
New Persona Beta: Millions of Users Ready to Log In using Any Browser - stomlinson
http://identity.mozilla.com/post/47541633049/persona-beta-2
======
sergiotapia
I implemented persona for ASP.Net MVC3 and it was hands down the easiest login
system I've ever built in my career. From a developer standpoint it's very
intuitive, the documentation is great, and I loved it so much I open sourced
my implementation.

<https://github.com/sergiotapia/ASP.Net-MVC3-Persona-Demo>

Please give this a shot! I would only like them to keep more information on
hand, like a first name, or an avatar so I don't pester my user with such
requests.

~~~
groks
I don't think you've actually implemented the protocol. Like most of the other
examples I've looked at, you explicitly check every login attempt with the
hard-coded mozilla verifier. This breaks two of the selling features of
browserid:

1) Your identity provider doesn't know where/when you login because the
relying party (the website) is supposed to cache the identity provider's public
key.

2) When identity providers start implementing browserid, it's not going to
make any difference because you're not checking back with the identity
provider's website, as encoded in the assertion.

What you've implemented here is more like Microsoft Passport - a single point
of failure through which all logins flow.

So, as a bootstrap mechanism the Persona service fails, because assuming
people jump on the browserid bandwagon, we'll still be stuck using Persona
because all the websites have implemented the protocol wrong (as in this
case).

~~~
sergiotapia
You're correct. This is _not_ a persona provider. It would be more correct to
call it "Here's how you can use Persona in an MVC3 application."

---

> So, as a bootstrap mechanism the Persona service fails, because assuming
> people jump on the browserid bandwagon, we'll still be stuck using Persona
> because all the websites have implemented the protocol wrong (as in this
> case).

Please elaborate here. You can just switch out the provider (in my case
Mozilla) for another one easy enough. You're not tied down to a particular
implementation.

~~~
groks
That's right, you're not a 'provider', you're a 'relying party' - but you are
unconditionally relying on the bootstrap mozilla service. You're not supposed
to swap that out and rely on some other service, you're supposed to look at
the assertion provided by the browser (or the javascript shim right now, while
we bootstrap). Who you verify the assertion with depends on the user's email
address.

So, if tomorrow Google added support for browserid to Gmail, and jo@gmail.com
tries to log in to your website, he would claim to be jo@gmail.com and pass
you an assertion to that effect. You need to check that with Gmail. Of course,
Gmail being popular you've probably already checked the assertion of many
people claiming to have Gmail logins, so you already have the Gmail key
cached, and can verify the assertion without any http requests to anywhere.

Right now, Gmail does NOT implement browserid, so the assertion which you
receive will be that jo@gmail.com is vouched for by the mozilla browserid
service, so you will end up checking the URL you've hard coded.

But if it's hard coded we can't proceed to the next stage, which is the
distributed promise of browserid. AND, it puts less pressure on the likes
of Gmail to implement browserid because no one will be checking
gmail.com/.well-known/browserid.

~~~
seanmonstar
Actually, the verifier (verifier.login.persona.org) runs code that could
be run on any server. It _does_ check Gmail for the well-known file first, and
then, since it is not found, uses the fallback of login.persona.org.

As soon as Gmail (or any id provider) implements a well-known file, the
verifier will immediately use that instead.

And the script that does all this _could_ be run on your own server. The only
reason we don't quite yet tell people to do that is to be absolutely sure the
verifier is correct in every step. It's harder to get everyone to upgrade
their own server, so while in beta, we offer the verifier.

~~~
groks
I think this is a bad idea:

You are using marketing terms like "Persona is distributed. Today" (last week's
blog title) but it isn't, because every auth request flows through mozilla
servers. You are also advertising that it is so simple, the entire website
example is 70 lines of python (recent talk), but it isn't, because you aren't
implementing browserid, you're delegating to the centralised mozilla server.

Advertising that it is distributed and simple does not accurately communicate
the current state of the implementation. Look at the spec:

<https://github.com/mozilla/id-specs/blob/prod/browserid/index.md>

> This assertion is a Backed Identity Assertion, as defined above. We call it
> assertion here for simplicity, since the Relying Party typically need only
> pass this assertion to a verifier service without worrying about the
> specific semantics of the assertion string.

It does not say that the centralised mozilla verifier is temporary, but
expected.

This all leads to people getting the wrong impression. As you say, it is hard
to get people to update software on their servers, but they don't even know
that they have to - because it's distributed, today, and simple - so they
aren't going to be looking. Another group of people are going to look at the
spec and implementations and think: what is the point of yet another login
scheme which just pipes everything through mozilla?

This is not going to help the adoption of browserid.

------
OoTheNigerian
Here is my feedback.

Perhaps the marketing of "persona" to consumers should take a backseat. When I
signed in to <http://123done.org/> the pop up* showing "sign in with persona"
confused me for a moment. For a moment, I thought... "but I do not have a
persona account"

If there is a way for users to just sign in with their email without telling
them how it is done, I am sure there will be even less friction.

Of course, the persona architecture could still be marketed to developers for
integration purposes. But for users, let it just be like magic.

PS: I did not see the Firebase implementation they spoke of. I am still told
to make sure my password has 8 characters. <https://www.firebase.com/signup/>

*<https://www.dropbox.com/s/4ay0qp434rqd0dm/persona.png>

~~~
6a68
The Persona branding is necessary because you _aren't_ creating an account
with the underlying website--you're creating an account with the persona.org
fallback identity provider (that is, unless you're using a yahoo.com email or
another Persona identity provider).

Think about it this way: suppose you create a persona.org account at site X,
then visit site Y which also uses Persona for login. It would look like site Y
recognized you, but how? Seems like an incoherent user experience.

Does this help at all?

Firebase offers a login service which includes Persona alongside Facebook,
Github, Twitter as login options. They've got a demo here:
<http://firebase.github.io/firebase-simple-login/>

~~~
TylerE
You're losing 95% of users right there, including many techies. What's
"Persona" vs "persona.org" vs "Persona identity provider" vs "persona.org
fallback identity provider"?

~~~
ricardobeat
I don't think any site using OpenID has a 95% bounce rate because of it.
Persona is the name of the magic, you need a way to tell it from OAuth and
other sign-in mechanisms.

------
macspoofing
I have to say that I'm really loving Mozilla/Mozilla Research these days.
Their heart is in the right place, and their research projects like Asm.js,
Persona, Rust, and Firefox OS are very cool. They are what Google was in 2005.

~~~
PommeDeTerre
Rust is perhaps the only thing that you listed with any real promise. It is
bringing in some good ideas from other programming languages, and it does
appear to be a language that may eventually offer some practical value.

Asm.js is, at best, a very ugly hack. Instead of going in the right direction
and eliminating JavaScript in favor of a proper embedded runtime or virtual
machine, it's just promoting further use of bad (even if widespread)
technologies.

Firefox OS doesn't appear to be anything but a me-too catch-up effort. Nothing
suggests it can truly compete with iOS or Android, never mind the numerous
other mobile OSes out there that are available on far more devices and
actually have at least some users.

Persona is perhaps a good-hearted effort, but it's pretty clear that it isn't
catching on. There are already too many other authentication systems out
there, and many of them have far more traction.

The community as a whole would likely get much better value if Mozilla focused
on the software that many people actually use on a daily basis, like Firefox
and Thunderbird, rather than these side projects that don't really offer much
at all.

~~~
callahad
> Persona is perhaps a good-hearted effort, but it's pretty clear that it
> isn't catching on.

This is news to the Persona team.

~~~
PommeDeTerre
That's unfortunate to hear. I would have hoped that you'd be more aware of its
actual level of adoption.

Taking an objective look at the situation, as somebody who isn't tied to the
project, I just don't see it being used. While so many web sites and
applications allow authentication using Google, Facebook, Twitter and even
some other more obscure providers, I never see Persona listed as an option.

The adopters listed in the article are minor, at best. Given that the
BrowserID initiative has been public for almost two years now, it's not a very
impressive list.

It's easy to write blog articles claiming that "hundreds of millions of Web
users are now ready to log in with just a few clicks", but we just don't seem
to be seeing that actually happening in practice.

~~~
callahad
I contest that GNU Mailman, the Eclipse Foundation, Firebase, the Born This
Way Foundation, and Discourse are hardly "minor, at best." Not to mention
extensive dogfooding within Mozilla itself.

