Mozilla Persona

Matjaž Horvat, @mathjazz

Username
Password

#1 Hard for developers

Earlier this morning, The Verge reported that a user in a Russian forum had obtained nearly 6.5 million passwords from the business networking site LinkedIn.

Hackers posted online what they say is login information for more than 450,000 Yahoo users.

#2 Hard for users

#3 Conversion rate

Existing Solutions

Centralized Authorities

Mozilla Persona

  • Distributed
  • Privacy-sensitive
  • Simple for developers and users
  • Open source
  • Available in 50 languages

Verified e-mail address

Proof of e-mail ownership

Authenticate →

Public key →

← Signed public key

Demo

Signing in

Assertion →
(audience, expiry, signature)

← Session cookie

Protocol

Using it on your site

  1. Load JS Library
  2. Set up login & logout callbacks
  3. Verify proof of ownership
  4. Add login & logout buttons

Load JS Library

<script src="https://login.persona.org/include.js"></script>

Set up login & logout callbacks

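				navigator.id.watch({
				    // null: the site has no logged-in user for this session yet
				    loggedInUser: null,
				    // Called with a signed assertion after the user picks an e-mail address
				    onlogin: function (assertion) {
				        // Hand the assertion to the server, which must verify it
				        $.post('/login',
				            {assertion: assertion},
				            function(data) {
				                window.location = '/home';
				            }
				        );
				    },
				    // Called when the user logs out; end the server-side session
				    onlogout: function() {
				        window.location = '/logout/';
				    }
				});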
			

Verify proof of ownership

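				import requests

				def verify_assertion(assertion):
				    # Post the assertion to the remote verifier. The audience is this
				    # site's own origin, fixed in server code.
				    page = requests.post(
				        'https://verifier.login.persona.org/verify',
				        data={"assertion": assertion,
				              "audience": 'http://mozilla.org'})

				    # Parse the JSON body and accept only an explicit "okay"
				    data = page.json()
				    return data['status'] == 'okay'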
			

Output from the verifier

				{
				    "status": "okay",
				    "audience": "http://mozilla.org",
				    "expires": 1244849682560,
				    "email": "matjaz.horvat@gmail.com",
				    "issuer": "login.persona.org"
				}
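
A stricter form of the status check above, as an added example that is not from the talk or the Persona project: it accepts a parsed verifier response only when status, audience and expiry all hold, and returns the e-mail address to bind the session to. The function name, the exception class and the sample values are assumptions, and `expires` is assumed to be milliseconds since the epoch, as the 13-digit value in the output suggests.

```python
import time

# This site's own origin, fixed in server configuration (value from the slide).
EXPECTED_AUDIENCE = "http://mozilla.org"

# Constructed sample in the shape of the verifier output shown above.
SAMPLE_RESPONSE = {
    "status": "okay",
    "audience": "http://mozilla.org",
    "expires": 1244849682560,
    "email": "user@example.org",
    "issuer": "login.persona.org",
}
NOW_MS = 1244849000000  # constructed "current time", shortly before expiry


class AssertionRejected(Exception):
    """The verifier response must not be used to create a session."""


def email_from_verifier_response(resp, expected_audience=EXPECTED_AUDIENCE,
                                 now_ms=None):
    """Return the verified e-mail address or raise AssertionRejected."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    if not isinstance(resp, dict) or resp.get("status") != "okay":
        raise AssertionRejected("verifier did not return status 'okay'")
    # An assertion issued for a different site must not log anyone in here.
    if resp.get("audience") != expected_audience:
        raise AssertionRejected("audience mismatch")
    expires = resp.get("expires")
    if isinstance(expires, bool) or not isinstance(expires, int) \
            or expires <= now_ms:
        raise AssertionRejected("assertion expired or expiry missing")
    email = resp.get("email")
    if not isinstance(email, str) or "@" not in email:
        raise AssertionRejected("no e-mail address in response")
    return email


if __name__ == "__main__":
    print(email_from_verifier_response(SAMPLE_RESPONSE, now_ms=NOW_MS))
    try:
        wrong_site = dict(SAMPLE_RESPONSE, audience="http://other.example")
        email_from_verifier_response(wrong_site, now_ms=NOW_MS)
    except AssertionRejected as exc:
        print("rejected:", exc)
```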
			

Add login & logout buttons

navigator.id.request()

When login button clicked, open Persona dialog

navigator.id.logout()

When logout button clicked, call onlogout() callback

Ready?

Email providers ✓

login.persona.org

Browser vendors ✓

navigator.id.*

Assertion Verification

verifier.login.persona.org

Ready!

Thank you

Francois Marier

Lloyd Hilaiel

Shane Tomlinson

Dan Callahan