Passwords are a big problem online and a lot of websites have turned to centralized services to handle logins for them. It's a disturbing trend from a privacy/surveillance point of view, but from a software freedom point of view, it's also turning these proprietary services into core dependencies. That's why Mozilla is building Persona, a new federated and cross-browser system which makes identity a standard part of the browser. It's simple, privacy-sensitive and entirely free software.

1. Passwords suck
but centralized proprietary
services are not the answer
François Marier – @fmarier

2. member number
4061

4. 501c3

5. mission
keeping the web
open & innovative

6. principles
free software
privacy
users in control

7. threat: passwords

8. threat: passwords
password alternatives

9. why?

10. passwords
are hard to
remember

12. re-use

21. not just another
technical problem

25. wanted:
better login solution for
free software developers

27. decentralized

28. myid.com/u/francois

33. privacy®

34. using the web should not
require a Facebook account

36. decentralized

37. decentralized
privacy-sensitive

38. decentralized
privacy-sensitive
simple

39. decentralized
privacy-sensitive
simple
free software

40. in your browser

41. how does it work?

42. fmarier@gnu.org

43. <digital signatures 101>

44. private public

45. public

46. My name is
François Marier
and my email is
too long to fit
on one line.

47. My name is
François Marier
and my email is
too long to fit
on one line.
private

48. My name is
François Marier
and my email is
too long to fit
on one line.
public

49. sign verify

50. </digital signatures 101>

51. fmarier@gnu.org

52. getting a proof of email ownership

53. authenticate?

54. authenticate?
public key

55. authenticate?
public key
signed public key

56. you have a signed statement from your
provider that you own your email address

64. logging into a 3rd party site

65. assertion
mediagoblin.org
Valid for: 2 minutes

66. assertion
mediagoblin.org
Valid for: 2 minutes
check audience

67. assertion
mediagoblin.org
Valid for: 2 minutes
check audience
check expiry

68. assertion
mediagoblin.org
Valid for: 2 minutes
check audience
check expiry
check signature

69. assertion
public key
mediagoblin.org
Valid for: 2 minutes

70. assertion
mediagoblin.org
Valid for: 2 minutes

71. assertion
session cookie

72. Persona is federated &
protects your privacy

73. achieving
the vision

75. email providers
browser vendors

76. email providers

77. fmarier@gnu.org

78. fmarier@gnu.org

79. fallback identity provider

83. persona.org account

84. support for all email providers

85. browser vendors

86. navigator.id.*

90. js

91. support for all
modern browsers
>= 8

92. support for all
modern browsers
>= 8

93. support for free
browsers too

94. email providers
browser vendors

95. using it on your site

97. <script src=”https://login.persona.org/include.js”>
</script>
</body></html>

98. navigator.id.watch({
loggedInEmail: “francois@mozilla.com”,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
// do something
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

99. navigator.id.watch({
loggedInUser: “francois@mozilla.com”,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
// do something
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

100. navigator.id.watch({
loggedInUser: null,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
// do something
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

101. navigator.id.watch({
loggedInUser: null,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
// do something
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

102. navigator.id.watch({
loggedInUser: null,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
window.location = '/';
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

104. navigator.id.request()

108. navigator.id.watch({
loggedInUser: null,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
window.location = '/';
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

109. navigator.id.watch({
loggedInUser: null,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
window.location = '/home';
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

110. def verify_assertion(assertion):
page = requests.post(
'https://verifier.login.persona.org/verify',
Data={ "assertion": assertion,
"audience": 'http://123done.org'})
data = page.json
return data.status == 'okay'

111. def verify_assertion(assertion):
page = requests.post(
'https://verifier.login.persona.org/verify',
Data={ "assertion": assertion,
"audience": 'http://123done.org'})
data = page.json
return data.status == 'okay'

112. {
status: “okay”,
audience: “http://123done.org”,
expires: 1344849682560,
email: “francois@mozilla.com”,
issuer: “login.persona.org”
}

113. {
status: “failed”,
reason: “assertion has expired”
}

117. navigator.id.logout()

118. navigator.id.watch({
loggedInUser: null,
onlogin: function (assertion) {
$.post('/login',
{assertion: assertion},
function (data) {
window.location = '/home';
}
);
},
onlogout: function () {
window.location = '/logout';
}
});

120. 1. load javascript library

121. 1. load javascript library
2. setup login & logout callbacks

122. 1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons

123. 1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons
4. verify proof of ownership

124. you can add Persona to
your site in one afternoon

125. wanna help us
solve the
password problem?

126. add Persona to
your project/site
tell us about your
experience
email one site
asking for it

127. add Persona to
your project/site
tell us about your
experience
email one site
asking for it

128. add Persona to
your project/site
tell us about your
experience
email one site
asking for it

130. To learn more about Persona:
https://login.persona.org/
http://identity.mozilla.com/
https://developer.mozilla.org/docs/Persona/Why_Persona
https://developer.mozilla.org/docs/Persona/Quick_Setup
https://github.com/mozilla/browserid-cookbook
https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
http://123done.org/
https://wiki.mozilla.org/Identity#Get_Involved
@fmarier http://fmarier.org

131. Who's using Persona?

132. identity provider API
https://eyedee.me/.well-known/browserid:
{
"public-key": {
"algorithm":"RS",
"n":"8606...",
"e":"65537"
},
"authentication": "/browserid/sign_in.html",
"provisioning": "/browserid/provision.html"
}

133. identity provider API
https://eyedee.me/.well-known/browserid:
{
"public-key": {
"algorithm":"RS",
"n":"8606...",
"e":"65537"
},
"authentication": "/browserid/sign_in.html",
"provisioning": "/browserid/provision.html"
}

134. identity provider API
https://eyedee.me/.well-known/browserid:
{
"public-key": {
"algorithm":"RS",
"n":"8606...",
"e":"65537"
},
"authentication": "/browserid/sign_in.html",
"provisioning": "/browserid/provision.html"
}

135. identity provider API
https://eyedee.me/.well-known/browserid:
{
"public-key": {
"algorithm":"RS",
"n":"8606...",
"e":"65537"
},
"authentication": "/browserid/sign_in.html",
"provisioning": "/browserid/provision.html"
}

136. identity provider API
https://eyedee.me/.well-known/browserid:
{
"public-key": {
"algorithm":"RS",
"n":"8606...",
"e":"65537"
},
"authentication": "/browserid/sign_in.html",
"provisioning": "/browserid/provision.html"
}

137. identity provider API
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again

138. identity provider API
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again

139. identity provider API
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again

140. identity provider API
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication page
4. call the provisioning endpoint again

141. Photo credits:
Laptop password: https://secure.flickr.com/photos/reidrac/4696900602/
Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
Elephant in room: https://secure.flickr.com/photos/bitboy/246805948/
Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/
Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/
US passport: https://secure.flickr.com/photos/damian613/5077609023/
© 2013 François Marier <francois@mozilla.com>
This work is licensed under a
Creative Commons Attribution-ShareAlike 3.0 New Zealand License.