Less flippantly, these things take time. While the initiative has been public
for some time, it's only been in beta for roughly 6 months. It would be
irresponsible for many organizations to jump on board this early, and taking
that as a sign of failure is disingenuous.

~~~
StavrosK
Well, as both a developer and a user, I hope that Persona catches on. I
certainly use it on all my new sites, and preach it whenever I can.

It's definitely still early. Hopefully it will spread quickly.

EDIT: Where's the Firebase signup? I only see a Github and a plain one.

~~~
callahad
Firebase added Persona support to their API for apps built on Firebase. It's
not (yet) supported on their home page.

------
ecaron
Before they push Persona more, can someone walk over to the team that's
running <http://www.getpersonas.com/en-US/> and either disconnect their
servers or lock them to their chairs until they finish the migration?

I understand the pain of rebranding assets, I do. But if you're going to
rebrand to a product your company is already using, it has to be fast. And
Mozilla, the 2 year anniversary is in July...

~~~
potch
The migration is actively underway! The site will be shut down on a time scale
on the order of weeks.

~~~
potch
Correction, getpersonas.com is now decommissioned!

------
NelsonMinar
Persona seems terribly important. And well designed, particularly compared to
the ad hoc social login systems. I don't understand why it doesn't have more
mindshare. Is it not yet ready for use by consumer sites?

~~~
lazyjones
> I don't understand why it doesn't have more mindshare.

Because all they've published so far is API specs and fluffy PR sites that try
to portray it as "oh so much better" without offering any insight about why it
is better. They can claim "more privacy" all day long, but without any details
about what gets stored where and why it is supposed to be safer, they don't
make a compelling case.

Look at this page for example: <https://login.persona.org/about> (the "how it
works" page) - it has 0 details about these claims and unfortunately, we're
already tired of reading how Google and FB respect our privacy. From
"outside", it looks like we need to give Mozilla our (existing) credentials
and trust them to handle them with care. Why should we? I feel safer making
pwgen passwords for every new site I need to register at.

~~~
bzbarsky
Er... "they" have also published the full source code involved (at
<https://github.com/mozilla/browserid> ) and a privacy policy at
<http://www.mozilla.org/en-US/persona/privacy-policy/> that you can compare to
said source code as desired, if you're using Mozilla's identity provider.

As far as the architecture of the overall thing, there are also
<http://identity.mozilla.com/post/7899984443/privacy-and-browserid> and
<http://identity.mozilla.com/post/11145921163/browserid-design-for-privacy>
and a technical specification at
<https://github.com/mozilla/id-specs/blob/prod/browserid/index.md> that
describes the exact data flow involved.

And if you read those, it should become pretty clear _why_ this is better for
privacy than the FB or Google login systems. For one thing, the identity
provider is never told that you're logging in.

~~~
lazyjones
Not even the links you posted tell me a) where certificates are stored and how
they are protected, b) what measures are taken to prevent unauthorized use of
those certificates by the ID provider, the browser (plugins?), other entities,
c) how the act of entering an e-mail address is secure (other people may have
access to my computer and know my e-mail address). Admittedly, I didn't watch
the 1 hour presentation video, but I've come across HN-linked presentation web
pages several times and tried to understand these issues every time; the
result was always the same: Mozilla assures me it's all done properly, but
does not provide the relevant details to back up these claims.

Mozilla needs to make a _very_ compelling case to web site owners for
adoption, because FB and even Google have more users and OAuth is at least
roughly understood.

~~~
badida
Let's see if I can help provide some answers here:

a) certificates are stored in localStorage for <https://login.persona.org>.
They are very short-lived (hours), so that we don't have to deal with
revocation, since that would likely be impossible on a per-user scale.

b) there's no way you can prevent an identity provider from misusing your
identity. They're your identity provider. You chose them because you trust
them to credential you and not let other folks impersonate you.

b') browser extensions already have full control over your life. That's
something that should be addressed longer term, but Persona is not making this
any worse.

b'') other entities cannot access the localStorage for login.persona.org, so
that should be okay.

c) you're not just entering an email address. You're also proving you own it,
for example by being logged into your Yahoo.com account, or by clicking the
confirmation link we send you. What we're doing is minimizing the number of
steps you have to take to prove you own an email address. But you still have
to own it.

You should check out our documentation, which is quite thorough:

<https://developer.mozilla.org/en-US/docs/persona>

I think we've provided a lot of hard data and docs to back our claims, but
we're happy to provide more, of course.

------
Flimm
For this to be adopted, you need to have at least one major email provider
implementing it, at least one major browser, and at least one major website.
If you don't have the three corners of the triangle, people will inevitably
judge Persona by its fallback implementation and will fail to understand the
advantages Persona offers.

The good news is Mozilla have managed to implement a bridge that makes it look
like one major email provider, Yahoo!, implements it.

Now you need the other two corners. Firefox OS is not mainstream enough, why
doesn't Firefox for the desktop implement this natively yet? Isn't the whole
of Mozilla behind this initiative? (Also, why haven't they fully retired the
old usage of the brand Mozilla Persona yet?)

~~~
kyrias
There's no reason for it to be integrated in the browser?

~~~
jordan0day
Browser integration is actually supposed to be one of the core pieces of
Persona. The idea is that by building the Persona login process directly into
the browser (as opposed to it requiring a popup/webpage) then phishing attacks
may be somewhat mitigated.

~~~
Flimm
That, and a better user experience. Have a look at this screenshot; doesn't it
seem obviously more attractive and usable than a pop-up?
<http://www.extremetech.com/wp-content/uploads/2011/07/firefox-account-manager.jpg>

------
lifeformed
Can I associate additional data with my profile? A lot of websites I use want to
know my name, nickname, age, avatar-pic, timezone, etc. It would be nice if I
could store it all with my Persona account and selectively allow access to
sites that request it. I could even store my credit card info, and when the
site wants me to fill in my address and such, I just click to allow access to
that data, which can then autofill the forms.

I could even add things like browsing preference data such as "prefers-dark-
on-light-theme", "no-video-or-audio-autoplay", or "no-nsfw-content". The site
can add functionality for these preferences if it chooses to. Does Persona
already have this?

~~~
ozten
No, we don't currently provide any profile information.

We'd love to see more experiments in this space. Get involved
<https://github.com/mozilla/browserid>

------
jaredhanson
This is fantastic! I'm really excited to see Mozilla improving the login
experience for users across the web. It is a problem that is sorely in need of
better solutions.

For the Node.js developers in the crowd, I'm happy to see Mozilla is using
Passport.js (<http://passportjs.org/>) (which I'm the developer of) to power
the OpenID/OAuth dances when doing identity bridging. You can see it in action
at the BigTent repo: <https://github.com/mozilla/browserid-bigtent>

Passport.js can be used in your own applications to easily perform the server-
side part of Persona/BrowserID as well as integrate with or transition from an
existing login system.

~~~
ozten
Jared is also a great project maintainer. He has been very responsive to
questions and stays on top of github issues. Go Passport!

------
jakub_g
Can someone recommend a good article about how Persona exactly works under the
hood? I've seen zillions of news about Persona but haven't grasped the main
concept. Comparison with OpenID will be appreciated also.

Many articles say that Persona is great and awesome etc. but do not explain
what the advantages and security implications are.

~~~
abhinavg
This is off the top of my head so maybe somebody will correct me, but:

Persona is a login system that cares about your privacy. With social login
systems, the website you are logging into contacts the social login provider
(Facebook/Google+/Twitter/what-have-you) when you attempt to log in. So you
end up leaving a trail of breadcrumbs behind you of every site you visited
(and used a social login on). Further, many people are not comfortable giving
sites access to their social accounts because of privacy concerns.

With Persona, the idea is that your identity provider (can be your email
provider, persona.org, or someone else) will have a key publicly available on
their site. Your browser would generate a certificate that can be verified
against that key. However, since the same key from the provider is used to
authenticate all accounts on that provider, all the provider finds out when a
website contacts it for the key is that _someone_ is trying to log into said
website. Plus, the website could cache the certificate and now the provider
does not know this either.

There is more to this so you're probably better off reading one of the other
links.

~~~
drdaeman
If Persona cared about anyone's privacy, it wouldn't use emails.

Logging in with, say, a Twitter account is less secure in the sense that Twitter
knows what sites you log in to, but more secure in the sense that the sites
can't spam you unless you allow them to do so.

~~~
Groxx
I've been thinking about this, and I have come to the conclusion that it's
less of an issue than I thought it was. For a simple reason: the "email
address" you provide is _just_ an identifier. A string formatted as
"user@domain", nothing more.

