Securing the Web without site-specific passwords
- 2. François Marier – @fmarier
F**k all of these
passwords, we can
do better than this!
- 14. bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
2013 password guidelines
- 45. what if it were a standard
part of the web browser?
- 54. you have a signed statement from your
provider that you own your email address
- 58. Valid for: 2 minutes
wikipedia.org
check audience
assertion
- 59. Valid for: 2 minutes
wikipedia.org
check audience
check expiry
assertion
- 60. Valid for: 2 minutes
wikipedia.org
check audience
check expiry
check signature
assertion
- 70. SMS with PIN codes
Jabber / XMPP
Yubikeys
LDAP accounts
Client certificates
- 71. SMS with PIN codes
Jabber / XMPP
Yubikeys
LDAP accounts
Client certificates
Password-wrapped secret key
{
  "public-key": {
    "algorithm": "RS",
    "n": "685484565272...",
    "e": "65537"
  },
  "encrypted-private-key": {
    "iv": "tmg7gztUQT...",
    "salt": "JMtGwlF5UWY",
    "ct": "8DdOjD1IA1..."
  },
  "authentication": "...",
  "provisioning": "..."
}
- 74. we can't wait for all domains
to adopt Persona
solution: a temporary
centralised fallback
- 102. require_once('Auth/BrowserID.php');
$verifier = new Auth_BrowserID('http://123done.org');
$result = $verifier->verifyAssertion($_POST['assertion']);
if ($result->status === 'okay') {
echo "Hi " . $result->email;
} else {
echo "Error: " . $result->reason;
}
- 112. 1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons
- 113. 1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons
4. verify proof of ownership
- 114. 1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons
4. verify proof of ownership
no API key
needed
- 115. you can add support for
Persona in four easy steps
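The four steps wired together, as an added example that is not code from the talk or from the Persona project. `navigator.id.watch`, `navigator.id.request` and `navigator.id.logout` are the client API that Persona's include.js provided and the verifier URL is the centralised fallback the deck refers to; the button objects, the `postAssertion` and `httpPost` transports and the synchronous call style are stand-ins so the logic runs in Node without a browser.

```javascript
// Added example (not from the slides or the Persona project): the four
// relying-party steps in one place. Transports and buttons are injected stand-ins.

// Step 1: load the JavaScript library. On a page this is
//   <script src="https://login.persona.org/include.js"></script>
// which defines navigator.id; here that object is passed in as navigatorId.

// Steps 2 and 3: register the login/logout callbacks, then hook up the buttons.
function setupPersona(navigatorId, { loggedInUser, loginButton, logoutButton, postAssertion }) {
  // loggedInUser is the server's current session user (or null), passed so the
  // browser's idea of who is logged in matches the server's
  const state = { user: loggedInUser, lastResult: null };
  navigatorId.watch({
    loggedInUser,
    onlogin(assertion) {
      // Step 4 starts here: the assertion is only a claim until the server checks it
      const result = postAssertion(assertion);
      state.lastResult = result;
      if (result.status === 'okay') {
        state.user = result.email;
      } else {
        navigatorId.logout(); // server refused: make the browser forget the login too
      }
    },
    onlogout() {
      state.user = null; // the server session would be destroyed here as well
    },
  });
  loginButton.onclick = () => navigatorId.request();
  logoutButton.onclick = () => navigatorId.logout();
  return state;
}

// Step 4, server side: send assertion + audience to the centralised verifier and
// trust only its answer. audience is the site's own origin (scheme, host, port),
// e.g. 'http://123done.org' as in the PHP snippet on slide 102.
// httpPost(url, jsonBody) -> parsed JSON response; injected so it can be faked.
function verifyViaCentralVerifier(assertion, audience, httpPost) {
  const response = httpPost('https://verifier.login.persona.org/verify', { assertion, audience });
  if (!response || response.status !== 'okay') {
    return { status: 'failure', reason: (response && response.reason) || 'verifier rejected assertion' };
  }
  // Defensive: the verifier echoes the audience it checked, and it must be ours
  if (response.audience !== audience) {
    return { status: 'failure', reason: 'audience mismatch' };
  }
  return { status: 'okay', email: response.email };
}
```

The "no API key needed" point on slide 114 is visible here: the only secret the relying party holds is its own session cookie; the verifier call carries nothing but the assertion and the audience, and a site that forgets to pass its real audience gets an assertion minted for some other site accepted, which is why the audience is checked in the response too.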
- 125. To learn more about Persona:
https://login.persona.org/
http://identity.mozilla.com/
https://developer.mozilla.org/docs/Persona/Why_Persona
https://developer.mozilla.org/docs/Persona/Quick_Setup
https://github.com/mozilla/browserid-cookbook
https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
http://123done.org/
https://wiki.mozilla.org/Identity#Get_Involved
@fmarier http://fmarier.org
- 131. identity provider API
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again
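The four-step identity-provider loop above, together with the centralised fallback from slide 74 for domains that serve no `/.well-known/browserid`, as an added example that is not code from the talk or the Persona project. The document shape (`public-key`, `authentication`, `provisioning`) follows the deck; the fallback host `login.persona.org` is the one the deck links to; the HTTP fetch, the provisioning call and the authentication page are injected functions so the flow runs offline.

```javascript
// Added example (not from the slides): browser-side IdP discovery and
// certificate provisioning, with the centralised fallback. I/O is injected.

const FALLBACK_IDP = 'login.persona.org'; // the temporary centralised fallback from the deck

function domainOf(email) {
  const at = email.lastIndexOf('@');
  if (at < 1 || at === email.length - 1) throw new Error('not an email address');
  return email.slice(at + 1).toLowerCase();
}

// Step 1: check for /.well-known/browserid on the email's domain.
// fetchWellKnown(domain) -> parsed JSON document, or null if the domain serves none.
// A document missing any field we depend on is treated the same as no document,
// so a half-configured domain degrades to the fallback instead of breaking login.
function discoverIdp(domain, fetchWellKnown) {
  const doc = fetchWellKnown(domain);
  const usable = doc && doc['public-key']
    && typeof doc.authentication === 'string' && typeof doc.provisioning === 'string';
  if (usable) return { host: domain, doc, primary: true };
  return { host: FALLBACK_IDP, doc: fetchWellKnown(FALLBACK_IDP), primary: false };
}

// Steps 2-4: try the provisioning endpoint; if the user is not yet authenticated
// there, show the IdP's authentication page, then call provisioning again.
// io.provision(endpointUrl, email) -> certificate, or null when not authenticated
// io.authenticate(pageUrl, email) -> shows the IdP login page (side effect only)
function obtainCertificate(email, io) {
  const idp = discoverIdp(domainOf(email), io.fetchWellKnown);
  if (!idp.doc) return { status: 'failure', reason: 'no identity provider reachable' };
  const provisioning = `https://${idp.host}${idp.doc.provisioning}`;
  const authentication = `https://${idp.host}${idp.doc.authentication}`;
  let cert = io.provision(provisioning, email);          // step 2
  if (!cert) {
    io.authenticate(authentication, email);               // step 3
    cert = io.provision(provisioning, email);             // step 4
  }
  if (!cert) return { status: 'failure', reason: 'provisioning failed after authentication' };
  return { status: 'okay', issuer: idp.host, primary: idp.primary, cert };
}
```

The `issuer` field matters downstream: a relying party that receives a certificate for `alice@example.com` should see it signed by `example.com`'s key (or by the fallback's key only while `example.com` has no well-known document); the discovery step is what establishes which key is allowed to vouch for which domain.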
- 135. © 2013 François Marier <francois@mozilla.com>
This work is licensed under a
Creative Commons Attribution-ShareAlike 3.0 New Zealand License.
Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
Photo credits:
Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/
Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/
Australian passport: https://secure.flickr.com/photos/digallagher/5453987637/
Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/