
We use Persona at Microcosm, so you can see it in action on sites such as http://forum.espruino.com/ and http://forum.islington.cc/ , just click sign-in and you're there.

For our use-case Persona is great. I've personally built the "web account" solution several times for different clients and I did not want to build it again. Persona is the lightest drop-in and easiest to implement solution you can imagine, and it works extremely well.

We've had a couple of issues, but nothing of significance. Mostly these have been us doing things unexpected, i.e. pre-loading user accounts obtained face-to-face and the case of the user@ part of the email address differing from the Persona provided email address.

I personally also wish that persona.js were added to CDNJS to increase the speed by which it's served.

What we found through asking, was that people feel very protective of their Google, Twitter, and Facebook accounts. They will sign in with them, but there's a wariness of doing so as they do not want to be spammed, have things posted on their behalf, etc. These fears mostly apply when people first arrive on one of our sites. We wanted a lower friction to that initial sign-in, and we feel that Persona gives us this.

We also found that on interest-based communities there is a reticence to associate real-identity to the nerdiest of their interests. This meant that not using Facebook and Google is a good thing in our scenario.

One of the things we like about Persona is the user experience. For our product, simplicity and ease are core goals. Persona helps rather than hinders on this front.

We really like Persona and hope that it remains under active development for a long time.

We are not of the belief that it's failed, simply that it's a slow-burner and needs some marketing support.
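The email-case mismatch mentioned in the comment above, as an added example that is not part of the original thread or Microcosm's code: it links a Persona-verified address to pre-loaded accounts through a normalized key and refuses to guess when two pre-loaded rows differ only by case. The account rows, the audience URL and the function names are constructed for illustration; treating the local part as case-insensitive is an assumption the site has to make deliberately.

```python
# Added example: link a Persona-verified email to pre-loaded accounts.
# Account rows and verifier responses below are constructed samples.

def normalize_email(addr):
    """Lookup key: trimmed, with local part and domain lowercased.

    Assumption: the site treats mailbox names as case-insensitive, as most
    providers do, although SMTP formally allows case-sensitive local parts.
    """
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % addr)
    return local.lower() + "@" + domain.lower()

def build_index(accounts):
    """Map normalized email -> list of account ids (more than one = ambiguous)."""
    index = {}
    for acct in accounts:
        index.setdefault(normalize_email(acct["email"]), []).append(acct["id"])
    return index

def resolve_account(verified, index, audience):
    """Return (decision, account_id) for a parsed verifier response."""
    # Only trust the email if verification succeeded for *this* site.
    if verified.get("status") != "okay" or verified.get("audience") != audience:
        return ("reject", None)
    matches = index.get(normalize_email(verified["email"]), [])
    if len(matches) == 1:
        return ("link", matches[0])
    if not matches:
        return ("create", None)
    # Several pre-loaded rows collapse to one key: never auto-link.
    return ("manual_review", None)

AUDIENCE = "https://forum.example"  # constructed placeholder
INDEX = build_index([
    {"id": 1, "email": "Alice.Smith@example.com"},  # entered face-to-face
    {"id": 2, "email": "bob@example.org"},
    {"id": 3, "email": "BOB@example.org"},           # case-only duplicate
])

def demo():
    ok = {"status": "okay", "audience": AUDIENCE}
    return [
        resolve_account(dict(ok, email="alice.smith@example.com"), INDEX, AUDIENCE),
        resolve_account(dict(ok, email="bob@example.org"), INDEX, AUDIENCE),
        resolve_account(dict(ok, email="carol@example.net"), INDEX, AUDIENCE),
        resolve_account({"status": "failure"}, INDEX, AUDIENCE),
    ]

if __name__ == "__main__":
    print(demo())
```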




My first and only experience with Persona is oddly enough, to log into the Islington CC forum (small world) and I found the whole experience oddly disconcerting. Am I logged into Google or Microcosm? Do I have to stay logged into my Google account? What does Firefox have to do with my Gmail account? What is Persona and what do they have to do with anything?

I had lots of questions and none were answered on the nice minimally designed log in page. All of a sudden I'm sent to Google, but I don't want my work account associated with ANYTHING outside of work. Ok, I'm smart, I can just log out and no link will be created. I log in with my personal G account and everything seems ok. But now I have to log out/in again to get back to work.

Why all this trouble? I have a password manager, and it can easily remember another 30 character password. If it gets hacked, the damage is limited to a forum that I occasionally visit. No biggie. But now, everything is linked to everything else and who knows what is happening in the background that I agreed to because I didn't read the small print.

Ok, I'm being a bit dramatic. But personally I don't like services to be mixed. That's all it comes down to.

One last thing, you mention that people didn't like associating real identities etc, but the only way I could log in was by associating my real identity from my Google account.


Disconcerting, that's not come up in any of the UX testing or feedback we've received recently.

In our earliest version (last summer) we had pushed the "Sign In with Persona" branding but later moved to just saying "Sign in". But that was caught in UX testing and we did change that so that it was clearer (by saying less) that you were signing in to the site you were on (Islington CC).

> the only way I could log in was by associating my real identity from my Google account

The great thing about Persona is you can use any email you wish to login to something. You can choose to use an email address that is associated with real identity, but just as easily you could've chosen not to.

The advantage Persona supplies is that even if you do choose to use an email associated with real identity, Google (or the email provider, e.g. Facebook) will only see a "Sign in to Persona" event, and will not have additional data revealing that you had signed in to Islington CC (in this case).

Persona effectively acts as a behavioural data firewall that grants you sign-in with email ability, but without leaking your behaviour activity back to the email issuer.

If you have any feedback on how you think we can improve this from our side (the forum software), just email me: david@microcosm.cc

I've yet to write FAQ support documentation, and I think you could help provide a lot of the questions around sign-in for me to answer.


Thanks for the explanation. Maybe my experience was tainted by the myriad times I've been asked to sign in to a service using Facebook, only to be met with a form asking for my name, email and password. So what was all that FB nonsense about then? So to be fair, the Persona procedure was painless in that respect.

Something that would have been helpful would be a bit more information at the first point of contact with Persona. Ok, so I've just gone to the site and clicked the Sign in or Register link, and the pop-up (ugh) that appears doesn't really explain anything. It asks me to sign in with my email. But you don't have my email yet. What am I signing in to? Is this one of those FB logins where you already know everything about me? And where is the registration page I was promised? I was given a choice, but now one of those choices is gone. There's a bit of a disconnect there.

Soldiering on, if I enter a gmail email then Google's presence makes itself known. Why? Did I accidentally click a bookmark or something? Google wasn't mentioned before. Did I fall victim to an XSS attack? No way am I signing in to this pop-up asking for the keys to the kingdom. I know I'm sounding a bit thick here, but I'm 100% certain my mother would've bailed by now.

What is missing is some explanation as to why certain info is being asked for, and will it be shared with anyone. I have the option to agree to T&Cs and a Privacy Policy, but I still don't know why. Yes, I could click on the Learn more link at the bottom of the page, but I don't feel I should have to. I just want to register with the forum.

Anyhow, I'll put chicken little back in the pen because I think I'm being kind of harsh. I applaud services such as Persona, but I've yet to use one that would compel me to integrate it into one of my websites. If I can think of any more constructive criticisms I'll be sure to pass them along. Cheers!


How does something like the following sound?:

For this service, you can sign in with your email address. If you are using one of the supported email providers, you will be redirected to them to finish signup, otherwise you will be asked to create a Persona account. Your email provider will not know which sites you are signing in to, and we won't know your email password or other data.


I just tried out the forum.islington.cc registration (without being logged in to Google). The way it redirected me to a Google sign in when I gave a gmail address made me think it was going to end up using OpenID at the back end, something I have never used Google for.

Personally, if I had to register for an account on a site that used Persona, I'd create a special barrkel.persona@gmail.com address (or something similar) to firewall it from my other gmail accounts.


> The advantage Persona supplies is that even if you do choose to use an email associated with real identity, Google (or the email provider, e.g. Facebook) will only see a "Sign in to Persona" event, and will not have additional data revealing that you had signed in to Islington CC (in this case).

In this case, it would seem size does matter. If alice@example.com is the first user from example.com to sign in (or first modulus cache of example.com's key at the service) -- example.com will see 1) a sign-in-to-persona-for-alice@example.com in close temporal proximity to a request for its certificate from the service.

That's how I read:

https://developer.mozilla.org/en-US/Persona/Identity_Provide...

anyway?

So, if a site already has gmail.com's persona cert on file, google will only see that alice@gmail.com uses persona (and only whenever alice needs a new/refreshed persona session).

I don't think this is much of a flaw, but there definitely is a bit of traffic going back and forth. But much better than with the alternatives (that I'm aware of).

[edit: and obviously the site/service will get the email address as well, but then most other solutions also require the site to get the email address]


I 100% agree with all of this. I think Persona needs some native support in browsers/etc and will succeed. I find it the easiest login system to implement, bar none.

I also wrote a post on how you can use it with disposable email addresses: http://www.stavros.io/posts/persona-accounts-disposable-emai...

If disposable email providers (mailinator, 33mail, etc) implement it, you will just be able to log in with your disposable email address everywhere. If the browser implements "remember which address I signed up to this site with", it will be the most transparent login system available.


Here's why I won't use it if I have any other option: As an example to see if it's still an issue -- I tried clicking your islington.cc "sign-in or register" button. I'm greeted with a popup saying "We are sorry, but currently your browser is not supported. <firefox logo> Persona works with Firefox and other modern browsers". The browser I'm using? Firefox (ESR 24.whatever is current). Closing the pop-up and trying again worked, eventually. This happens about a third of the time I try to use a persona-based sign-in.


Wow, that sounds terrible! Could you file a bug, please? And please include the results from https://people.mozilla.org/~fmarier/troubleshoot.html


>This meant that not using Facebook and Google is a good thing in our scenario.

That's why there's this idea of a 'username' paired with a stored salted hash of a 'password'. This allows people to have independent accounts per service.


This is true. However, part of the thinking behind persona is that most sites will want to let you reset your password, so they store: salt+password:username:email. Some are being "clever" and use the email as the username -- hopefully paired with a numeric/uuid uid -- so that when you change email providers, you can retain your account. Some might store a phone number for recovery etc. Some require a working email in order to register (to fight spam accounts).

Further, in general most sites will log your IP, be able to match that to your username, and so, unless you're using Tor, be able to provide enough information to track you across sites anyway.