By _convention_ it's a usable email address, but there is literally nothing
preventing someone from starting up an email-less Persona identity provider.
You'd still log in with your_username@noemailpersona.com, but that's just a
formality that doesn't need to be hooked up to an actual mail server at any
point.

Never using that account to actually communicate would put it on par with any
other auth system you can come up with. Disposable when you want to dispose of
it, and _no need_ to ever dispose of it unless you want to. The whole issue
with some people changing their email addresses for spam-fighting / inbox-
cleaning purposes is a non-issue with this kind of an account.

~~~
drdaeman
This is correct, but the whole thing is marketed as email address, so it will
be used as an email address, i.e. means of contacting me.

Now, consider I want to try some service I don't trust. I sign in with an
email-looking identifier (which doesn't work as an email address) and use the
site for some time. Eventually, I become fond of this service and want it to
start contacting me. With 123done.org I can't do this, nor at
mineshafter.info, nor at crossword.thetimes.co.uk. Trovebox looks broken to
me, so I can't tell whether it works, and I was lucky with voo.st, as it allowed
me to add more accounts. I don't know of more sites using Persona. Considering
that today, when you register with only a Facebook or Google account,
relatively many sites don't let you change that binding in the future, it's
very likely the situation with Persona will be the same.

~~~
Groxx
Hopefully, the existence / use of non-emailable browserid providers would
encourage sites to accept alternate / custom 'primary' email addresses. It's
definitely a chicken-and-egg problem though, and far from guaranteed that it
would be resolved happily. And I'm in complete agreement on the marketing, and
it's a problem for this setup - the system is young though, maybe this can be
changed.

Though honestly I suspect browserid would encourage this _anyway_, since
people _are_ likely to use their primary email address, and they _are_ likely
to change to a different address in the future. If sites want to keep people
through such a change, they'll want to allow changing it (since I doubt I'm
alone in resenting sites that require me to maintain an address I don't use.
Resentment isn't good for retention).

~~~
drdaeman
Found out that the Persona team does encourage this:
<https://developer.mozilla.org/en-US/docs/Persona/The_implementor_s_guide>

Personally, I wouldn't call email addresses identities, and just say they're
credentials. But Mozilla clearly has another idea on what the identity is.

------
TomGullen
I do see the huge potential benefits of the system but have a couple of
concerns.

I'm concerned that a 'one password' for everything can be more of a liability
if your password is stolen/lost and make phishing potentially more lucrative.

Also concerned about a centralised password store - people make mistakes and
if there was some DB leak/hack it could be damaging as it would not be
contained within one system (if I've understood how it all works correctly).

~~~
menny
Persona should add two-factor authentication.

For that matter, any open-ID or similar technology should add that.

~~~
AndrewDucker
Persona is only handling authentication temporarily.

Once email providers start providing their own Identity Providers then the
security falls entirely on them.

For instance, once GMail starts being its own authenticator, my two-factor
authentication there will kick in.

~~~
callahad
Identity Bridging will eventually get 60-80% of users functionally off of our
fallback and onto their provider's native authentication paths, but I do
wonder if the Persona fallback should support two-factor auth natively for the
remaining 20-40% of users.

Thoughts?

------
Bjoern
Sorry, I crawled up from under a stone here. I asked myself how this is
different from OpenID, then I found this (FYI).

<http://identity.mozilla.com/post/7669886219/how-browserid-differs-from-openid>

------
darxius
I haven't been keeping up to date with Persona, but doesn't this open a window
for email account breaching? I can picture some malicious websites mocking the
"Sign in with persona" process and gaining the email AND associated password
for that account without much trouble. Unless I've misunderstood Persona's
point and the password is different from the user's email password.

~~~
ozten
Our team has thought a lot about this.

There are a bunch of angles to answer this from.

Short answer (assuming native browser, native webmail provider): The malicious
website would have to fake browser chrome and fake the user's webmail login
flow.

Long answers: Search through the mailing list and get involved!
<https://groups.google.com/forum/?fromgroups#!forum/mozilla.dev.identity>

~~~
w-ll
What if I just want to collect emails and passwords, and with a free cert and
a funky domain harvest (email, password) pairs? I thought the whole point was to
be passwordless?

Second, I wanted to play a crossword puzzle. I click login and am greeted with
a popup window, I put in my email, then it asks for a password (ok whatever).
So now I have to go to my email, and it says that I click the link and can go
play the puzzle, but then it takes me to some persona account manager thing. I
go back to my email, click the link again, this time with an error and no
puzzle :(

What's new here? That your plan is to just store logins for people? Do you
share my email with the webapp I wanted to use? Seriously, what's new here?

~~~
callahad
Could you try going back to the crossword and trying to log in?

If that doesn't work, it sounds like you hit a bug -- could you file that at
<https://github.com/mozilla/browserid/issues>, please?

The password stuff was because your email provider doesn't support Persona's
protocol, so it fell back to asking Mozilla to validate your identity with a
challenge email (and a password, so you don't have to use a challenge email
when you come back next time).

------
haddr
Just one privacy question: Imagine if I log in using the same email to
Service1 and post some comment. And later, using the same identity I log in to
Service2 to post some pictures. Do Service1 and Service2 (imagine they share
some data) know that it was the same person?

PS. Good work, it looks quite convincing!

~~~
SteveArmstrong
They both know it was the validated owner of user@example.org, so if Service1
and Service2 compare their users, they will see the same e-mail address.

------
davecap1
I like Persona a lot and I would love to implement it on some of my sites, but
I wonder how to best describe what it does to the average user. "Sign in with
Persona" will probably look just as bad as "Sign in with Facebook"...

~~~
ozten
"Sign in with your Email" is pretty clear.

via <https://developer.mozilla.org/en-US/docs/persona/branding>

~~~
davecap1
Ah thanks for that

------
scragg
I tried to log in to this site <https://current.trovebox.com/> which was
linked on the Persona home page: <http://www.mozilla.org/en-US/persona/>

I tried to use my gmail address and it gave me this:
<http://dl.dropbox.com/u/13941904/persona.png> Am I just making up a password
for a Persona account and it's using my email address as the user id? I can
see how some people would type in their gmail password by mistake.

~~~
unhammer
I found this bit confusing too, but in a different way.

The first time around, I knew I was making up a new password, just not where
it would be stored.

Then much later I used a different computer (but firefox sync'ed) and tried
logging in to Persona, got asked for a password, and thought "oh, so now I
make up a new one because it's a new browser and this is BrowserID? Where is
this password stored anyway?"

I'm guessing that password is stored on persona.org, not in my sync profile,
but even after reading <http://lloyd.io/how-browserid-works> I still find this
one point confusing.

EDIT: I now see that the creation bit has a "verify" field whereas the sign-in
bit has only one field, I guess that should have been my hint to use the same
password as before. I'm still wondering though how it works when you have
several email accounts on one browser, do they all share the same password?
Does persona.org know that I have all those email addresses?

------
mixedbit
Congratulations to the team, keep up the great work!

------
weisser
Would Google ever allow this work with Gmail? Since they are trying to get
sites to adopt the "sign in with google" option I'm curious if they would get
behind this initiative.

~~~
badida
You should tell them you'd like them to :)

------
bluehex
I clicked on the first link, in the announcement of one of their adopters "The
Eclipse Foundation" (actually their Orion project: <https://orionhub.org/>),
to see what the sign in flow was like. I already had a Persona account from
the early announcements but wanted to see it on a real site.

The experience was bad. I signed in with Persona on Orion to be greeted with
"There is no Orion account associated with your Persona email. Please register
or contact your system administrator for assistance." Isn't the whole point
that I don't need to register?

I clicked the register button to see what more it would require and they
wanted a user name, password, and email. With such a poor integration the
whole idea of not having to remember another, username and password is lost
isn't it? Obviously this particular failure is the fault of the integrating
site and not Persona which seems really cool.

