the web beyond "usernames & passwords"
DESCRIPTION
Persona is a new cross-browser login and identity system for the web that is pragmatic, federated, and serves the user. Unlike other popular solutions, it puts a strong emphasis on privacy protection and makes your browser the trusted intermediary. Developed by Mozilla, it is based on the simple idea of users demonstrating ownership of their email address (with a generous serving of crypto magic under the hood). Video: https://www.youtube.com/watch?v=T6Iu7KgiC0A or https://www.youtube.com/watch?v=iZBTc7iEkQY
TRANSCRIPT
Username: guido
Password: ****************
security
bcrypt
per-user salt
site secret
conversion rate
[chart: # hits -> signup -> signup_complete; the users who drop out between each step are lost customers]
existing solutions
client certificates
centralized authorities
distributed
privacy-sensitive
simple
open source
how does Persona work?
getting a proof of email ownership
1. authenticate with your email provider
2. send it your public key
3. get back a signed public key
you have a signed statement from your provider that you own your email address
logging into a 3rd party site
the browser sends the site an assertion (Valid for: 2 minutes, audience: wikipedia.org) together with the signed public key
the site then has to:
check audience
check expiry
check signature (against the provider's public key, and the user's public key it certifies)
and finally sets a session cookie
how much work does it take?
only 75 lines: html – js – python
<head><script src="https://login.persona.org/include.js"></script></head>
navigator.id.watch({
  loggedInEmail: null,   // or the address of the user the site currently has logged in
  onlogin: function (assertion) {
    // send the assertion to the server for verification, then reload as logged in
    $.post('/login', {assertion: assertion}, function (data) {
      window.location = '/home';
    });
  },
  onlogout: function () {
    window.location = '/logout';
  }
});
navigator.id.request()
import requests

def verify_assertion(assertion):
    # the audience must be the site's own origin, fixed server-side
    page = requests.post(
        'https://verifier.login.persona.org/verify',
        data={"assertion": assertion, "audience": 'http://123done.org'})
    data = page.json()
    return data['status'] == 'okay'
{ status: "okay",
  audience: "http://123done.org",
  expires: 1344849682560,
  email: "[email protected]",
  issuer: "login.persona.org"}
navigator.id.logout()
1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons
4. verify proof of ownership
decentralization status
1. identity providers
{ status: "okay",
  audience: "http://123done.org",
  expires: 1344849682560,
  email: "[email protected]",
  issuer: "eyedee.me"}
fallback IdP: login.persona.org
{ status: "okay",
  audience: "http://123done.org",
  expires: 1344849682560,
  email: "[email protected]",
  issuer: "mozilla.com"}
{ status: "okay",
  audience: "http://123done.org",
  expires: 1344849682560,
  email: "[email protected]",
  issuer: "login.persona.org"}
support for all email providers
2. browser support
navigator.id.* (provided by the include.js shim where the browser has no native implementation)
<head><script src="https://login.persona.org/include.js"></script></head>
support for all modern browsers, IE >= 8
3. assertion verification
https://verifier.login.persona.org
Persona is open for business!
To learn more about Persona:
https://login.persona.org/
http://identity.mozilla.com/
https://developer.mozilla.org/en-US/docs/BrowserID/Why_BrowserID
https://developer.mozilla.org/en-US/docs/BrowserID/Quick_Setup
https://github.com/mozilla/browserid-cookbook/tree/master/python
https://github.com/mozilla/browserid/wiki/BrowserID-Libraries
https://github.com/mozilla/django-browserid
http://123done.org/
@fmarier http://fmarier.org
© 2012 François Marier <[email protected]> This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.
Photo credits:
Laptop password: https://secure.flickr.com/photos/reidrac/4696900602/
Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/