Upload
francois-marier
View
214
Download
2
Embed Size (px)
DESCRIPTION
A few people like to say that passwords are dead, but the reality is far from it. First of all, we can't get rid of passwords entirely, because the alternatives all suck: physical tokens are easy to lose and retina scans are pretty creepy. What we should focus on is eliminating site-specific passwords. Mozilla Persona was introduced at OSDC last year, but a number of new things have been added to it since. But more importantly, it's still the best shot we have at a decentralized web-wide identity system that works for average users and doesn't violate their privacy. So I'm back to show you what's new and to talk about what organizations can gain from adding native support on their domain. It's time to solve the password problem on the web.
Citation preview
problem #1:
passwords are hard to secure
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
20132013
passwordpassword
guidelines
guidelines
passwords are hard to secure
they are a liability
ALTER TABLE userDROP COLUMN password;
problem #2:
passwords are hard to remember
pick an easy password
pick an easy password
use it everywhere
passwords are hard to remember
they need to be reset
controlemail
account
controlall
accounts=
“People wanta little dating
before marriage.”Eric Vishria – Rockmelt
decentralised
myid.com/u/francois
privacy®
existing login systemsare not good enough
ideal web-wide identity system
ideal web-wide identity system
ideal web-wide identity system
ideal web-wide identity system
what if it were a standardpart of the web browser?
how does it work?
why email addresses?
why email addresses?
already federated
people know their email
natural association between person & email
easy to have separate identities
most sites need a way to contact users
no lock-in
why email addresses?
already federated
people know their email
natural association between person & email
easy to have separate identities
most sites need a way to contact users
no lock-in
why email addresses?
already federated
people know their email
natural association between person & email
easy to have separate identities
most sites need a way to contact users
no lock-in
why email addresses?
already federated
people know their email
natural association between person & email
easy to have separate identities
most sites need a way to contact users
no lock-in
why email addresses?
already federated
people know their email
natural association between person & email
easy to have separate identities
most sites need a way to contact users
no lock-in
why email addresses?
already federated
people know their email
natural association between person & email
easy to have separate identities
most sites need a way to contact users
no lock-in
demo #1:
http://www.voo.st/http://bornthiswayfoundation.org
Persona is already adecentralised system
SMS with PIN codes
SMS with PIN codes
Jabber / XMPP
SMS with PIN codes
Jabber / XMPP
Yubikeys
SMS with PIN codes
Jabber / XMPP
Yubikeys
LDAP accounts
SMS with PIN codes
Jabber / XMPP
Yubikeys
LDAP accounts
Client certificates
SMS with PIN codes
Jabber / XMPP
Yubikeys
LDAP accounts
Client certificates
Password-wrapped secret key
{ "public-key": { "algorithm": "RS", "n":"685484565272...", "e":"65537" }, "encrypted-private-key": { "iv": "tmg7gztUQT...", "salt": "JMtGwlF5UWY", "ct": "8DdOjD1IA1..." }, "authentication": "...", "provisioning": "..."}
decentralisation is the answer, but it's not
a product adoption strategy
we can't wait for all browsersto adopt Persona
navigator.id.*
we can't wait for all browsersto adopt Persona
solution: a temporaryjavascript shim
goal: trusted coderunning in the browser
login.persona.org
localStorage
localStorage.setItem("key", serializedKey);
var serializedKey = localStorage.getItem("key");
storage tied tologin.persona.org
window.postMessage()
https://login.persona.org
localStorage
postMessage
Persona supportsall modern browsers
>= 8
we can't wait for all domainsto adopt Persona
we can't wait for all domainsto adopt Persona
solution: a temporarycentralised fallback
Persona already workswith all email domains
identity bridging
Persona works everywhere
lessons learned
#1 user testingis critical
#2 nobody wantsto be first
“how many usersdoes Persona have?”
700,000,000
#3 if a problem hasbeen around for awhile, it's probablya hard one
see if you can solvepart of the problem
$ ssh [email protected]@myserver.com's password:
Persona is a simplesign-in solution
for the web
how simple is it
for developers?