Screen shot after logging in with Persona; then after clicking register:
<http://imgur.com/a/WCKnh>

~~~
callahad
Thanks for bringing that up. The specific implementation at OrionHub is Not
Ideal -- they should kickstart account creation when you sign in with Persona,
like at <https://voo.st> or <http://sloblog.io>

I'll reach out to the folks over there and see if they can get that fixed in
their next release.

------
antninja
I don't like Persona, personally. Email is not an identity. When we connect
with email and passwords, both fields are keys (in the open-the-door
metaphor). To make the password a secret key, we can't check it for uniqueness,
so we need a less secret key that will be checked for uniqueness. I think it's
important that users can easily modify both keys without losing their
identity.

------
alexangelini
Does this work yet with Chrome on iOS? The last Persona-enabled web site I
tried simply threw an error when using the Chrome app.

EDIT: Here is a link to the progress on this issue, it was moved to the next
beta <https://github.com/mozilla/browserid/issues/2034>

~~~
AndrewDucker
Here's the list of supported browsers:
<https://developer.mozilla.org/en-US/docs/Persona/Browser_compatibility>

------
shared4you
>> type in email, login to yahoo...

Wait. So, my email provider (Yahoo) can now keep track of _every_ website I
login to, if he wants? How can I stop Yahoo being the middleman?

Second question, if an attacker knows my Yahoo password, can he potentially
login to _all_ Persona-powered websites with my email then?

~~~
badida
No, because Persona mediates, and Yahoo only knows that you're using your
Yahoo identity with Persona, nothing more. That's a key privacy property of
Persona.

However, if you use the "login with Yahoo" button (or Google or Facebook),
then yes, they _can_ track all of your activity.

To your second point: great question! No, the attacker cannot. We still
protect your other email addresses with a Persona password.

~~~
human_error
> Yahoo only knows that you're using your Yahoo identity with Persona

But Yahoo still knows that I'm on that website.

~~~
ozten
How?

------
daphneokeefe
So I can log in everywhere using the exact same username? This will make it SO
much easier for the user data trackers to capture and aggregate all of the
information they can about me. I think I'll take a pass.

~~~
ozten
You can choose any email address you control. Persona doesn't force you to use
one identity.

Sites that use Facebook connect on the other hand...

~~~
pekk
Nowadays you can't get a gmail account without verifying using a phone
number...

~~~
unhammer
Good thing email != gmail, then.

------
enygmadae
If anyone's curious about using PHP and jQuery to integrate it into their
sites, check out this article I wrote up:
<http://websec.io/2012/10/01/Using-Mozilla-Persona-with-PHP-jQuery.html>

It's got curl and streams examples so it should cover 95% of the PHP installs
out there. It's crazy how easy it is to drop in and implement... Mozilla's done
a great job with it so far. I look forward to more integration of it in the
future.

------
sixbrx
The login on the Persona site (<https://login.persona.org/signin>) doesn't
seem to work for me, using my Yahoo account. It pops up the window, I log in to
Yahoo, that little window goes away, then ... nothing else happens. If I click
"verify" again, the little window pops up momentarily and then just goes away.
Is it supposed to actually do something, or was that the whole demonstration?

~~~
callahad
I've filed a new bug for this:
<https://github.com/mozilla/browserid/issues/3225> Could you please chime in
with your browser, version and OS over there?

------
troyinjapan
When it works with Gmail, then the world gets better.

~~~
callahad
Though we might need a month or two to get a few last details ironed out, an
identity bridge for Gmail is absolutely coming soon. Until then, we wanted to
soft launch with a single bridge (Yahoo) before throwing the switch for
everyone.

------
fiatpandas
Oh neat, it seems my current Firefox (20) works with Persona now when third
party cookies are disabled. This was a huge problem before when I was playing
around with it a few months ago (it would flat-out never properly authenticate
when I was testing it before). Didn't think the new cookie policy would roll
out of testing so quickly.

------
dilipray
So, openid by firefox is called persona? I would like to use google, twitter.
What are the special features of this? I don't think anybody would like to use
firefox OS. But it's good, but it has a heavy competition in the future.

~~~
TheCoelacanth
1. Privacy: the identity provider can't tell what site you are logging in to.

2. It's decentralized: any email provider can provide Persona authentication
for the email addresses that it handles. You don't have to rely on Mozilla to
do this except as a fallback for email providers who don't support Persona.

------
pyxy
Sometimes I create accounts with email address like me+thissite@gmail.com. It
is handy for filtering emails from thissite later.

Will this great feature of email (SMTP?) be available to me with Persona? I
mean email address synonyms.

~~~
unhammer
I already have three such aliases in my Persona account. I'd say Persona makes
it easier to use the me+thissite@fastmail.com method. Of course, if you add a
hundred such, you'll get a very long list to click through when you log in …

------
ppierald
The concept of putting <script src=> on my login page skeevs me out more than
a little bit. This is a major security hole that won't be patched until there
is native support in the browser.

~~~
badida
or until we give you a library you can audit and host yourself, which we're
working on.

------
hammock
> Ting, Tucows’s mobile phone service

Off-topic, but wow. Blast from the past. Tucows is still around, and now has a
mobile phone service! That was my go-to place for shareware games when I was a
youngin'.

------
Ygg2
Any plans to build this into Firefox? I could definitely see this as some kind
of account to sync our Firefox, better browser integration.

IIRC Firefox had a plan for BrowserID something along these lines.

~~~
callahad
Yep! The Persona implementation of BrowserID is already built into FirefoxOS.
It should come to Desktop Firefox later this year.

------
laserDinosaur
I'm confused - What is the difference between this and sites that let me login
with my Google account?

~~~
callahad
Persona works with any email address, so the major difference is that you can
get the "Sign in with Google" experience, with just one button, but without
being forced to choose (and phone home to) Google.

------
robert-wallis
Why promote Yahoo!'s email service? They still don't use SSL after you are
logged in right? Sending your plaintext session cookie over the net, allowing
people in your coffee shop to hijack your email. Nobody should be encouraging
people to keep or get Yahoo email accounts.

~~~
robert-wallis
Just checked, you can now enable SSL, but by default it is not enabled. No
doubt most people don't have it on. Therefore, Yahoo is still an insecure
email service.

------
kristofferR
Wow, I thought Personas were just stupid themes for Firefox, but this is
actually pretty interesting.

------
jokoon
can somebody explain to me why this is so much better than openid ?

~~~
callahad
There are a plethora of links elsewhere in this thread answering that exact
question, but in brief, the developer experience, user experience, and privacy
model are all dramatically better.

------
huhtenberg
Please, guys, change the pastel orange background of the blog to something a
bit more serious. It gives the wrong first impression and starts things off on
the wrong foot.

~~~
riquito
Blue or grey may be better suited to you?
<https://developer.mozilla.org/en-US/docs/persona/branding>

~~~
huhtenberg
I was referring to #FFFBED of the blog background.

------
artursapek
Why are they shitting on social sign-in when this works the exact same way,
but with email providers? You still need a pop-up that takes you to several
domains and makes you click Yahoo's "Accept" button.

I can see the confidence people might get from the added layer of Persona
talking to the external service as opposed to the website that you've never
been to before (given the Persona brand builds lots of trust), but the UX is
still just as clunky and awkward.

~~~
ozten
Directly from the article:

Julius Schorzman of DailyCred, the instant CRM package for any web site,
implemented Persona and remarked “We’ve seen from our internal metrics that
more than 70% of users still prefer email and password authentication over
social log-in like Facebook. Implementing Persona is actually easier than
Facebook Connect, or any OAuth implementation we’ve seen.”

People want control over their identity on the web. Social sign-in doesn't
meet this need.

~~~
cinquemb
I'm personally not a big fan of social sign in, and I doubt I'm going to use
Persona (at this time).

Persona seems like to me kinda like what the chinese are doing with requiring
people to use .gov ids on the web. Sure in china it will be by force and here
it will be opt in, but in my eyes the result will be the same: making it
easier to track people across the web.

I don't feel like persona solves the ability for a person to have control over
their identity on the web any more than people do now, maybe just offer the
same utility of social logins without trusting 3rd party(?).

Are all persona users data stored in a central location (besides websites that
have multiple users sign up through persona?)

~~~
takluyver
As I understand it, there's nothing to stop you using a separate Persona ID
for each site you visit, and none of your IDs has to be tied to your real life
identity. But most people already give the same username and same e-mail on
loads of different websites, so we're happy to carry on doing that.

For now, most Persona users are stored in a central location by Mozilla. The
idea is that e-mail providers take over authenticating users, so eventually
there should only be a few users that Mozilla stores credentials for. I'm
hoping that GMail will add support soon.

~~~
cinquemb
Hmm, I can see how this would be better than using Facebook Connect for the
risk averse (though I must question that if one is using something like
Facebook Connect or Google whatever in the first place).

But most web users aren't risk averse, and I question the utility this will
have over Facebook Connect when using it in some kind of application that the
user wants to use that requires some kind of social data in order to get the
most out of the app.

