François Marier – @fmarier

the web beyondusernames & passwords

Username:guido

Password:****************

security

bcrypt

bcrypt

per-user salt

bcrypt

per-user salt

site secret

conversionrate

# hits

signup

# hits

signup signup_complete

# hits

signup signup_complete

l o s t cust-omers

existing solutions

client certificates

centralized authorities

distributed

distributedprivacy-sensitive

distributedprivacy-sensitive

simple

distributedprivacy-sensitive

simpleopen source

how does Persona work?

francois@mozilla.com

getting a proof of email ownership

getting a proof of email ownership

authenticate?

getting a proof of email ownership

authenticate?

public key

getting a proof of email ownership

authenticate?

public key

signed public key

you have a signed statement from yourprovider that you own your email address

logging into a 3rd party site

logging into a 3rd party site

Valid for: 2 minutes

wikipedia.org

assertion

logging into a 3rd party site

Valid for: 2 minutes

wikipedia.org

check audience

assertion

logging into a 3rd party site

Valid for: 2 minutes

wikipedia.org

check audiencecheck expiry

assertion

logging into a 3rd party site

Valid for: 2 minutes

wikipedia.org

check audiencecheck expirycheck signature

assertion

logging into a 3rd party site

assertion

Valid for: 2 minutes

wikipedia.org

public key

logging into a 3rd party site

assertion

Valid for: 2 minutes

wikipedia.org

logging into a 3rd party site

assertion

session cookie

how much work does it take?

only 75 lines

only 75 lineshtml – js – python

<head><script src=”https://login.persona.org/include.js”></script></head>

navigator.id.watch({ loggedInEmail: “francois@mozilla.com”, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; }});

navigator.id.watch({ loggedInEmail: “francois@mozilla.com”, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; }});

navigator.id.watch({ loggedInEmail: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; }});

navigator.id.watch({ loggedInEmail: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; }});

navigator.id.watch({ loggedInEmail: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; }});

navigator.id.request()

navigator.id.watch({ loggedInEmail: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; }});

navigator.id.watch({ loggedInEmail: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; }});

def verify_assertion(assertion):

page = requests.post( 'https://verifier.login.persona.org/verify', Data={ "assertion": assertion, "audience": 'http://123done.org'})

data = page.json return data.status == 'okay'

{ status: “okay”,

audience: “http://123done.org”,

expires: 1344849682560,

email: “francois@mozilla.com”,

issuer: “login.persona.org”}

navigator.id.logout()

navigator.id.watch({ loggedInEmail: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; }});

1. load javascript library

1. load javascript library

2. setup login & logout callbacks

1. load javascript library

2. setup login & logout callbacks

3. add login and logout buttons

1. load javascript library

2. setup login & logout callbacks

3. add login and logout buttons

4. verify proof of ownership

decentralization status

1. identity providers

{ status: “okay”,

audience: “http://123done.org”,

expires: 1344849682560,

email: “francois@eyedee.me”,

issuer: “eyedee.me”}

fallback IdP:

login.persona.org

{ status: “okay”,

audience: “http://123done.org”,

expires: 1344849682560,

email: “francois@mozilla.com”,

issuer: “mozilla.com”}

{ status: “okay”,

audience: “http://123done.org”,

expires: 1344849682560,

email: “francois@mozilla.com”,

issuer: “login.persona.org”}

support for all email providers

2. browser support

navigator.id.*

<head><script src=”https://login.persona.org/include.js”></script></head>

support for allmodern browsers

>= 8

3. assertion verification

https://verifier.login.persona.org

=

Persona is open for business!

To learn more about Persona:

https://login.persona.org/http://identity.mozilla.com/

https://developer.mozilla.org/en-US/docs/BrowserID/Why_BrowserIDhttps://developer.mozilla.org/en-US/docs/BrowserID/Quick_Setup

https://github.com/mozilla/browserid-cookbook/tree/master/pythonhttps://github.com/mozilla/browserid/wiki/BrowserID-Librarieshttps://github.com/mozilla/django-browserid

http://123done.org/

@fmarier http://fmarier.org

© 2012 François Marier <francois@mozilla.com>This work is licensed under aCreative Commons Attribution-ShareAlike 3.0 New Zealand License.

Laptop password: https://secure.flickr.com/photos/reidrac/4696900602/

Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/

Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/

Photo credits: