Identity systems on the Web are a bit of a mess. Surely in 2013, we would have something else than usernames and passwords for logging into websites. A solution that doesn't require trusting a central authority. It turns out that solving the general identity problem is very hard. Some of these solutions require complicated redirections, an overwhelming amount of jargon and lots of verbose XML. The technology has been around for a long time, but implementing it properly (and safely) is often incredibly difficult. This talk will explore the challenges of the existing Web identity solutions and introduce the choices that we made during the development of Persona, a new cross-browser federated identity solution from Mozilla. It will cover: - a discussion of the complexities and privacy-related concerns that existing identity solutions have - how crypto is used in Persona to provide both authentication and privacy - the Persona federation approach: fully distributed with fallbacks - demos and actual code from sites that have implemented Persona - the basics of the Persona API so that attendees can go out and easily support this technology on their own sites Trying to convince users to pick unique (and strong) passwords for each website is a losing battle. What we're proposing is a standard, built into browsers, that leverages the new security features that email providers are now offering. A simple federated solution to eliminate site-specific passwords.

1. François Marier – @fmarier
Securing the Web
without site-specific
passwords

2. François Marier – @fmarier
F**k all of these
passwords, we can
do better than this!

3. solving the
password problem
on the web

4. problem #1:
passwords are hard to secure

15. bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery

16. bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery

17. bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery

18. bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery

19. bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery

20. bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
2013
2013
password
password
guidelines
guidelines

21. passwords are hard to secure
they are a liability

22. ALTER TABLE user
DROP COLUMN password;

23. problem #2:
passwords are hard to remember

24. users have two strategies

25. 1. pick an easy password

29. 2. reuse your password

30. negative externality:
sites that don't care about security
impose a cost on more important sites

31. passwords are hard to remember
they need to be reset

33. control
email
account
control
all
accounts
=

34. existing login solutions

35. client certificates

37. centralised authorities

38. existing login systems
are not good enough

39. ideal web-wide identity system

40. ●
decentralised
●
simple
●
cross-browser
ideal web-wide identity system

41. ●
decentralised
●
simple
●
cross-browser
ideal web-wide identity system

42. ●
decentralised
●
simple
●
cross-browser
ideal web-wide identity system

43. ●
decentralised
●
simple
●
cross-browser

44. how does it work?

45. fmarier@gmail.com

46. getting a proof of email ownership

47. authenticate?

48. authenticate?
public key

49. authenticate?
public key
signed public key

50. you have a signed statement from your
provider that you own your email address

52. logging into a 3rd party site

53. Valid for: 2 minutes
wikipedia.org
assertion

54. Valid for: 2 minutes
wikipedia.org
check audience
assertion

55. Valid for: 2 minutes
wikipedia.org
check audience
check expiry
assertion

56. Valid for: 2 minutes
wikipedia.org
check audience
check expiry
check signature
assertion

57. assertion
Valid for: 2 minutes
wikipedia.org
public key

58. assertion
Valid for: 2 minutes
wikipedia.org

59. assertion
session cookie

60. demo #1:
http://crossword.thetimes.co.uk/
fmariertest@eyedee.me

61. Persona is already a
decentralised system

62. decentralisation matters for:

63. decentralisation matters for:
●
choice
●
security
●
innovation

64. decentralisation matters for:
●
choice
●
security
●
innovation

65. decentralisation matters for:
●
choice
●
security
●
innovation

66. SMS with PIN codes

67. SMS with PIN codes
Jabber / XMPP

68. SMS with PIN codes
Jabber / XMPP
Yubikeys

69. SMS with PIN codes
Jabber / XMPP
Yubikeys
LDAP accounts

70. SMS with PIN codes
Jabber / XMPP
Yubikeys
LDAP accounts
Client certificates

71. SMS with PIN codes
Jabber / XMPP
Yubikeys
LDAP accounts
Client certificates
Password-wrapped secret key
{
"public-key": {
"algorithm":
"RS",
"n":"685484565272...",
"e":"65537"
},
"encrypted-private-key": {
"iv": "tmg7gztUQT...",
"salt": "JMtGwlF5UWY",
"ct": "8DdOjD1IA1..."
},
"authentication": "...",
"provisioning": "..."
}

72. decentralisation enables
innovation

73. decentralisation is the answer, but it's not
a product adoption strategy

74. we can't wait for all domains
to adopt Persona

75. we can't wait for all domains
to adopt Persona
solution: a temporary
centralised fallback

76. demo #2:
http://sloblog.io/
fmariertest@gmail.com

77. Persona already works
with all email domains

78. identity bridging

79. demo #3:
http://www.reasonwell.com/
fmariertest@yahoo.com

83. Persona supports
all modern browsers
>= 8

84. Persona is decentralised,
simple and cross-browser

85. it's simple for users, but is it also
simple for developers?

