taking the pain out of signing users in

Post on 08-May-2015


François Marier – @fmarier

Taking the pain out of signing users in

passwords

problem #1:

passwords are hard to secure

bcrypt / scrypt / pbkdf2

per-user salt

site secret

password & lockout policies

secure recovery

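What the "bcrypt / scrypt / pbkdf2 + per-user salt + site secret" slide adds up to in practice, as an added example that is not from the talk: a PBKDF2 password store with a random salt per user and a site secret (pepper) that lives outside the database, so a dumped user table alone is not enough for offline guessing. The secret value and iteration count are placeholders.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Placeholder site secret: in a real deployment this comes from config or a
# secrets store, never from the same database as the password hashes.
SITE_SECRET = b"example-site-secret-kept-outside-the-db"
ITERATIONS = 200_000  # tune to the slowest acceptable login on your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage. A fresh 16-byte salt is generated
    per user unless one is supplied for re-verification."""
    if salt is None:
        salt = os.urandom(16)
    # Apply the site secret first: HMAC(pepper, password) feeds PBKDF2, so the
    # stored digest cannot be attacked without also knowing SITE_SECRET.
    peppered = hmac.new(SITE_SECRET, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)
```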

2013 password guidelines

passwords are hard to secure

they are a liability

ALTER TABLE user DROP COLUMN password;

problem #2:

passwords are hard to remember

pick an easy password

use it everywhere

passwords are hard to remember

they need to be reset

control email account = control all accounts

“People want a little dating before marriage.”

Eric Vishria – Rockmelt

decentralised

myid.com/u/francois

existing login systems are not good enough

ideal web-wide identity system

● decentralised
● simple
● cross-browser

what if it were a standard part of the web browser?

how does it work?

fmarier@gmail.com

demo #1:

http://www.voo.st/

fmariertest@eyedee.me

Persona is already a decentralised system

decentralisation is the answer, but it's not a product adoption strategy

we can't wait for all domains to adopt Persona

solution: a temporary centralised fallback

demo #2:

http://sloblog.io/

fmariertest@aol.com

Persona already works with all email domains

identity bridging

demo #3:

http://www.reasonwell.com/

fmariertest@yahoo.com

>= 8

Persona is decentralized, simple and cross-browser

it's simple for users, but is it also simple for developers?

    <script src="https://login.persona.org/include.js"></script>
  </body>
</html>

navigator.id.watch({
  loggedInUser: null,
  onlogin: function (assertion) {
    $.post('/login', {assertion: assertion}, function (data) {
      window.location = '/home';
    });
  },
  onlogout: function () {
    window.location = '/logout';
  }
});

navigator.id.watch({
  loggedInUser: "francois@mozilla.com",
  onlogin: function (assertion) {
    $.post('/login', {assertion: assertion}, function (data) {
      window.location = '/home';
    });
  },
  onlogout: function () {
    window.location = '/logout';
  }
});


navigator.id.request()


import requests

def verify_assertion(assertion):
    # hand the browser's assertion to the verifier together with our own
    # origin as the audience, so an assertion issued for another site is rejected
    page = requests.post(
        'https://verifier.login.persona.org/verify',
        data={"assertion": assertion, "audience": 'http://123done.org'}
    )
    data = page.json()
    return data['status'] == 'okay'


{
  "status": "okay",
  "audience": "http://123done.org",
  "expires": 1344849682560,
  "email": "francois@mozilla.com",
  "issuer": "login.persona.org"
}

{
  "status": "failed",
  "reason": "assertion has expired"
}
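The server-side check the slides reduce to `status == 'okay'`, carried a little further as an added example (not from the talk or the Persona libraries): before trusting the verifier's reply, the relying party also confirms that the returned audience is its own origin and that the assertion has not expired, using the two sample responses shown above. The sample bodies and the helper name are constructed for this example.

```python
import json
from typing import Optional

# The relying party's own origin, as sent in the "audience" field.
EXPECTED_AUDIENCE = "http://123done.org"

# Constructed sample bodies modelled on the verifier replies above.
OKAY_RESPONSE = json.dumps({
    "status": "okay",
    "audience": "http://123done.org",
    "expires": 1344849682560,
    "email": "francois@mozilla.com",
    "issuer": "login.persona.org",
})
FAILED_RESPONSE = json.dumps({"status": "failed", "reason": "assertion has expired"})


def check_verifier_response(body: str, expected_audience: str, now_ms: int) -> Optional[str]:
    """Return the verified email address, or None if the login must be rejected.

    Only an 'okay' reply whose audience is this site and whose expiry
    (milliseconds since the epoch) is still in the future is accepted.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("status") != "okay":
        return None
    # An assertion minted for a different site must never log someone in here.
    if data.get("audience") != expected_audience:
        return None
    expires = data.get("expires")
    if not isinstance(expires, int) or expires <= now_ms:
        return None
    email = data.get("email")
    if not isinstance(email, str) or "@" not in email:
        return None
    return email
```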

navigator.id.logout()


1. load the JavaScript library

2. set up login & logout callbacks

3. add login and logout buttons

4. verify proof of ownership


you can add support for Persona in four easy steps

one simple request

building a new site: default to Persona

working on an existing site/app: add support for Persona

To learn more about Persona:

https://login.persona.org/
http://identity.mozilla.com/
https://developer.mozilla.org/docs/Persona/Quick_Setup
https://github.com/mozilla/browserid-cookbook
https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
http://123done.org/
https://wiki.mozilla.org/Identity#Get_Involved

@fmarier

© 2013 François Marier <francois@mozilla.com> This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.

Photo credits:

Hotel doorman: https://secure.flickr.com/photos/wildlife_encounters/8024166802/

Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/

Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/

Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/

Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/

Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/