The web beyond "usernames & passwords"
francois-marier
Transcript of The web beyond "usernames & passwords"
Username: guido
Password: ****************
security
bcrypt
per-user salt
site secret
conversion rate
# hits -> signup -> signup_complete
lost customers
existing solutions
client certificates
centralized authorities

distributed
privacy-sensitive
simple
open source
how does Persona work?
getting a proof of email ownership
authenticate?
public key
signed public key
you have a signed statement from your provider that you own your email address
logging into a 3rd party site
assertion
Valid for: 2 minutes
wikipedia.org
check audience
check expiry
check signature
public key
session cookie
how much work does it take?
only 75 lines
html – js – python
<head><script src="https://login.persona.org/include.js"></script></head>

navigator.id.watch({
  // email of the user who is already logged in, null otherwise
  loggedInEmail: null,
  onlogin: function (assertion) {
    // send the assertion to the server for verification
    $.post('/login', {assertion: assertion}, function (data) {
      window.location = '/home';
    });
  },
  onlogout: function () {
    window.location = '/logout';
  }
});

navigator.id.request()
import requests

def verify_assertion(assertion):
    # the audience must be this site's own origin, set server-side
    page = requests.post('https://verifier.login.persona.org/verify',
                         data={"assertion": assertion,
                               "audience": 'http://123done.org'})
    data = page.json()
    return data['status'] == 'okay'
{ status: "okay",
  audience: "http://123done.org",
  expires: 1344849682560,
  email: "[email protected]",
  issuer: "login.persona.org" }
navigator.id.logout()
1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons
4. verify proof of ownership
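As an added example (not code from the slides), here is the relying-party side of step 4 in Python: the server validates the verifier's JSON answer, checking status, audience and expiry itself, before it issues a session. post_to_verifier is a hypothetical callable standing in for the HTTP call in verify_assertion, and the sample response is constructed.

```python
import time

# Constructed sample of the JSON the verifier returns for a good login;
# field names and shape follow the slides, the email is made up.
SAMPLE_OK = {
    "status": "okay",
    "audience": "http://123done.org",
    "expires": 1344849682560,
    "email": "alice@example.org",
    "issuer": "login.persona.org",
}


def accept_login(response, expected_audience, now_ms=None):
    """Return the verified email, or None if the login must be rejected.

    The verifier checks the signature, but the relying party still owns
    the audience and expiry checks: an assertion minted for a different
    site, or one replayed after its two-minute window, would otherwise
    log the bearer in.
    """
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    if response.get("status") != "okay":
        return None
    # Compare against the audience configured server-side, never one
    # supplied by the client alongside the assertion.
    if response.get("audience") != expected_audience:
        return None
    expires = response.get("expires")
    if not isinstance(expires, int) or expires <= now_ms:
        return None
    return response.get("email") or None


def login_handler(assertion, audience, post_to_verifier):
    """The /login endpoint's logic: submit the assertion, validate the
    answer and return the session data to store, or None."""
    response = post_to_verifier({"assertion": assertion, "audience": audience})
    email = accept_login(response, audience)
    if email is None:
        return None
    return {"email": email, "issuer": response.get("issuer")}


if __name__ == "__main__":
    # Offline stand-in for the verifier: the sample answer with a fresh expiry.
    fresh = dict(SAMPLE_OK, expires=int(time.time() * 1000) + 120000)
    print(login_handler("<assertion from browser>", "http://123done.org",
                        lambda payload: fresh))
```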
decentralization status
1. identity providers
{ status: "okay",
  audience: "http://123done.org",
  expires: 1344849682560,
  email: "[email protected]",
  issuer: "eyedee.me" }
fallback IdP: login.persona.org
{ status: "okay",
  audience: "http://123done.org",
  expires: 1344849682560,
  email: "[email protected]",
  issuer: "mozilla.com" }
{ status: "okay",
  audience: "http://123done.org",
  expires: 1344849682560,
  email: "[email protected]",
  issuer: "login.persona.org" }
support for all email providers
2. browser support
navigator.id.*
<head><script src="https://login.persona.org/include.js"></script></head>
support for all modern browsers
>= 8
3. assertion verification
https://verifier.login.persona.org
Persona is open for business!
To learn more about Persona:
https://login.persona.org/
http://identity.mozilla.com/
https://developer.mozilla.org/en-US/docs/BrowserID/Why_BrowserID
https://developer.mozilla.org/en-US/docs/BrowserID/Quick_Setup
https://github.com/mozilla/browserid-cookbook/tree/master/python
https://github.com/mozilla/browserid/wiki/BrowserID-Libraries
https://github.com/mozilla/django-browserid
http://123done.org/
@fmarier http://fmarier.org
© 2012 François Marier <[email protected]>
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.
Photo credits:
Laptop password: https://secure.flickr.com/photos/reidrac/4696900602/
Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/