
Report from PyCon Canada


Dan Callahan

Nov 14, 2012, 11:59:17 AM11/14/12
Hi all,

I recently attended and spoke at the first PyCon Canada. The video of my
talk, "Beyond Passwords: Secure Authentication with Mozilla Persona" is
online at:
http://pyvideo.org/video/1566/beyond-passwords-secure-authentication-with-mozilla-persona

Persona got a wonderfully warm reception, and many attendees were
familiar with it from a Django Toronto presentation the previous month.

One attendee successfully added Persona to his site within hours of the
presentation! Generally, people were enthusiastic, felt like we were on
the right track, and were really excited about native integration in
future versions of Firefox and FirefoxOS.

Acting out the protocol on stage got a big round of applause -- can
anyone point me to our animation mavens so we can make a nice video that
explains the protocol?

Most of the resistance I saw stemmed from objections we've seen before.
In particular:

1. Several RPs wanted more customization for the popup.

http://soapboxhq.com/ suggested that just being able to change the hue
of the popup to better coordinate with their customers' sites would go a
long way.

2. Several people thought a popup might be too jarring for users.

As a result, they were hesitant to commit to Persona until it gains more
traction or gets native integration.

3. Common concerns around Persona not Solving Everything.

"What does Persona do to help me avoid spambots?"
"What if I don't trust my email provider?"
"Couldn't you phish users with phony IdP login pages?"

I also ran into a few people that wanted to lump Persona in with other
social buttons on their sites. They thought of Persona as another login
method, *not* a replacement for their existing login system. I'm not
sure how to tweak my message to alter that preconception.

Perhaps most intriguing / novel: three separate people asked me how they
could revoke Persona access from a site, as if they were conflating
Persona with OAuth. I need to tweak the presentation to be more explicit
about how the protocol works (there's nothing to revoke!)

Still, the overall response was great. Choice tweets:

@bourgetalexndre
"Great talk about Mozilla Persona! USE IT! By dcallahan #PyConCa"

@zmanji
"Fantastic talk on Persona at #pyconca. Truly the future of ID and
authentication."

@grahammccarthy
Hey @i_am_brennan, We should add persona to @SoapBoxHQ . Especially for
@callahad's birthday. #pyconca /cc @iandouglas736 @mozilla

Cheers,
-Callahad

Melvin Carvalho

Nov 20, 2012, 10:08:29 AM11/20/12
to Dan Callahan, dev-id...@lists.mozilla.org
On 14 November 2012 17:59, Dan Callahan <dcal...@mozilla.com> wrote:

> Hi all,
>
> I recently attended and spoke at the first PyCon Canada. The video of my
> talk, "Beyond Passwords: Secure Authentication with Mozilla Persona" is
> online at:
> http://pyvideo.org/video/1566/beyond-passwords-secure-authentication-with-mozilla-persona
>
> Persona got a wonderfully warm reception, and many attendees were familiar
> with it from a Django Toronto presentation the previous month.
>
> One attendee successfully added Persona to his site within hours of the
> presentation! Generally, people were enthusiastic, felt like we were on the
> right track, and were really excited about native integration in future
> versions of Firefox and FirefoxOS.
>
> Acting out the protocol on stage got a big round of applause -- can anyone
> point me to our animation mavens so we can make a nice video that explains
> the protocol?
>
> Most of the resistance I saw stemmed from objections we've seen before. In
> particular:
>
> 1. Several RPs wanted more customization for the popup.
>
> http://soapboxhq.com/ suggested that just being able to change the hue of
> the popup to better coordinate with their customers' sites would go a long
> way.
>
> 2. Several people thought a popup might be too jarring for users.
>
> As a result, they were hesitant to commit to Persona until it gains more
> traction or gets native integration.
>
> 3. Common concerns around Persona not Solving Everything.
>
> "What does Persona do to help me avoid spambots?"
> "What if I don't trust my email provider?"
> "Couldn't you phish users with phony IdP login pages?"
>

Thanks for gathering this feedback.

Been thinking about this third question for a while.

Regarding the third question here: is phishing a concern? I just went
through the flow on the Mozilla site. On the popup, what should the user
look for in order to determine that they are not giving their credentials
away to the wrong party? For example, in Opera there is a green icon top
left that says 'Trusted'. Is this enough, or would the user normally need
to look at the certificate and ensure that it is either Mozilla or their
email provider?


>
> I also ran into a few people that wanted to lump Persona in with other
> social buttons on their sites. They thought of Persona as another login
> method, *not* a replacement for their existing login system. I'm not sure
> how to tweak my message to alter that preconception.
>
> Perhaps most intriguing / novel: three separate people asked me how they
> could revoke Persona access from a site, as if they were conflating Persona
> with OAuth. I need to tweak the presentation to be more explicit about how
> the protocol works (there's nothing to revoke!)
>
> Still, the overall response was great. Choice tweets:
>
> @bourgetalexndre
> "Great talk about Mozilla Persona! USE IT! By dcallahan #PyConCa"
>
> @zmanji
> "Fantastic talk on Persona at #pyconca. Truly the future of ID and
> authentication."
>
> @grahammccarthy
> Hey @i_am_brennan, We should add persona to @SoapBoxHQ . Especially for
> @callahad's birthday. #pyconca /cc @iandouglas736 @mozilla
>
> Cheers,
> -Callahad
> _______________________________________________
> dev-identity mailing list
> dev-id...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-identity
>

Ben Adida

Nov 20, 2012, 2:47:28 PM11/20/12
to Melvin Carvalho, dev-id...@lists.mozilla.org

On Tuesday, November 20, 2012 at 11:09 AM, Melvin Carvalho wrote:

>
>
> On 20 November 2012 19:24, Ben Adida <b...@adida.net> wrote:
> >
> > On Tuesday, November 20, 2012 at 7:08 AM, Melvin Carvalho wrote:
> > > Regarding the third question here: is phishing a concern? I just went
> > > through the flow on the Mozilla site. On the popup, what should the user
> > > look for in order to determine that they are not giving their credentials
> > > away to the wrong party?
> >
> > The usual SSL security indicator: URL and lock icon, plus now we have the EV Cert that makes it even easier to verify. As new ways to strengthen SSL emerge (CA pinning, etc.), we will adopt them as quickly as we can to further protect users.
> >
>
>
> [Not sure if you wanted to reply on or off list]
cc'ing the list cause I meant to reply to all!
> Thanks, but is the lock enough? Do you have to check that it's persona.org as well as having a lock?
Yes, sorry, I meant *all* existing security indicators, including the URL bar.

-Ben

Francois Marier

Nov 22, 2012, 5:57:12 PM11/22/12
On 15/11/12 05:59, Dan Callahan wrote:
> I recently attended and spoke at the first PyCon Canada. The video of my
> talk, "Beyond Passwords: Secure Authentication with Mozilla Persona" is
> online at:
> http://pyvideo.org/video/1566/beyond-passwords-secure-authentication-with-mozilla-persona

I finally had time to watch the whole thing. Well done!

It's a really good idea to show so many sites that use Persona. I also
like how you showed, in your demo, all of the little details like
multiple emails and pre-selecting the last one.

Also your call to action at the end was excellent. I need to steal that
for my next presentations :)

You got a really tough question at the end! The woman that asked about
"fully logging out" made an interesting point: she wants easy
SSO/one-click logins to many low-value sites, but she also wants to
confirm (presumably by entering her password again) every login to
higher-value sites.

I'm not sure we have a good answer for that yet, but it reminds me of
the "mother-in-law" problem that user research found. (One woman in the
study said that she wants her computer to be safe from her nosy
mother-in-law who once logged into her Facebook account without her
permission while she was in the shower.)

I can think of two ways to offer some level of protection against these
"local attacks":

1. The user agent could let users PIN-protect certain sites. The user
would be forced to enter a PIN to unlock the cert in local storage
before logging into these RPs.

2. Users could use a different IdP for high-value sites. That IdP could
use very short-lived certificates and sessions (e.g. 5 minutes) and
therefore force you to enter your credentials on every site you want to
log into.

I suspect that might be something that DanM has already thought about...

Cheers,
Francois

Dirkjan Ochtman

Nov 23, 2012, 6:22:42 AM11/23/12
to Francois Marier, dev-id...@lists.mozilla.org
On Thu, Nov 22, 2012 at 11:57 PM, Francois Marier <fran...@mozilla.com> wrote:
> I can think of two ways to offer some level of protection against these
> "local attacks":
>
> 1. The user agent could let users PIN-protect certain sites. The user
> would be forced to enter a PIN to unlock the cert in local storage
> before logging into these RPs.
>
> 2. Users could use a different IdP for high-value sites. That IdP could
> use very short-lived certificates and sessions (e.g. 5 minutes) and
> therefore force you to enter your credentials on every site you want to
> log into.

In the current model, all of this seems kind of unlikely. Do you think
some email providers are going to treat their email addresses as
low-value while others treat their addresses as high-value? Should I
get an extra email address at a high-security provider just to use as
a Persona login at high-value sites?

Cheers,

Dirkjan