Persona: a federated and privacy-protecting login system for the whole Web
- 1. François Marier – @fmarier
Mozilla Persona
a federated and privacy-protecting
login system for the whole Web
- 14. bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
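The checklist above (a slow hash, a per-user salt, a site secret kept outside the user database, and a lockout policy) can be written down in a few dozen lines. The following is an added example, not code from the talk or from Mozilla: it uses PBKDF2-HMAC-SHA256 from the standard library as the slow hash, applies the site secret as an HMAC over the password before stretching, and implements a simple per-account lockout. The `SITE_SECRET` default, the iteration count and the lockout thresholds are placeholders chosen for the example.

```python
"""Password storage as the slide recommends (added example, not from the deck)."""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000   # tune so one hash costs ~100 ms on your hardware
SALT_BYTES = 16
MAX_FAILURES = 5              # lockout policy: failed attempts before lockout
LOCKOUT_SECONDS = 15 * 60

# Assumption: in production the site secret lives in a KMS or environment
# variable, never in the same database as the user table.
SITE_SECRET = os.environ.get("SITE_SECRET", "example-site-secret-change-me").encode()


def _peppered(password):
    """HMAC the password with the site secret; a leaked hash table is useless without it."""
    return hmac.new(SITE_SECRET, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' for storage."""
    salt = salt or os.urandom(SALT_BYTES)          # fresh random per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", _peppered(password), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Constant-time check of a password against a stored record."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", _peppered(password), salt, iterations)
    return hmac.compare_digest(digest, expected)


class LoginGate:
    """Per-account failure counter implementing a simple lockout policy."""

    def __init__(self, now=time.time):
        self._now = now
        self._failures = {}   # username -> (failure count, time of first failure)

    def is_locked(self, user):
        count, first = self._failures.get(user, (0, 0.0))
        if count < MAX_FAILURES:
            return False
        if self._now() - first >= LOCKOUT_SECONDS:
            self._failures.pop(user, None)   # lockout window elapsed; start fresh
            return False
        return True

    def attempt(self, user, password, stored):
        """Return True only if the account is not locked and the password matches."""
        if self.is_locked(user):
            return False
        if verify_password(password, stored):
            self._failures.pop(user, None)
            return True
        count, first = self._failures.get(user, (0, self._now()))
        self._failures[user] = (count + 1, first)
        return False


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

The stored record carries its own iteration count, so the cost can be raised later and old records re-hashed at next login; the site secret is applied before PBKDF2 rather than stored with the hash, which is what makes it a secret rather than a second salt.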
2013 password guidelines
- 31. “People want a little
dating before marriage.”
Eric Vishria – Rockmelt
- 43. what if it were a standard
part of the web browser?
- 48. why email addresses?
already federated
people know their email
natural association between person & email
easy to have separate identities
most sites need a way to contact users
no lock-in
- 59. we can't wait for all domains
to adopt Persona
solution: a temporary
centralised fallback
- 85. import requests

def verify_assertion(assertion):
    # Ask the verifier to check the assertion for this site's audience.
    page = requests.post(
        'https://verifier.login.persona.org/verify',
        data={"assertion": assertion,
              "audience": 'http://123done.org'}
    )
    data = page.json()                 # response body is a JSON object
    return data['status'] == 'okay'
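The slide's function only tests `status`. A relying party should also confirm that the verifier agreed on the audience (so an assertion minted for another site cannot be accepted here), take the email address from the verifier's answer rather than from the client, and respect the expiry. The following is an added example, not the talk's code: the HTTP call is injectable so the checking logic runs offline, and the two response objects are constructed samples in the shape the Persona verifier documented (`expires` is treated as milliseconds since the epoch, which is how the verifier reported it).

```python
"""Checking the Persona verifier's answer (added example, not from the deck)."""
import json
import time
import urllib.parse
import urllib.request

VERIFIER_URL = "https://verifier.login.persona.org/verify"


def post_to_verifier(assertion, audience):
    """Real HTTP call; only used when no poster is injected."""
    body = urllib.parse.urlencode({"assertion": assertion, "audience": audience}).encode()
    with urllib.request.urlopen(VERIFIER_URL, body, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def check_verifier_response(data, expected_audience, now=None):
    """Return the verified email address, or None if the assertion must be rejected."""
    now = time.time() if now is None else now
    if data.get("status") != "okay":
        return None                      # verifier rejected it; reason is in data["reason"]
    if data.get("audience") != expected_audience:
        return None                      # assertion was issued for a different site
    expires = data.get("expires")        # milliseconds since the epoch
    if not isinstance(expires, (int, float)) or expires / 1000.0 <= now:
        return None
    email = data.get("email")
    if not isinstance(email, str) or "@" not in email:
        return None
    return email                         # the only identity the app should trust


def verify_assertion(assertion, audience, poster=post_to_verifier, now=None):
    """Full round trip: POST to the verifier, then apply the checks above."""
    return check_verifier_response(poster(assertion, audience), audience, now)


# Constructed sample responses (not captured from a live verifier).
OKAY_RESPONSE = {
    "status": "okay",
    "email": "alice@example.com",
    "audience": "http://123done.org",
    "expires": 1_700_000_000_000,
    "issuer": "login.persona.org",
}
FAILURE_RESPONSE = {"status": "failure", "reason": "assertion has expired"}
```

With the checks separated from the transport, the rejection paths (wrong audience, expired, failure status) can be exercised without network access, which is also how the audience check should be regression-tested after any change to the site's origin.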
- 99. 1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons
4. verify proof of ownership
no API key needed
- 100. you can add support for
Persona in four easy steps
- 110. To learn more about Persona:
https://login.persona.org/
http://identity.mozilla.com/
https://developer.mozilla.org/docs/Persona/Why_Persona
https://developer.mozilla.org/docs/Persona/Quick_Setup
https://github.com/mozilla/browserid-cookbook
https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
http://123done.org/
https://wiki.mozilla.org/Identity#Get_Involved
@fmarier http://fmarier.org
- 116. identity provider API
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again
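Step 1 of that flow is the browser fetching `https://<domain>/.well-known/browserid`, a JSON document that either publishes the domain's public key plus its authentication and provisioning endpoints, or delegates to another domain through an `authority` field. Below is an added example, not code from the talk or from Mozilla, of resolving that document: it follows delegation with a hop limit, detects loops, and treats a missing document as the case where the centralised fallback from slide 59 would take over. The fetcher is injectable; the documents are constructed samples using the field names of the BrowserID support document, and the rule that endpoints must be same-origin paths is this example's own policy.

```python
"""Resolving an identity provider's support document (added example, not from the deck)."""
import json

MAX_DELEGATION_HOPS = 5
REQUIRED_FIELDS = ("public-key", "authentication", "provisioning")


class NoSupportDocument(Exception):
    """The domain publishes nothing: the browser would use the centralised fallback."""


def resolve_support_document(domain, fetch, max_hops=MAX_DELEGATION_HOPS):
    """Follow 'authority' delegation from `domain`; return (issuing domain, document).

    `fetch(url)` returns the document body as a string, or None if there is none.
    Raises NoSupportDocument when the chain ends without a document and
    ValueError on malformed documents, loops or too many hops.
    """
    seen = []
    current = domain
    for _ in range(max_hops + 1):
        if current in seen:
            raise ValueError("delegation loop via %s" % current)
        seen.append(current)
        raw = fetch("https://%s/.well-known/browserid" % current)
        if raw is None:
            raise NoSupportDocument(current)
        doc = json.loads(raw)
        if not isinstance(doc, dict):
            raise ValueError("support document for %s is not a JSON object" % current)
        if "authority" in doc:
            current = doc["authority"]   # delegated: ask the named domain instead
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in doc]
        if missing:
            raise ValueError("%s is missing %s" % (current, ", ".join(missing)))
        for endpoint in ("authentication", "provisioning"):
            if not (isinstance(doc[endpoint], str) and doc[endpoint].startswith("/")):
                raise ValueError("%s endpoint must be a same-origin path" % endpoint)
        return current, doc
    raise ValueError("more than %d delegation hops from %s" % (max_hops, domain))


# Constructed sample documents keyed by the URL the browser would fetch.
SAMPLE_DOCS = {
    "https://example.com/.well-known/browserid": json.dumps({
        "public-key": {"algorithm": "RS", "n": "<modulus placeholder>", "e": "65537"},
        "authentication": "/browserid/sign_in.html",
        "provisioning": "/browserid/provision.html",
    }),
    "https://mail.example.org/.well-known/browserid": json.dumps({"authority": "example.com"}),
    "https://loop-a.test/.well-known/browserid": json.dumps({"authority": "loop-b.test"}),
    "https://loop-b.test/.well-known/browserid": json.dumps({"authority": "loop-a.test"}),
    "https://broken.test/.well-known/browserid": json.dumps({"public-key": {}}),
}


if __name__ == "__main__":
    print(resolve_support_document("mail.example.org", SAMPLE_DOCS.get))
```

The issuing domain returned alongside the document matters: the public key that signs certificates for `mail.example.org` addresses is the one published by `example.com`, so the verifier must use the key of the domain that ended the delegation chain, not the address's own domain.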
- 120. © 2013 François Marier <francois@mozilla.com>
This work is licensed under a
Creative Commons Attribution-ShareAlike 3.0 New Zealand License.
Photo credits:
Hotel doorman: https://secure.flickr.com/photos/wildlife_encounters/8024166802/
Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/
Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/
Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/