87. <script src=”https://login.persona.org/include.js”>
</script>
</body></html>

88. navigator.id.watch({
loggedInEmail: “francois@mozilla.com”,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
// do something
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

89. navigator.id.watch({
loggedInUser: “francois@mozilla.com”,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
// do something
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

90. navigator.id.watch({
loggedInUser: null,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
// do something
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

91. navigator.id.watch({
loggedInUser: null,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
// do something
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

92. navigator.id.watch({
loggedInUser: null,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
window.location = '/';
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

94. navigator.id.request()

98. navigator.id.watch({
loggedInUser: null,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
window.location = '/';
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

99. navigator.id.watch({
loggedInUser: null,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
window.location = '/home';
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

100. $ curl -d "assertion=<ASSERTION>&
audience=http://123done.org"
https://verifier.login.persona.org/verify

101. $ curl -d "assertion=<ASSERTION>&
audience=http://123done.org"
https://verifier.login.persona.org/verify

102. {
status: “okay”,
audience: “http://123done.org”,
expires: 1344849682560,
email: “francois@mozilla.com”,
issuer: “login.persona.org”
}

103. {
status: “failed”,
reason: “assertion has expired”
}

107. navigator.id.logout()

108. navigator.id.watch({
loggedInUser: null,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
window.location = '/home';
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

110. 1. load javascript library

111. 1. load javascript library
2. setup login & logout callbacks

112. 1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons

113. 1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons
4. verify proof of ownership

114. you can add support for
Persona in four easy steps

115. one simple request

117. building a new site:
default to Persona

118. working on an existing site:
add support for Persona

119. we need
your help
to eliminate
site-specific
passwords

120. To learn more about Persona:
https://login.persona.org/
http://identity.mozilla.com/
https://developer.mozilla.org/docs/Persona/Why_Persona
https://developer.mozilla.org/docs/Persona/Quick_Setup
https://github.com/mozilla/browserid-cookbook
https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
http://123done.org/
https://wiki.mozilla.org/Identity#Get_Involved
@fmarier http://fmarier.org

121. identity provider API
https://eyedee.me/.well-known/browserid:
{
"public-key": {
"algorithm":"RS",
"n":"8606...",
"e":"65537"
},
"authentication": "/browserid/sign_in.html",
"provisioning": "/browserid/provision.html"
}

122. https://eyedee.me/.well-known/browserid:
{
"public-key": {
"algorithm":"RS",
"n":"8606...",
"e":"65537"
},
"authentication": "/browserid/sign_in.html",
"provisioning": "/browserid/provision.html"
}
identity provider API

123. https://eyedee.me/.well-known/browserid:
{
"public-key": {
"algorithm":"RS",
"n":"8606...",
"e":"65537"
},
"authentication": "/browserid/sign_in.html",
"provisioning": "/browserid/provision.html"
}
identity provider API

124. https://eyedee.me/.well-known/browserid:
{
"public-key": {
"algorithm":"RS",
"n":"8606...",
"e":"65537"
},
"authentication": "/browserid/sign_in.html",
"provisioning": "/browserid/provision.html"
}
identity provider API

125. https://eyedee.me/.well-known/browserid:
{
"public-key": {
"algorithm":"RS",
"n":"8606...",
"e":"65537"
},
"authentication": "/browserid/sign_in.html",
"provisioning": "/browserid/provision.html"
}
identity provider API

126. identity provider API
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again

127. identity provider API
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again

128. identity provider API
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again

129. identity provider API
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again

130. © 2013 François Marier <francois@mozilla.com>
This work is licensed under a
Creative Commons Attribution-ShareAlike 3.0 New Zealand License.
Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/
Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/
Australian passport: https://secure.flickr.com/photos/digallagher/5453987637/
Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/
Photo credits: