Upload
francois-marier
View
179
Download
5
Embed Size (px)
DESCRIPTION
Identity systems on the Web are a bit of a mess. Surely in 2013, we would have something else than usernames and passwords for logging into websites. A solution that doesn't require trusting a central authority. It turns out that solving the general identity problem is very hard. Some of these solutions require complicated redirections, an overwhelming amount of jargon and lots of verbose XML. The technology has been around for a long time, but implementing it properly (and safely) is often incredibly difficult. This talk will explore the challenges of the existing Web identity solutions and introduce the choices that we made during the development of Persona, a new cross-browser federated identity solution from Mozilla. It will cover: - a discussion of the complexities and privacy-related concerns that existing identity solutions have - how crypto is used in Persona to provide both authentication and privacy - the Persona federation approach: fully distributed with fallbacks - demos and actual code from sites that have implemented Persona - the basics of the Persona API so that attendees can go out and easily support this technology on their own sites Trying to convince users to pick unique (and strong) passwords for each website is a losing battle. What we're proposing is a standard, built into browsers, that leverages the new security features that email providers are now offering. A simple federated solution to eliminate site-specific passwords.
Citation preview
François Marier – @fmarier
Securing the Web without site-specific passwords
François Marier – @fmarier
F**k all of these passwords, we can do better than this!
solving thepassword problem
on the web
problem #1:
passwords are hard to secure
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
20132013
passwordpassword
guidelines
guidelines
passwords are hard to secure
they are a liability
ALTER TABLE userDROP COLUMN password;
problem #2:
passwords are hard to remember
users have two strategies
1. pick an easy password
2. reuse your password
negative externality:
sites that don't care about securityimpose a cost on more important sites
passwords are hard to remember
they need to be reset
controlemail
account
controlall
accounts=
existing login solutions
client certificates
centralised authorities
existing login systemsare not good enough
ideal web-wide identity system
● decentralised● simple● cross-browser
ideal web-wide identity system
● decentralised● simple● cross-browser
ideal web-wide identity system
● decentralised● simple● cross-browser
ideal web-wide identity system
● decentralised● simple● cross-browser
how does it work?
getting a proof of email ownership
authenticate?
authenticate?
public key
authenticate?
public key
signed public key
you have a signed statement from yourprovider that you own your email address
logging into a 3rd party site
Valid for: 2 minutes
wikipedia.org
assertion
Valid for: 2 minutes
wikipedia.org
check audience
assertion
Valid for: 2 minutes
wikipedia.org
check audiencecheck expiry
assertion
Valid for: 2 minutes
wikipedia.org
check audiencecheck expirycheck signature
assertion
assertion
Valid for: 2 minutes
wikipedia.org
public key
assertion
Valid for: 2 minutes
wikipedia.org
assertion
session cookie
Persona is already adecentralised system
decentralisation matters for:
decentralisation matters for:
● choice● security● innovation
decentralisation matters for:
● choice● security● innovation
decentralisation matters for:
● choice● security● innovation
SMS with PIN codes
SMS with PIN codes
Jabber / XMPP
SMS with PIN codes
Jabber / XMPP
Yubikeys
SMS with PIN codes
Jabber / XMPP
Yubikeys
LDAP accounts
SMS with PIN codes
Jabber / XMPP
Yubikeys
LDAP accounts
Client certificates
SMS with PIN codes
Jabber / XMPP
Yubikeys
LDAP accounts
Client certificates
Password-wrapped secret key
{ "public-key": { "algorithm": "RS", "n":"685484565272...", "e":"65537" }, "encrypted-private-key": { "iv": "tmg7gztUQT...", "salt": "JMtGwlF5UWY", "ct": "8DdOjD1IA1..." }, "authentication": "...", "provisioning": "..."}
decentralisation enablesinnovation
decentralisation is the answer, but it's not
a product adoption strategy
we can't wait for all domainsto adopt Persona
we can't wait for all domainsto adopt Persona
solution: a temporarycentralised fallback
Persona already workswith all email domains
identity bridging
Persona supportsall modern browsers
>= 8
Persona is decentralised,simple and cross-browser
it's simple for users, but is it also
simple for developers?
<script src=”https://login.persona.org/include.js”></script></body></html>
navigator.id.watch({ loggedInEmail: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; }});
navigator.id.watch({ loggedInUser: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; }});
navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; }});
navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; }});
navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; }});
navigator.id.request()
navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; }});
navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; }});
$ curl -d "assertion=<ASSERTION>& audience=http://123done.org" https://verifier.login.persona.org/verify
$ curl -d "assertion=<ASSERTION>& audience=http://123done.org" https://verifier.login.persona.org/verify
{ status: “okay”,
audience: “http://123done.org”,
expires: 1344849682560,
email: “[email protected]”,
issuer: “login.persona.org”}
{ status: “failed”,
reason: “assertion has expired”}
navigator.id.logout()
navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; }});
1. load javascript library
1. load javascript library
2. setup login & logout callbacks
1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons
1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons
4. verify proof of ownership
you can add support forPersona in four easy steps
one simple request
building a new site:default to Persona
working on an existing site:add support for Persona
we needyour help
to eliminatesite-specificpasswords
To learn more about Persona:
https://login.persona.org/http://identity.mozilla.com/
https://developer.mozilla.org/docs/Persona/Why_Personahttps://developer.mozilla.org/docs/Persona/Quick_Setup
https://github.com/mozilla/browserid-cookbookhttps://developer.mozilla.org/docs/Persona/Libraries_and_plugins
http://123done.org/https://wiki.mozilla.org/Identity#Get_Involved
@fmarier http://fmarier.org
identity provider API
https://eyedee.me/.well-known/browserid:
{ "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html"}
https://eyedee.me/.well-known/browserid:
{ "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html"}
identity provider API
https://eyedee.me/.well-known/browserid:
{ "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html"}
identity provider API
https://eyedee.me/.well-known/browserid:
{ "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html"}
identity provider API
https://eyedee.me/.well-known/browserid:
{ "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html"}
identity provider API
identity provider API
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again
identity provider API
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again
identity provider API
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again
identity provider API
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again
© 2013 François Marier <[email protected]>This work is licensed under aCreative Commons Attribution-ShareAlike 3.0 New Zealand License.
Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/
Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/
Australian passport: https://secure.flickr.com/photos/digallagher/5453987637/
Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/
Photo credits: