Persona: a federated and privacy-protecting login system for the whole Web
•
0 likes•678 views
1. Mozilla Persona is a proposed decentralized and privacy-protecting login system that uses email addresses as identifiers and aims to replace passwords on the entire web. 2. Passwords are difficult for users to secure and remember, making them problematic as primary login credentials. Persona aims to solve these problems by leveraging existing email identities in a simple and cross-browser compatible way. 3. Developers can easily add support for Persona login to their sites in just a few steps by including a JavaScript library and setting up login/logout callbacks without needing an API key.
Report
Share
Persona: a federated and privacy-protecting login system for the whole Web
- 1. François Marier – @fmarier Mozilla Persona a federated and privacy-protecting login system for the whole Web
- 2. passwords
- 3. problem #1: passwords are hard to secure
- 14. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 15. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 16. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 17. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 18. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 19. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery 2013 2013 password password guidelines guidelines
- 20. passwords are hard to secure they are a liability
- 21. ALTER TABLE user DROP COLUMN password;
- 22. problem #2: passwords are hard to remember
- 25. pick an easy password
- 26. pick an easy password use it everywhere
- 27. passwords are hard to remember they need to be reset
- 31. “People want a little dating before marriage.” Eric Vishria – Rockmelt
- 33. decentralised
- 37. privacy®
- 38. existing login systems are not good enough
- 39. ideal web-wide identity system
- 43. what if it were a standard part of the web browser?
- 45. how does it work?
- 48. why email addresses? already federated people know their email natural association between person & email easy to have separate identities most sites need a way to contact users no lock-in
- 49. why email addresses? already federated people know their email natural association between person & email easy to have separate identities most sites need a way to contact users no lock-in
- 50. why email addresses? already federated people know their email natural association between person & email easy to have separate identities most sites need a way to contact users no lock-in
- 51. why email addresses? already federated people know their email natural association between person & email easy to have separate identities most sites need a way to contact users no lock-in
- 52. why email addresses? already federated people know their email natural association between person & email easy to have separate identities most sites need a way to contact users no lock-in
- 53. why email addresses? already federated people know their email natural association between person & email easy to have separate identities most sites need a way to contact users no lock-in
- 56. Persona is already a decentralised system
- 57. decentralisation is the answer, but it's not a product adoption strategy
- 58. we can't wait for all domains to adopt Persona
- 59. we can't wait for all domains to adopt Persona solution: a temporary centralised fallback
- 61. Persona already works with all email domains
- 67. Persona supports all modern browsers >= 8
- 68. Persona is decentralised, simple and cross-browser
- 69. it's simple for users, but is it also simple for developers?
- 72. navigator.id.watch({ loggedInEmail: “francois@mozilla.com”, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });
- 73. navigator.id.watch({ loggedInUser: “francois@mozilla.com”, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });
- 74. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });
- 75. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });
- 76. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });
- 82. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });
- 84. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });
- 85. def verify_assertion(assertion): page = requests.post( 'https://verifier.login.persona.org/verify', data={ "assertion": assertion, "audience": 'http://123done.org'} ) data = page.json return data.status == 'okay'
- 86. def verify_assertion(assertion): page = requests.post( 'https://verifier.login.persona.org/verify', data={ "assertion": assertion, "audience": 'http://123done.org'} ) data = page.json return data.status == 'okay'
- 87. def verify_assertion(assertion): page = requests.post( 'https://verifier.login.persona.org/verify', data={ "assertion": assertion, "audience": 'http://123done.org'} ) data = page.json return data.status == 'okay'
- 88. { status: “okay”, audience: “http://123done.org”, expires: 1344849682560, email: “francois@mozilla.com”, issuer: “login.persona.org” }
- 89. { status: “failed”, reason: “assertion has expired” }
- 93. navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });
- 95. 1. load javascript library
- 96. 1. load javascript library 2. setup login & logout callbacks
- 97. 1. load javascript library 2. setup login & logout callbacks 3. add login and logout buttons
- 98. 1. load javascript library 2. setup login & logout callbacks 3. add login and logout buttons 4. verify proof of ownership
- 99. 1. load javascript library 2. setup login & logout callbacks 3. add login and logout buttons 4. verify proof of ownership no API key needed
- 100. you can add support for Persona in four easy steps
- 101. one simple request
- 103. building a new site: default to Persona
- 104. working on an existing site/app: add support for Persona
- 105. before
- 106. after
- 109. ALTER TABLE user DROP COLUMN password;
- 110. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook https://developer.mozilla.org/docs/Persona/Libraries_and_plugins http://123done.org/ https://wiki.mozilla.org/Identity#Get_Involved @fmarier http://fmarier.org
- 111. identity provider API https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }
- 112. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 113. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 114. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 115. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 116. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 117. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 118. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 119. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 120. © 2013 François Marier <francois@mozilla.com> This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Hotel doorman: https://secure.flickr.com/photos/wildlife_encounters/8024166802/ Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/ Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/ Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/ Photo credits: