Killing Passwords with JavaScript
•
0 likes•1,320 views
François Marier discusses killing passwords with JavaScript and Persona identity system. Passwords are hard to secure and remember, so Persona aims to create a decentralized, simple, and cross-browser identity system as a standard part of web browsers. It works by using email addresses as identifiers and JavaScript APIs. Persona already has over 700 million users and works on any domain through identity bridging and a fallback. It is a simple solution for developers to add login functionality with just a few steps.
Report
Share
Killing Passwords with JavaScript
- 1. François Marier – @fmarier Killing Passwords with JavaScript
- 12. problem #1: passwords are hard to secure
- 13. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 14. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 15. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 16. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 17. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 18. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery 2013 2013 password password guidelines guidelines
- 19. passwords are hard to secure they are a liability
- 20. ALTER TABLE user DROP COLUMN password;
- 21. problem #2: passwords are hard to remember
- 24. pick an easy password
- 25. pick an easy password use it everywhere
- 26. passwords are hard to remember they need to be reset
- 30. “People want a little dating before marriage.” Eric Vishria – Rockmelt
- 32. decentralised
- 36. privacy®
- 37. existing login systems are not good enough
- 38. ideal web-wide identity system
- 42. what if it were a standard part of the web browser?
- 44. how does it work?
- 48. Persona is already a decentralised system
- 49. SMS with PIN codes
- 50. SMS with PIN codes Jabber / XMPP
- 51. SMS with PIN codes Jabber / XMPP Yubikeys
- 52. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts
- 53. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts Client certificates
- 54. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts Client certificates Password-wrapped secret key { "public-key": { "algorithm": "RS", "n":"685484565272...", "e":"65537" }, "encrypted-private-key": { "iv": "tmg7gztUQT...", "salt": "JMtGwlF5UWY", "ct": "8DdOjD1IA1..." }, "authentication": "...", "provisioning": "..." }
- 55. decentralisation is the answer, but it's not a product adoption strategy
- 56. we can't wait for all browsers to adopt Persona
- 57. navigator.id.*
- 61. we can't wait for all browsers to adopt Persona solution: a temporary javascript shim
- 62. L I F D
- 64. goal: trusted code running in the browser
- 66. localStorage localStorage.setItem("key", serializedKey); var serializedKey = localStorage.getItem("key");
- 70. Persona supports all modern browsers >= 8
- 71. we can't wait for all domains to adopt Persona
- 72. we can't wait for all domains to adopt Persona solution: a temporary centralised fallback
- 74. Persona already works with all email domains
- 80. lessons learned
- 87. #2nobody wants to be first
- 88. “how many users does Persona have?”
- 90. 700,000,000
- 91. #3if a problem has been around for a while, it's probably a hard one
- 92. see if you can solve part of the problem
- 93. $ ssh francois@myserver.com francois@myserver.com's password:
- 95. Persona is a simple solution for signing into the web
- 96. how simple is it for developers?
- 97. how simple is it for developers? 4 easy steps https://developer.mozilla.org/docs/Persona/Quick_Setup
- 98. 1. load javascript library <script src=”https://login.persona.org/include.js”>
- 99. 1. load javascript library 2. setup login & logout callbacks navigator.id.watch(...);
- 100. 1. load javascript library 2. setup login & logout callbacks navigator.id.watch(...);
- 101. 1. load javascript library 2. setup login & logout callbacks 3. add login and logout buttons navigator.id.request(); navigator.id.logout();
- 102. 1. load javascript library 2. setup login & logout callbacks 3. add login and logout buttons 4. verify proof of ownership
- 103. 1. load javascript library 2. setup login & logout callbacks 3. add login and logout buttons 4. verify proof of ownership no API key needed
- 104. one small request
- 106. building a new site: default to Persona
- 107. working on an existing site: add support for Persona
- 108. before
- 109. after
- 112. ALTER TABLE user DROP COLUMN password;
- 113. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook https://developer.mozilla.org/docs/Persona/Libraries_and_plugins https://wiki.mozilla.org/Identity#Get_Involved @fmarier http://fmarier.org
- 114. identity provider API https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }
- 115. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 116. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 117. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 118. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 119. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 120. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 121. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 122. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 123. © 2013 François Marier <francois@mozilla.com> This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Laptop password: https://secure.flickr.com/photos/reidrac/4696900602/ Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Yubikey: https://secure.flickr.com/photos/knk/3379897261/ Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/ Photo credits: