A few people like to say that passwords are dead, but the reality is far from it. First of all, we can't get rid of passwords entirely, because the alternatives all suck: physical tokens are easy to lose and retina scans are pretty creepy. What we should focus on is eliminating site-specific passwords. Mozilla Persona was introduced at OSDC last year, but a number of new things have been added to it since. But more importantly, it's still the best shot we have at a decentralized web-wide identity system that works for average users and doesn't violate their privacy. So I'm back to show you what's new and to talk about what organizations can gain from adding native support on their domain. It's time to solve the password problem on the web.

1. You’re still using
passwords on your
site?
François Marier – @fmarier

12. problem #1:
passwords are hard to secure

13. bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery

14. bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery

15. bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery

16. bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery

17. bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery

18. bcrypt / scrypt / pbkdf2
3
1
0
2
per-user salt
d
r
o
site secret
w
s
s
s
a & lockoutne
p
password
li policies
e
id
u
secure recovery
g

19. passwords are hard to secure
they are a liability

20. ALTER TABLE user
DROP COLUMN password;

21. problem #2:
passwords are hard to remember

24. pick an easy password

25. pick an easy password
use it everywhere

26. passwords are hard to remember
they need to be reset

28. control
email
account
=
control
all
accounts

30. “People want
a little dating
before marriage.”
Eric Vishria – Rockmelt

32. decentralised

33. myid.com/u/francois

36. privacy®

37. existing login systems
are not good enough

38. ideal web-wide identity system

39. ideal web-wide identity system

40. ideal web-wide identity system

41. ideal web-wide identity system

42. what if it were a standard
part of the web browser?

44. how does it work?

45. fmarier@gmail.com

46. why email addresses?

47. why email addresses?
already federated
people know their email
natural association between person & email
easy to have separate identities
most sites need a way to contact users
no lock-in

48. why email addresses?
already federated
people know their email
natural association between person & email
easy to have separate identities
most sites need a way to contact users
no lock-in

49. why email addresses?
already federated
people know their email
natural association between person & email
easy to have separate identities
most sites need a way to contact users
no lock-in

50. why email addresses?
already federated
people know their email
natural association between person & email
easy to have separate identities
most sites need a way to contact users
no lock-in

51. why email addresses?
already federated
people know their email
natural association between person & email
easy to have separate identities
most sites need a way to contact users
no lock-in

52. why email addresses?
already federated
people know their email
natural association between person & email
easy to have separate identities
most sites need a way to contact users
no lock-in

53. fmarier@gmail.com

54. demo #1:
http://www.voo.st/
http://bornthiswayfoundation.org
fmariertest@eyedee.me

55. Persona is already a
decentralised system

56. SMS with PIN codes

57. SMS with PIN codes
Jabber / XMPP

58. SMS with PIN codes
Jabber / XMPP
Yubikeys

59. SMS with PIN codes
Jabber / XMPP
Yubikeys
LDAP accounts

60. SMS with PIN codes
Jabber / XMPP
Yubikeys
LDAP accounts
Client certificates

61. SMS with PIN codes
{
Jabber / XMPP
Yubikeys
LDAP accounts
Client certificates
}
"public-key": {
"algorithm":
"RS",
"n":"685484565272...",
"e":"65537"
},
"encrypted-private-key": {
"iv": "tmg7gztUQT...",
"salt": "JMtGwlF5UWY",
"ct": "8DdOjD1IA1..."
},
"authentication": "...",
"provisioning": "..."
Password-wrapped secret key

62. decentralisation is the answer, but it's not
a product adoption strategy

63. we can't wait for all browsers
to adopt Persona

64. navigator.id.*

68. we can't wait for all browsers
to adopt Persona
solution: a temporary
javascript shim

69. goal: trusted code
running in the browser

70. login.persona.org

71. localStorage
localStorage.setItem("key", serializedKey);
var serializedKey = localStorage.getItem("key");

72. storage tied to
login.persona.org

73. window.postMessage()

74. postMessage
localStorage
https://login.persona.org

75. Persona supports
all modern browsers
>= 8

76. we can't wait for all domains
to adopt Persona

77. we can't wait for all domains
to adopt Persona
solution: a temporary
centralised fallback

78. demo #2:
http://sloblog.io/
fmariertest@aol.com

79. Persona already works
with all email domains

80. identity bridging

81. demo #3:
http://www.reasonwell.com/
fmariertest@yahoo.com

84. Persona works everywhere

85. lessons learned

86. #1
user testing
is critical

90. #2
nobody wants
to be first

91. “how many users
does Persona have?”

93. 700,000,000

94. #3
if a problem has
been around for a
while, it's probably
a hard one

95. see if you can solve
part of the problem

96. $ ssh francois@myserver.com
francois@myserver.com's password:

98. Persona is a simple
sign-in solution
for the web

99. how simple is it
for developers?

101. <script src=”https://login.persona.org/include.js”>
</script>
</body></html>

102. navigator.id.watch({
loggedInEmail: “francois@mozilla.com”,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
// do something
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

103. navigator.id.watch({
loggedInUser: “francois@mozilla.com”,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
// do something
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

104. navigator.id.watch({
loggedInUser: null,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
// do something
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

105. navigator.id.watch({
loggedInUser: null,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
// do something
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

106. navigator.id.watch({
loggedInUser: null,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
window.location = '/';
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

108. navigator.id.request()

112. navigator.id.watch({
loggedInUser: null,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
window.location = '/';
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

113. eyJhbGciOiJEUzEyOCJ9.eyJwdWJsaWMta2V5Ijp7ImFsZ29yaXRobSI6IkRTIiwieSI6ImNhZDg2ZDg
yNWU0MjBkMGI4Njk5MjM4ZDM5ZTFjYjIyOGMyMTk1NWFiMzcwOTQ1YzExNzBhMzM4NjcyNDM0ZDJmNGY
xZDg5ZjFkZjMzNmU1ZjZjZjk2YjhiOTlmMjgyNmFjNTYxZmI1YWMyYTc4ZjNhMzBkNGYxNTVhYjc3ZGE
xYmY3MWU4ZGMzNjQ0MmU2NjQ3MmE5Mjg0N2I2YjFlNDRkMTJlM2IwMjVjOWZmNTFmNDdhMWE5ZWYyMGZ
hOTVjMTcxZjBkMTYzNGE4ZTY4YTk5NWU3ZjFjY2FiYTJlOTRjYTI3ODE1ZWVkMTcxYjY1YTJmZGQzNTE
1NjY3OTI0ZjUiLCJwIjoiZmY2MDA0ODNkYjZhYmZjNWI0NWVhYjc4NTk0YjM1MzNkNTUwZDlmMWJmMmE
5OTJhN2E4ZGFhNmRjMzRmODA0NWFkNGU2ZTBjNDI5ZDMzNGVlZWFhZWZkN2UyM2Q0ODEwYmUwMGU0Y2M
xNDkyY2JhMzI1YmE4MWZmMmQ1YTViMzA1YThkMTdlYjNiZjRhMDZhMzQ5ZDM5MmUwMGQzMjk3NDRhNTE
3OTM4MDM0NGU4MmExOGM0NzkzMzQzOGY4OTFlMjJhZWVmODEyZDY5YzhmNzVlMzI2Y2I3MGVhMDAwYzN
mNzc2ZGZkYmQ2MDQ2MzhjMmVmNzE3ZmMyNmQwMmUxNyIsInEiOiJlMjFlMDRmOTExZDFlZDc5OTEwMDh
lY2FhYjNiZjc3NTk4NDMwOWMzIiwiZyI6ImM1MmE0YTBmZjNiN2U2MWZkZjE4NjdjZTg0MTM4MzY5YTY
xNTRmNGFmYTkyOTY2ZTNjODI3ZTI1Y2ZhNmNmNTA4YjkwZTVkZTQxOWUxMzM3ZTA3YTJlOWUyYTNjZDV
kZWE3MDRkMTc1ZjhlYmY2YWYzOTdkNjllMTEwYjk2YWZiMTdjN2EwMzI1OTMyOWU0ODI5YjBkMDNiYmM
3ODk2YjE1YjRhZGU1M2UxMzA4NThjYzM0ZDk2MjY5YWE4OTA0MWY0MDkxMzZjNzI0MmEzODg5NWM5ZDV
iY2NhZDRmMzg5YWYxZDdhNGJkMTM5OGJkMDcyZGZmYTg5NjIzMzM5N2EifSwicHJpbmNpcGFsIjp7ImV
tYWlsIjoiZm9vQG1vY2tteWlkLmNvbSJ9LCJpYXQiOjEzNzY1MzY0NjM1MTgsImV4cCI6MTM3NjU0MDA
2MzUxOCwiaXNzIjoibW9ja215aWQuY29tIn0.IeUR0_3ayAZkdNSXjF4aaCwSHnHa4X1lzrjX-qkNcPI
bXx1hmQQPwg~eyJhbGciOiJEUzEyOCJ9.eyJleHAiOjEzNzY1MzY3MDc2MzUsImF1ZCI6Imh0dHA6Ly9
sb2NhbGhvc3QifQ.NJ8H1qZcWXbXfPJSdgB_mORHQ442ZkY0XYfdQsZZsIjooG7k7qWyVw

114. navigator.id.watch({
loggedInUser: null,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
window.location = '/home';
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

115. require_once('Auth/BrowserID.php');
$verifier = new Auth_BrowserID('http://123done.org');
$result = $verifier->verifyAssertion($_POST['assertion']);

116. {
status: “okay”,
audience: “http://123done.org”,
expires: 1344849682560,
email: “francois@mozilla.com”,
}
issuer: “login.persona.org”

117. require_once('Auth/BrowserID.php');
$verifier = new Auth_BrowserID('http://123done.org');
$result = $verifier->verifyAssertion($_POST['assertion']);
if ($result->status === 'okay') {
echo "Hi " . $result->email;
} else {
echo "Error: " . $result->reason;
}

118. {
status: “failed”,
}
reason: “assertion has expired”

119. require_once('Auth/BrowserID.php');
$verifier = new Auth_BrowserID('http://123done.org');
$result = $verifier->verifyAssertion($_POST['assertion']);
if ($result->status === 'okay') {
echo "Hi " . $result->email;
} else {
echo "Error: " . $result->reason;
}

122. navigator.id.logout()

123. navigator.id.watch({
loggedInUser: null,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
window.location = '/home';
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

125. 1. load javascript library

126. 1. load javascript library
2. setup login & logout callbacks

127. 1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons

128. 1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons
4. verify proof of ownership

129. no
1. load javascript library API key
needed
2. setup login & logout callbacks
3. add login and logout buttons
4. verify proof of ownership

130. how simple is it
for domain owners?

131. https://eyedee.me/.well-known/browserid:
{
"public-key": {
"algorithm":"RS",
"n":"8606...",
"e":"65537"
},
"authentication": "/browserid/sign_in.html",
"provisioning": "/browserid/provision.html"
}

132. https://eyedee.me/.well-known/browserid:
{
"public-key": {
"algorithm":"RS",
"n":"8606...",
"e":"65537"
},
"authentication": "/browserid/sign_in.html",
"provisioning": "/browserid/provision.html"
}

133. https://eyedee.me/.well-known/browserid:
{
"public-key": {
"algorithm":"RS",
"n":"8606...",
"e":"65537"
},
"authentication": "/browserid/sign_in.html",
"provisioning": "/browserid/provision.html"
}

134. https://eyedee.me/.well-known/browserid:
{
"public-key": {
"algorithm":"RS",
"n":"8606...",
"e":"65537"
},
"authentication": "/browserid/sign_in.html",
"provisioning": "/browserid/provision.html"
}

135. https://eyedee.me/.well-known/browserid:
{
"public-key": {
"algorithm":"RS",
"n":"8606...",
"e":"65537"
},
"authentication": "/browserid/sign_in.html",
"provisioning": "/browserid/provision.html"
}

136. 1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again

137. 1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again

138. 1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again

139. 1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again

140. one small request

142. building a new site:
default to Persona

143. working on an existing site/app:
add support for Persona

144. before

145. after

146. after
navigator.id.request()

148. ALTER TABLE user
DROP COLUMN password;

149. To learn more about Persona:
https://login.persona.org/
http://identity.mozilla.com/
https://developer.mozilla.org/docs/Persona/Why_Persona
https://developer.mozilla.org/docs/Persona/Quick_Setup
https://github.com/mozilla/browserid-cookbook
https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
https://wiki.mozilla.org/Identity#Get_Involved
@fmarier
http://fmarier.org

150. Photo credits:
Laptop password: https://secure.flickr.com/photos/reidrac/4696900602/
Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/
Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
Yubikey: https://secure.flickr.com/photos/knk/3379897261/
Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/
© 2013 François Marier <francois@mozilla.com>
This work is licensed under a
Creative Commons Attribution-ShareAlike 3.0 New Zealand License.