Easy logins for JavaScript web applications

1.
Easy logins forJavaScript web applications François Marier – @fmarier

12.
problem #1: passwords arehard to secure

13.
bcrypt / scrypt/ pbkdf2 per-user salt site secret password & lockout policies secure recovery

14.

15.

16.

17.

18.
bcrypt / scrypt/ pbkdf2 3 1 0 2 per-user salt d r o site secret w s s s a & lockoutne p password li policies e id u secure recovery g

19.
passwords are hardto secure they are a liability

20.
ALTER TABLE user DROPCOLUMN password;

21.
problem #2: passwords arehard to remember

22.
pick an easypassword

23.
pick an easypassword use it everywhere

24.
passwords are hardto remember they need to be reset

26.
control email account = control all accounts

28.
“People want alittle dating before marriage.” Eric Vishria – Rockmelt

30.
decentralised

31.
myid.com/u/francois

34.
privacy®

35.
existing login systems arenot good enough

36.
ideal web-wide identitysystem

37.

38.

39.

40.
what if itwere a standard part of the web browser?

42.
how does itwork?

43.
fmarier@gmail.com

44.
fmarier@gmail.com

45.
getting a proofof email ownership

46.
authenticate?

47.
authenticate? public key

48.
authenticate? public key signed publickey

49.
you have asigned statement from your provider that you own your email address

51.
logging into a3rd party site

52.
assertion wikipedia.org Valid for: 2 minutes

53.
assertion wikipedia.org Valid for: 2 minutes checkaudience

54.
assertion wikipedia.org Valid for: 2 minutes checkaudience check expiry

55.
assertion wikipedia.org Valid for: 2 minutes checkaudience check expiry check signature

56.
assertion public key wikipedia.org Valid for: 2minutes

57.
assertion wikipedia.org Valid for: 2 minutes

58.
assertion session cookie

59.
demo #1: http://www.voo.st/ http://www.debuggex.com fmariertest@eyedee.me

60.
Persona is alreadya decentralised system

61.
decentralisation is theanswer, but it's not a product adoption strategy

62.
we can't waitfor all domains to adopt Persona

63.
we can't waitfor all domains to adopt Persona solution: a temporary centralised fallback

64.
demo #2: http://sloblog.io/ fmariertest@aol.com

65.
Persona already works withall email domains

66.
identity bridging

67.
demo #3: http://www.reasonwell.com/ fmariertest@yahoo.com

71.
Persona supports all modernbrowsers >= 8

72.
Persona is decentralised, simpleand cross-browser

73.
it's simple forusers, but is it also simple for developers?

75.
<script src=”https://login.persona.org/include.js”> </script> </body></html>

76.
navigator.id.watch({ loggedInEmail: “francois@mozilla.com”, onlogin: function(assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

77.
navigator.id.watch({ loggedInUser: “francois@mozilla.com”, onlogin: function(assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

78.
navigator.id.watch({ loggedInUser: null, onlogin: function(assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

79.
navigator.id.watch({ loggedInUser: null, onlogin: function(assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; } });

80.
navigator.id.watch({ loggedInUser: null, onlogin: function(assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });

82.
navigator.id.request()

86.
navigator.id.watch({ loggedInUser: null, onlogin: function(assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; } });

87.
eyJhbGciOiJEUzEyOCJ9.eyJwdWJsaWMta2V5Ijp7ImFsZ29yaXRobSI6IkRTIiwieSI6ImNhZDg2ZDg yNWU0MjBkMGI4Njk5MjM4ZDM5ZTFjYjIyOGMyMTk1NWFiMzcwOTQ1YzExNzBhMzM4NjcyNDM0ZDJmNGY xZDg5ZjFkZjMzNmU1ZjZjZjk2YjhiOTlmMjgyNmFjNTYxZmI1YWMyYTc4ZjNhMzBkNGYxNTVhYjc3ZGE xYmY3MWU4ZGMzNjQ0MmU2NjQ3MmE5Mjg0N2I2YjFlNDRkMTJlM2IwMjVjOWZmNTFmNDdhMWE5ZWYyMGZ hOTVjMTcxZjBkMTYzNGE4ZTY4YTk5NWU3ZjFjY2FiYTJlOTRjYTI3ODE1ZWVkMTcxYjY1YTJmZGQzNTE 1NjY3OTI0ZjUiLCJwIjoiZmY2MDA0ODNkYjZhYmZjNWI0NWVhYjc4NTk0YjM1MzNkNTUwZDlmMWJmMmE 5OTJhN2E4ZGFhNmRjMzRmODA0NWFkNGU2ZTBjNDI5ZDMzNGVlZWFhZWZkN2UyM2Q0ODEwYmUwMGU0Y2M xNDkyY2JhMzI1YmE4MWZmMmQ1YTViMzA1YThkMTdlYjNiZjRhMDZhMzQ5ZDM5MmUwMGQzMjk3NDRhNTE 3OTM4MDM0NGU4MmExOGM0NzkzMzQzOGY4OTFlMjJhZWVmODEyZDY5YzhmNzVlMzI2Y2I3MGVhMDAwYzN mNzc2ZGZkYmQ2MDQ2MzhjMmVmNzE3ZmMyNmQwMmUxNyIsInEiOiJlMjFlMDRmOTExZDFlZDc5OTEwMDh lY2FhYjNiZjc3NTk4NDMwOWMzIiwiZyI6ImM1MmE0YTBmZjNiN2U2MWZkZjE4NjdjZTg0MTM4MzY5YTY xNTRmNGFmYTkyOTY2ZTNjODI3ZTI1Y2ZhNmNmNTA4YjkwZTVkZTQxOWUxMzM3ZTA3YTJlOWUyYTNjZDV kZWE3MDRkMTc1ZjhlYmY2YWYzOTdkNjllMTEwYjk2YWZiMTdjN2EwMzI1OTMyOWU0ODI5YjBkMDNiYmM 3ODk2YjE1YjRhZGU1M2UxMzA4NThjYzM0ZDk2MjY5YWE4OTA0MWY0MDkxMzZjNzI0MmEzODg5NWM5ZDV iY2NhZDRmMzg5YWYxZDdhNGJkMTM5OGJkMDcyZGZmYTg5NjIzMzM5N2EifSwicHJpbmNpcGFsIjp7ImV tYWlsIjoiZm9vQG1vY2tteWlkLmNvbSJ9LCJpYXQiOjEzNzY1MzY0NjM1MTgsImV4cCI6MTM3NjU0MDA 2MzUxOCwiaXNzIjoibW9ja215aWQuY29tIn0.IeUR0_3ayAZkdNSXjF4aaCwSHnHa4X1lzrjX-qkNcPI bXx1hmQQPwg~eyJhbGciOiJEUzEyOCJ9.eyJleHAiOjEzNzY1MzY3MDc2MzUsImF1ZCI6Imh0dHA6Ly9 sb2NhbGhvc3QifQ.NJ8H1qZcWXbXfPJSdgB_mORHQ442ZkY0XYfdQsZZsIjooG7k7qWyVw

88.
navigator.id.watch({ loggedInUser: null, onlogin: function(assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });

89.
npm install browserid-verify

90.
const verify =require('browserid-verify')(); verify(assertion, 'http://123done.org', function(err, email, response) { if (err) { return console.log(err); } if (email) { session.user = response.email; } else { delete session.user; } });

91.
{ status: “okay”, audience: “http://123done.org”, expires:1344849682560, email: “francois@mozilla.com”, } issuer: “login.persona.org”

92.

93.
{ status: “failed”, } reason: “assertionhas expired”

94.

97.
navigator.id.logout()

98.
navigator.id.watch({ loggedInUser: null, onlogin: function(assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; } });

100.
1. load javascriptlibrary

101.
1. load javascriptlibrary 2. setup login & logout callbacks

102.
1. load javascriptlibrary 2. setup login & logout callbacks 3. add login and logout buttons

103.
1. load javascriptlibrary 2. setup login & logout callbacks 3. add login and logout buttons 4. verify proof of ownership

104.
no 1. load javascriptlibrary API key needed 2. setup login & logout callbacks 3. add login and logout buttons 4. verify proof of ownership

105.
you can addsupport for Persona in four easy steps

106.
Meteor express connect Jungles

107.
one simple request

109.
building a newsite: default to Persona

110.
working on anexisting site/app: add support for Persona

111.
before

112.
after

113.
after navigator.id.request()

115.
ALTER TABLE user DROPCOLUMN password;

116.
To learn moreabout Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook https://developer.mozilla.org/docs/Persona/Libraries_and_plugins http://123done.org/ https://wiki.mozilla.org/Identity#Get_Involved @fmarier http://fmarier.org

117.
identity provider API https://eyedee.me/.well-known/browserid: { "public-key":{ "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }

118.

119.

120.

121.

122.
identity provider API 1.check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

123.

124.

125.

126.
Photo credits: Top 500passwords: http://xato.net/passwords/more-top-worst-passwords/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/ Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/ © 2013 François Marier <francois@mozilla.com> This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.

Easy logins for JavaScript web applications

More Related Content

What's hot

Viewers also liked

Similar to Easy logins for JavaScript web applications

More from Francois Marier

Recently uploaded

Easy logins for JavaScript web applications