Saturday 3:15 p.m.–4 p.m.

Beyond Passwords: Secure Authentication with Mozilla Persona

Dan Callahan

Audience level: Intermediate
Category: Useful Libraries

Description

Mozilla Persona is a decentralized, cross-browser authentication system that completely eliminates website passwords. It's simple, secure, and privacy-protecting. This talk explores the design of Persona with a focus on adding it as a login option to Python-based webapps, drawing from Mozilla's own experience switching many Django (and non-Django) sites away from passwords and to Persona.

Abstract

Persona is a decentralized login system from Mozilla that works on all major browsers and allows websites to completely get rid of passwords, without sacrificing security or a direct relationship with users.

Persona in Context: Passwords, OpenID, and Social Auth

This talk will explain the Persona authentication model as it relates to traditional passwords, OpenID, and social authentication.

The past decade has seen an explosion of new ways to log into websites, especially amongst social providers vying to own users' "identities" in increasingly many contexts. Meanwhile, a vast majority of sites still rely on and prefer usernames and passwords, despite the hassle of storing and managing them.

Persona seeks to combine the best of these extremes, offering a smooth, password-free experience for users and developers while still maintaining a direct relationship between users and sites. It has many similarities to OpenID, but with a stronger emphasis on user experience, user privacy, and ease of implementation. To accomplish this, Persona employs a unique, federated architecture with centralized fallback services that automatically fade away as the system gains traction.

Persona From Scratch in 30 Lines of Code

This talk will demonstrate adding Persona authentication to a Flask-based site in 30 lines of code, and then briefly discuss why framework-specific modules are still useful.

Integrating Persona into a site from scratch can take as few as 30 lines of code. This ease of implementation has produced unique challenges for library authors: just what exactly does a library need to provide if users can roll their own implementations in less than an hour?

Mozilla's own success with a Persona module for Django has demonstrated the value of well-thought-out libraries, despite the ease of custom integration. Specifically, more feature-filled web frameworks tend to require greater finesse when integrating Persona.

Preparing for Persona: Lessons Learned

Persona is easy to implement and easy to use, but there are still "gotchas." Mozilla has converted and built many sites which rely on Persona: come learn from our experience.