWyVw
navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; }});
require_once('Auth/BrowserID.php');
$verifier = new Auth_BrowserID('http://123done.org');$result = $verifier->verifyAssertion($_POST['assertion']);
{ status: “okay”,
audience: “http://123done.org”,
expires: 1344849682560,
email: “[email protected]”,
issuer: “login.persona.org”}
require_once('Auth/BrowserID.php');
$verifier = new Auth_BrowserID('http://123done.org');$result = $verifier->verifyAssertion($_POST['assertion']);
if ($result->status === 'okay') { echo "Hi " . $result->email;} else { echo "Error: " . $result->reason;}
{ status: “failed”,
reason: “assertion has expired”}
require_once('Auth/BrowserID.php');
$verifier = new Auth_BrowserID('http://123done.org');$result = $verifier->verifyAssertion($_POST['assertion']);
if ($result->status === 'okay') { echo "Hi " . $result->email;} else { echo "Error: " . $result->reason;}
navigator.id.logout()
navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; }});
1. load javascript library
1. load javascript library
2. setup login & logout callbacks
1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons
1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons
4. verify proof of ownership
1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons
4. verify proof of ownership
no API keyneeded
how simple is it
for domain owners?
https://eyedee.me/.well-known/browserid:
{ "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html"}
https://eyedee.me/.well-known/browserid:
{ "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html"}
https://eyedee.me/.well-known/browserid:
{ "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html"}
https://eyedee.me/.well-known/browserid:
{ "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html"}
https://eyedee.me/.well-known/browserid:
{ "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html"}
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again
one small request
building a new site:default to Persona
working on an existing site/app:add support for Persona
before
after
after
navigator.id.request()
ALTER TABLE userDROP COLUMN password;
To learn more about Persona:
https://login.persona.org/http://identity.mozilla.com/
https://developer.mozilla.org/docs/Persona/Why_Personahttps://developer.mozilla.org/docs/Persona/Quick_Setup
https://github.com/mozilla/browserid-cookbookhttps://developer.mozilla.org/docs/Persona/Libraries_and_plugins
https://wiki.mozilla.org/Identity#Get_Involved
@fmarier http://fmarier.org
© 2013 François Marier <[email protected]>This work is licensed under aCreative Commons Attribution-ShareAlike 3.0 New Zealand License.
Laptop password: https://secure.flickr.com/photos/reidrac/4696900602/
Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/
Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
Yubikey: https://secure.flickr.com/photos/knk/3379897261/
Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/
Photo credits:
Recommended