<script src=”https://login.persona.org/include.js”></script></body></html>
navigator.id.watch({ loggedInEmail: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; }});
navigator.id.watch({ loggedInUser: “[email protected]”, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; }});
navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; }});
navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; }});
navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; }});
navigator.id.request()
navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; }});
eyJhbGciOiJEUzEyOCJ9.eyJwdWJsaWMta2V5Ijp7ImFsZ29yaXRobSI6IkRTIiwieSI6ImNhZDg2ZDgyNWU0MjBkMGI4Njk5MjM4ZDM5ZTFjYjIyOGMyMTk1NWFiMzcwOTQ1YzExNzBhMzM4NjcyNDM0ZDJmNGYxZDg5ZjFkZjMzNmU1ZjZjZjk2YjhiOTlmMjgyNmFjNTYxZmI1YWMyYTc4ZjNhMzBkNGYxNTVhYjc3ZGExYmY3MWU4ZGMzNjQ0MmU2NjQ3MmE5Mjg0N2I2YjFlNDRkMTJlM2IwMjVjOWZmNTFmNDdhMWE5ZWYyMGZhOTVjMTcxZjBkMTYzNGE4ZTY4YTk5NWU3ZjFjY2FiYTJlOTRjYTI3ODE1ZWVkMTcxYjY1YTJmZGQzNTE1NjY3OTI0ZjUiLCJwIjoiZmY2MDA0ODNkYjZhYmZjNWI0NWVhYjc4NTk0YjM1MzNkNTUwZDlmMWJmMmE5OTJhN2E4ZGFhNmRjMzRmODA0NWFkNGU2ZTBjNDI5ZDMzNGVlZWFhZWZkN2UyM2Q0ODEwYmUwMGU0Y2MxNDkyY2JhMzI1YmE4MWZmMmQ1YTViMzA1YThkMTdlYjNiZjRhMDZhMzQ5ZDM5MmUwMGQzMjk3NDRhNTE3OTM4MDM0NGU4MmExOGM0NzkzMzQzOGY4OTFlMjJhZWVmODEyZDY5YzhmNzVlMzI2Y2I3MGVhMDAwYzNmNzc2ZGZkYmQ2MDQ2MzhjMmVmNzE3ZmMyNmQwMmUxNyIsInEiOiJlMjFlMDRmOTExZDFlZDc5OTEwMDhlY2FhYjNiZjc3NTk4NDMwOWMzIiwiZyI6ImM1MmE0YTBmZjNiN2U2MWZkZjE4NjdjZTg0MTM4MzY5YTYxNTRmNGFmYTkyOTY2ZTNjODI3ZTI1Y2ZhNmNmNTA4YjkwZTVkZTQxOWUxMzM3ZTA3YTJlOWUyYTNjZDVkZWE3MDRkMTc1ZjhlYmY2YWYzOTdkNjllMTEwYjk2YWZiMTdjN2EwMzI1OTMyOWU0ODI5YjBkMDNiYmM3ODk2YjE1YjRhZGU1M2UxMzA4NThjYzM0ZDk2MjY5YWE4OTA0MWY0MDkxMzZjNzI0MmEzODg5NWM5ZDViY2NhZDRmMzg5YWYxZDdhNGJkMTM5OGJkMDcyZGZmYTg5NjIzMzM5N2EifSwicHJpbmNpcGFsIjp7ImVtYWlsIjoiZm9vQG1vY2tteWlkLmNvbSJ9LCJpYXQiOjEzNzY1MzY0NjM1MTgsImV4cCI6MTM3NjU0MDA2MzUxOCwiaXNzIjoibW9ja215aWQuY29tIn0.IeUR0_3ayAZkdNSXjF4aaCwSHnHa4X1lzrjX-qkNcPIbXx1hmQQPwg~eyJhbGciOiJEUzEyOCJ9.eyJleHAiOjEzNzY1MzY3MDc2MzUsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3QifQ.NJ8H1qZcWXbXfPJSdgB_mORHQ442ZkY0XYfdQsZZsIjooG7k7qWyVw
navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; }});
require_once('Auth/BrowserID.php');
$verifier = new Auth_BrowserID('http://123done.org');$result = $verifier->verifyAssertion($_POST['assertion']);
{ status: “okay”,
audience: “http://123done.org”,
expires: 1344849682560,
email: “[email protected]”,
issuer: “login.persona.org”}
require_once('Auth/BrowserID.php');
$verifier = new Auth_BrowserID('http://123done.org');$result = $verifier->verifyAssertion($_POST['assertion']);
if ($result->status === 'okay') { echo "Hi " . $result->email;} else { echo "Error: " . $result->reason;}
{ status: “failed”,
reason: “assertion has expired”}
require_once('Auth/BrowserID.php');
$verifier = new Auth_BrowserID('http://123done.org');$result = $verifier->verifyAssertion($_POST['assertion']);
if ($result->status === 'okay') { echo "Hi " . $result->email;} else { echo "Error: " . $result->reason;}
navigator.id.logout()
navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; }});
1. load javascript library
1. load javascript library
2. setup login & logout callbacks
1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons
1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons
4. verify proof of ownership
1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons
4. verify proof of ownership
no API keyneeded
how simple is it
for domain owners?
https://eyedee.me/.well-known/browserid:
{ "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html"}
https://eyedee.me/.well-known/browserid:
{ "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html"}
https://eyedee.me/.well-known/browserid:
{ "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html"}
https://eyedee.me/.well-known/browserid:
{ "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html"}
https://eyedee.me/.well-known/browserid:
{ "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html"}
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again
one small request
building a new site:default to Persona
working on an existing site/app:add support for Persona
before
after
after
navigator.id.request()
ALTER TABLE userDROP COLUMN password;
To learn more about Persona:
https://login.persona.org/http://identity.mozilla.com/
https://developer.mozilla.org/docs/Persona/Why_Personahttps://developer.mozilla.org/docs/Persona/Quick_Setup
https://github.com/mozilla/browserid-cookbookhttps://developer.mozilla.org/docs/Persona/Libraries_and_plugins
https://wiki.mozilla.org/Identity#Get_Involved
@fmarier http://fmarier.org
© 2013 François Marier <[email protected]>This work is licensed under aCreative Commons Attribution-ShareAlike 3.0 New Zealand License.
Laptop password: https://secure.flickr.com/photos/reidrac/4696900602/
Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/
Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
Yubikey: https://secure.flickr.com/photos/knk/3379897261/
Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/
Photo credits: