
Open Letter to Mozilla: Bring Back Persona - StavrosK
http://www.stavros.io/posts/open-letter-mozilla-bring-back-persona/
======
SwellJoe
I hate that the best user experience for logins is "Login with facebook" or
"Login with Google". I don't want to impose that privacy failure on my users,
but I also don't want to impose the annoyance that is "Sign up with a
username, email address, and password". Offering all of the options is also a
compromise that complicates the user experience.

Now, here's the sad thing, for me: I didn't even know Persona _existed_ until
its demise was being discussed on HN and reddit. Persona is exactly what I
want for my users and my sites; and for my own use of the web. And, I didn't
even know it was an option until it stopped being an option.

In short: I strongly agree. Mozilla has to focus resources on areas where it
can have the biggest impact on privacy and the open web. This is one of those
areas.

I hated to see Thunderbird dropped from the Mozilla roster, as it is my mail
client of choice, but I understand where they're coming from. I hated to see
FirefoxOS end, but I never got to use it, and it seems to have been doomed
from the get-go by poor market fit and difficulty competing with the three
biggest tech companies in the world in a market where money and influence play
a role in which devices get into users' hands. But, Persona is exactly the
right kind of thing for Mozilla to be doing, and there's no reason they can't
do it effectively, and without a huge amount of resources.

~~~
manigandham
Side note: usernames should just be emails these days, they're unique and save
all the effort of needing another made up name.

~~~
scrollaway
Theoretically yes, but it's not as simple as that. Every identity can have
more than one email associated with it, and emails can change over time. So
"username == email" is fine as long as the concept of a username mutating is
fine.

~~~
manigandham
I don't see a problem, it just means you can log in with multiple emails then.
They're still unique to you. LinkedIn and Facebook and other services already
do this.

A username/real name can still be used as the "name" if this is an online
community or something similar.

~~~
kbenson
LinkedIn and Facebook can do this because your email is not your username.
There likely isn't really a username in those systems, just a user id. Almost
all systems have a user id, but the distinction here is slightly different.
Instead of a user record which has an id, username and possibly full name,
Facebook likely has a user record with an id, a (display) username, and then
there is a separate set of auth records with the multiple ways you can
authenticate to the account, such as emails and passwords, API tokens, phone
numbers, etc.

It may not sound like a big distinction, but there _is_ a big distinction
there. Instead of your username being your email address, they've abstracted
the authentication from the core user record such that usernames are not used
for authentication, so don't have to mutate if the authentication identifier
(email address, phone number) changes, just some auth settings. This is
obviously a much more extensible and robust way to deal with authentication
over time, but it's also obvious it's much more complex than a simple
username/password pair.
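
The separation kbenson describes, as an added example that is not code from the thread or from any of the services named: one user record (id, display name, password credential) and a separate table of login identifiers that map onto it, so adding or replacing an email touches only the identifier table and the username never mutates. All names and data are constructed for illustration.

```python
"""Added example: user record kept apart from the identifiers used to log in.
Everything here is in-memory and constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    display_name: str   # shown to other users; never used to authenticate
    salt: bytes
    pw_hash: bytes


@dataclass
class AuthIdentifier:
    kind: str           # "email" or "phone"
    value: str          # normalised form, unique per kind
    user_id: int


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _normalise(kind: str, value: str) -> str:
    # Emails compare case-insensitively; phone numbers keep digits only.
    v = value.strip()
    return v.lower() if kind == "email" else "".join(ch for ch in v if ch.isdigit())


class AccountStore:
    def __init__(self) -> None:
        self.users = {}        # user_id -> User
        self.identifiers = {}  # (kind, normalised value) -> AuthIdentifier
        self._next_id = 1

    def create_user(self, display_name: str, email: str, password: str) -> User:
        salt = os.urandom(16)
        user = User(self._next_id, display_name, salt, _hash_password(password, salt))
        self._next_id += 1
        self.users[user.user_id] = user
        self.add_identifier(user.user_id, "email", email)
        return user

    def add_identifier(self, user_id: int, kind: str, value: str) -> bool:
        key = (kind, _normalise(kind, value))
        if key in self.identifiers:
            return False  # already bound to some account; never silently re-bind
        self.identifiers[key] = AuthIdentifier(kind, key[1], user_id)
        return True

    def remove_identifier(self, user_id: int, kind: str, value: str) -> bool:
        key = (kind, _normalise(kind, value))
        ident = self.identifiers.get(key)
        if ident is None or ident.user_id != user_id:
            return False
        # Refuse to strip the last way into the account.
        owned = [i for i in self.identifiers.values() if i.user_id == user_id]
        if len(owned) == 1:
            return False
        del self.identifiers[key]
        return True

    def authenticate(self, kind: str, value: str, password: str):
        """Return the User on success, None otherwise. The display name plays no part."""
        ident = self.identifiers.get((kind, _normalise(kind, value)))
        if ident is None:
            _hash_password(password, b"\x00" * 16)  # same cost for unknown identifiers
            return None
        user = self.users[ident.user_id]
        if hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt)):
            return user
        return None
```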

~~~
nileshtrivedi
You are describing the tripartite identity pattern:
[http://habitatchronicles.com/2008/10/the-tripartite-identity-pattern/](http://habitatchronicles.com/2008/10/the-tripartite-identity-pattern/)

~~~
kbenson
For the most part. My example was more a bipartite pattern, because I was
covering the authentication aspects, not the entire identity structure (which
I believe Facebook and LinkedIn would implement as the article outlines). For
a system where you don't need to track multiple social identities, and where
you interact within that system through your identity on that system, that's
probably enough.

------
Osmose
Disclaimer: I work for Mozilla, I maintain django-browserid (and StavrosK is a
valued contributor <3), and I have implemented Persona on _many_ sites. This
is all just my own personal opinion.

I was very bullish on Persona early on, but the fact of the matter is, _we
failed_. And not just because (as I feel is being implied) some higher up
suddenly came over and asked for an unreasonable amount of adoption for a
revolutionary product.

We failed for a thousand reasons. It should've been supported directly within
the Firefox chrome ASAP. It had branding different than the site you logged in
to and was in a popup[1]. It took the name of another Firefox feature that
users already knew about. Because the team was experimenting fast, the code
quality of the service was such that outside contribution to it (or even
cross-team contribution internally) was hard to impossible. There was no (or
very limited) metadata available for things like a shared avatar or display
name.

We had enough time to do these things, but we didn't. The team accomplished
something really amazing, but it wasn't enough, and most importantly, _putting
more effort into what already existed was not going to work_. This idea that
Mozilla can just turn around and throw effort at Persona and make it win now
is, IMO, wrong.

Identity needs more experimentation, that much is certain. But harping
bringing back Persona in particular is beating a dead horse. We need a
successor or a new project.

[1] Not only did this make Persona look _incredibly sketchy_ without a lot of
priming users, it had a major privacy issue of leaking your identity provider
and relying party to Mozilla via a centralized iframe we host. A mailing list
thread among the Persona devs and community failed to find a solution to this.

~~~
scrollaway
I agree with you on most of this. And yes, a "Persona 2.0" should really just
take the Persona lessons and learn from them, avoid the mistakes.

That's also why I mentioned in my other reply that I'd be willing to help a
project that has a chance to succeed - and that means being led by someone
who has themselves learned all the lessons from Persona. Someone who was on
the original dev team.

But this also needs backing from Mozilla, or a corporation like mozilla (there
aren't many).

While a lot of devs, including Mozilla devs, agree that Persona needs a
successor... there's no sign of any such backing.

~~~
igravious
> (there aren't many)

Because this is so important maybe it should be left to just one entity to
run. Ideally a federated identity login thing should be backed by a plethora
of orgs.

Let's make a list?

Redhat, Linux Foundation, Raspberry Pi, Ubuntu, Mozilla, LibreOffice, Eclipse,
GNU, ... ?

~~~
scrollaway
I could see a joint effort, similar to what happened with Let's Encrypt. The
players who benefit are different though so it's harder to get the same kind
of pull.

------
scrollaway
> _I don’t know if something like a Kickstarter campaign to raise some money
> to pay for engineer time would help sway Mozilla at all, but I’m perfectly
> happy pledging a few hundred dollars and running the campaign, if necessary.
> I just really want to see Persona succeed._

I mentioned this by email, but I'll repeat it here:

I believe in the design behind Persona. I believe a well structured, free
authentication provider is one of the core pillars of a _free web_, which is
exactly what Mozilla claims to stand for.

I believe in a free web and I'm also willing to put my money where my mouth
is. I'm ready to pledge not just my money but my time. I am willing to
volunteer my skills as a developer, UX designer and my experience leading FOSS
projects to Persona, or a Persona-like project that has a chance of
succeeding. If you are involved in this, feel free to email me (see my profile
for a point of contact).

I invite others willing to do the same to say so here.

~~~
StavrosK
Did I ever get back to you on that with the update?

For people not in the loop: I would also like to pledge my time in developing
a Persona or Persona alternative. I'm just a bit apprehensive on such a
project's chances if it weren't backed by a big company like Mozilla. Then
again, maybe we should just go for it.

~~~
scrollaway
You did not :) Have you talked to Dan Callahan yet?

------
buro9
Anyone who wants to see a demo of it, just sign in here (top right):
[https://login.persona.org/](https://login.persona.org/)

Anyone who wants to see how easy it is to deploy (JS on your page, a button,
and callback verifier on your server):
[https://developer.mozilla.org/en-US/Persona/Quick_Setup](https://developer.mozilla.org/en-US/Persona/Quick_Setup)

Anyone who wants to see it in action:
[https://www.lfgss.com/](https://www.lfgss.com/)

I love everything about Persona except for the fact that Mozilla are no longer
supporting a team around it, and it was given to the community in almost an
abandon-ware fashion.

The idea that this could have made an impact faster is laughable, choosing an
auth provider is such a slow process requiring considerable points of trust to
reinforce it... one of the most significant points of trust was Mozilla
itself, but it also needed a social reinforcement as more people adopted it.
Mozilla didn't give Persona the time it needed.

My criticisms of Persona are nothing to do with the fungible nature of email
as identity, which I think is OK enough in principle (it's no less identifying
than anything else and changes less frequently than a phone number), but to do
with:

1) The way Persona wants to centrally log-out from all sites, when a user's
experience is that they can sign-out from one site and remain signed-in on
another.

2) The lack of 2FA in the default instance they shipped/supported.

3) Some of the phrasing and language confuses users, especially after changing
to Persona. i.e. They were still a user on my site identified by email
address, but Persona would declare that they were not recognised... so I'd
have to spend time telling the user to ignore that and sign-in anyway.

The core product though, was exactly what the web needed, and exactly what I
needed for all of the sites I run.
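
The server-side "callback verifier" from buro9's three-part deployment, as an added example that is not code from the thread, from Mozilla or from django-browserid. It assumes the hosted verifier endpoint and the JSON fields (status, email, audience, expires in milliseconds, issuer) that the Persona docs of the time described; the HTTP transport is injectable so the checks run offline. The critical point is that the audience comes from the server's own configuration, never from the client.

```python
"""Added example: relying-party side of a Persona login. The assertion arrives
from the page's JavaScript; the server asks the verifier whether it is valid
for *this* site and only then trusts the email."""
import json
import time
import urllib.parse
import urllib.request

# Endpoint as documented by the Persona docs at the time (assumption: still reachable).
VERIFIER_URL = "https://verifier.login.persona.org/verify"


def post_to_verifier(assertion: str, audience: str) -> dict:
    """Real transport: POST assertion + audience to the verifier over HTTPS."""
    body = urllib.parse.urlencode({"assertion": assertion, "audience": audience}).encode()
    req = urllib.request.Request(VERIFIER_URL, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def verify_login(assertion: str, expected_audience: str,
                 transport=post_to_verifier, now: float = None):
    """Return the verified, lower-cased email address, or None.

    expected_audience is this site's origin (scheme://host[:port]) taken from
    server configuration. An assertion minted for another site carries a
    different audience and must not log anyone in here."""
    now = time.time() if now is None else now
    if not assertion or len(assertion) > 64 * 1024:
        return None
    try:
        result = transport(assertion, expected_audience)
    except Exception:
        return None  # network or parse failure: treat as not logged in
    if not isinstance(result, dict) or result.get("status") != "okay":
        return None
    # Exact match: no prefix/suffix tolerance on the origin.
    if result.get("audience") != expected_audience:
        return None
    # The verifier reports expiry in milliseconds since the epoch.
    expires = result.get("expires")
    if not isinstance(expires, (int, float)) or expires / 1000 < now:
        return None
    email = result.get("email")
    if not isinstance(email, str) or "@" not in email:
        return None
    return email.strip().lower()
```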

~~~
StavrosK
To address some of your points:

1) That is completely controlled by the site owner. In my sites, for example,
I just disabled the Persona JS while the user was logged in, so there was no
global log-out possible.

2) I believe the bridge was just a proof of concept, with the intention of
email providers supporting Persona directly so all the security could be
implemented there. I know you said "default bridge", but my side-project here
supports 2FA: [https://persowna.net/](https://persowna.net/)

3) That is very true, some UX changes were necessary, but imagine if the
browser itself could just pop up a window saying "do you want to log in to
this site using your email address? Yes/No", done.

~~~
aftbit
If you're so supportive of Persona, why don't you make your work in the area
(persowna.net) FOSS?

~~~
StavrosK
I just might.

------
xiaomai
Mozilla shutting down Persona was one of my biggest internet-related
disappointments this year. It seemed like the perfect OpenID replacement (that
might actually get used by normal people). Bring it back please!

------
darklajid
I've hit the upvote button, tweeted Stavros that I think this is awesome - but
I still want to document my support with a post.

I don't have a FB account and don't use my Google account a lot. I should
really delete the latter.

But it would be so much easier with Persona. Yes, a lot of sites won't adopt
it, at least at first. But with a well supported alternative that I want to
use, I'd have an easier time to say "fuck it" and close the browser window.

Right now I'm trying to go for the next best thing: Different accounts per
service (vs braindead "Log in with Silicon Valley Corp").

Alas.. Persona would simplify my password store a LOT. I'd back a campaign.
Not sure if I could offer hundreds of dollars, but let me state here that I'd
find a way to add 50-80 right away/as an incentive to adopt the project again
and I definitely would be able to contribute a recurring amount (a la Patreon
etc) for the ongoing development.

------
saurik
For more (and better) counter arguments, start with this thread (which was
about one particular comparison with Facebook Connect: possibly click to see
the parent for context) and then follow my chain of earlier comments I link at
the bottom of that one (which were more general, going into the flawed
assumptions in Persona about email).

[https://news.ycombinator.com/item?id=7243172](https://news.ycombinator.com/item?id=7243172)

(By the way, I am going to try to avoid wasting even more of my life arguing
on Hacker News about the benefits or lack thereof of Persona, so I am dropping
these links here to maybe seed discussion among others, but I am going to
attempt to avoid ruining my Christmas Eve by forcing myself to never look back
at this particular thread again ;P.)

Also, for anyone wondering if I have anything credible to say on this subject
before bothering to read any of this--and maybe to the one person who
downvoted me from 3 points to 2 points, which I noticed as I fleshed out the
"I will hopefully leave" message ;P--I have run a service with tens of
millions of users that _only_ uses federated login (though accounts are
optional, so I "only" have just over ten million accounts on file), and have
been staring at this space since 2001, when Microsoft announced Passport (at
the time, I even was thinking of starting my own single-sign-on service, but
was a naive college student ;P).

(later edit: I found another old thread on this subject that I am going to add
here as an edit, mostly because any other way of adding it might cause me to
see if there are any responses to this comment ;P. At the time, to this new
link, there were two responses I hadn't bothered seeing and responding to: one
from someone who insisted upon comparing the fundamental bug in Persona with
an existing "worst practice" (as opposed to any of the better alternative
options), and one who seems to be in left field assuming the value of a
Facebook account is based on whether the user updated their email address: the
point I was making is that Facebook isn't actually tied to email addresses, as
they "understand" the problem inherent in relying on them for anything, and so
users do not run into any of the issues that Persona not only doesn't solve
but actually makes worse. Regardless, yeah: even without reading any comments
from today I am already spending way too much time at this ;P.)

[https://news.ycombinator.com/item?id=8250301](https://news.ycombinator.com/item?id=8250301)

~~~
mgreg
While I agree that dealing with lost/defunct email addresses and thus accounts
can be a challenge there may be other solutions to these (e.g. SMS
confirmation, backup pass phrases). In any case it seems we're letting the
perfect be the enemy of good with this line of argument. Persona provides
significant privacy and perhaps security to alternatives.

~~~
cvalentin
The problem at that point becomes you start to implement a service, rather
than a protocol. I'm not sure there is necessarily a solution for identity
with the way email is currently implemented.

------
dorfsmay
I created this Persona Advocacy mailing list 11 months ago, but didn't get any
traction:

persona.advocacy@librelist.com

[http://librelist.com/browser//persona.advocacy/2015/1/24/the-mozilla-persona-advocacy-mailing-list/](http://librelist.com/browser//persona.advocacy/2015/1/24/the-mozilla-persona-advocacy-mailing-list/)

You can subscribe by sending an email to (first message is ditched):

    persona.advocacy@librelist.com

------
stickfigure
I was an early adopter of Persona (my site is billed as example in the docs)
and was similarly disappointed when Mozilla gave up on it.

In retrospect, I think that Mozilla made a mistake by centralizing the
fallback identity provider. The fallback provider was just a temporary edifice
to bootstrap the protocols; it didn't have to be run by Mozilla. Every website
could have run a small stack which remained fully self-branded and would only
verify email addresses for its own purposes.

I understand why Mozilla took the route they did - centralizing the fallback
provider eased the RP implementation, made it possible to rapidly rev the
protocols, and in theory made it more convenient for users since one Persona
password would work across multiple sites. In practice, however, users were
confused about the extra branding and the vague sense of logging into Persona
so you can log into a site. More critically, it made the whole project depend
on the whims of Mozilla - it's not just software we depend on, but
_infrastructure_, and without Mozilla's support the infrastructure will
eventually die.

If Persona is revived, I hope it becomes a complete software stack that every
RP can run independently. The fallback IdP should be 100% branded by the RP so
users are never confused about what site they are logging into. And as non-
hosted software, it should be able to live and evolve as open source software
without fear that some tepidly supported server will go down (or simply fail
to evolve). IMHO, this is the only way that Persona (or at least the auth
standard, which is what we care about) can survive long-term as a community
project.

------
soapdog
The main problem with Persona was not the tech, Persona is great and works
well. The problem is that building federated identity services is hard.
Persona is not a centralized login system such as "login with Facebook". With
Persona, once you decide to login with your email account, first Persona looks
for an IdP with your domain/provider, then if not found it goes back to the
persona catchall service. For a while gmail.com had support for Persona as
well and it worked transparently. I don't know if that is still the case.

What killed Persona was not tech but the lack of traction. Developers loved it
but failed to use it. By providing options such as FB, Google, Twitter and
other logins, the user chose the familiar service and never tried Persona. In
the end, the lack of traction together with the overall difficulty of building
federated identity services killed it.

But what is dead cannot die! Persona still works, I still use it every day in
lots of Mozilla properties and if I had to build some service that required
logins, I would use it even today. It is in the hand of the community but with
some care and more traction this can become cool again.

I will look into the source code and see if I can help somewhere.

~~~
deno
> What killed Persona was not tech but the lack of traction. Developers loved
> it but failed to use it.

The idea was always that Mozilla would ship native integration in Firefox.
There were very very pretty mockups going around and everyone was holding
their breath for that to happen.[1] Even announcing they would ship it in the
next version would mean 1) it’s stable now and 2) Mozilla is behind it.

My guess is Google (their sponsor at that time) made them drop it because they
were preparing to launch G+.

I know it’s a conspiracy theory, but it frankly makes more sense than all
those other non-reasons I keep hearing about in this thread.

[1] [http://www.extremetech.com/wp-content/uploads/2011/07/firefox-account-manager.jpg](http://www.extremetech.com/wp-content/uploads/2011/07/firefox-account-manager.jpg)

~~~
Flimm
I agree. Some people in this thread are saying Persona is not dead because
it's still up... but without the browser integration (which never arrived),
it's not even half as good as what it could be, and without Mozilla
endorsement, it's not going to get serious adoption.

------
patrickaljord
I don't really see the point in this and this is why: let's say Persona won
and all the big ones switched to it (Facebook, Google, Twitter etc.) by
becoming providers. Most people would still be using their Facebook, Google or
Twitter persona anyway (except for a few privacy sensitive users who don't
like SaaS anyway because it's bad for privacy according to them). So we would
have a situation that would be de facto very similar to what we have now (3
sign-in buttons for facebook, google and twitter) and then an extra one for
people using their own hosted provider. This is what happened with OpenID,
problem was that supporting people using their own providers became a
nightmare as these providers went down or had some incompatibilities. People
were just angry they couldn't sign in with their old providers, many of them
may have not even known they were using custom providers or what providers are
and the other half would be privacy nerds who enjoy complaining every time
their custom provider stops being fully compatible. For app owners, it would
just be a big waste of time and resources supporting these users.

~~~
StavrosK
You misunderstand how Persona works. You can't log in with Facebook or
Twitter, because they don't provide your email address. You can log in with an
email address, and the email provider doesn't know what sites you're logging
in to.

Try [https://pastery.net](https://pastery.net), log in there. If you have a
Gmail account, you'll just click "accept" and you're in.

~~~
patrickaljord
I just tried it and it redirected me to google oauth2 dialog. Same thing. If
anything, it's one step more than using google's oauth2 directly.

------
cmurf
Even though I didn't use Persona, having read this, I think this is a big WTF
moment for all of us, not just Mozilla. Now I want this thing I didn't know
existed because I have, and have had, a need for exactly this. I use a
password manager, but I don't really want to use one. I certainly don't like
my parents using them, because in fact I have to use them for them because the
UI/UX varies so much among web sites. There is no standard UI for changing
passwords or doing account resets. All of that shit could go away with this.
Fuck. We need to go retrieve that ship!

------
prodmerc
I find Keepass and/or Lastpass are better solutions - you can have different
logins for different sites, generate truly strong random passwords and login
with two clicks in any modern browser.

I don't want Google (or God forbid, Facebook) knowing what sites I login to
and part of my credentials, and I don't want websites to know my email
address.

I know you say they don't have this information, but it's not hard to get
access to it if they feel they want to. Google Web History already creeps me
out :-)

I also feel more secure with different passwords (and even emails) on
different sites.

~~~
r3bl
> Google Web History already creeps me out :-)

You know that you can turn off most of their tracking by doing a privacy
checkup? I can't guarantee that they don't know a lot about me and that
they're still not tracking me, but I can guarantee you that my Google history
is completely blank.

~~~
deno
Do you actually believe this accomplishes anything… This data is still in
their server logs[1] (and streamed directly to NSA).

USE TOR BROWSER FOR BROWSING. DON’T STAY LOGGED INTO GOOGLE. Anything less is
just a waste of time.

And seriously, Tor in 2015 is fast enough for 1080p h.264, there’s really no
excuse.

[1] [https://nakedsecurity.sophos.com/2011/10/20/law-student-triggers-22-legal-complaints-and-likely-audit-of-facebook/](https://nakedsecurity.sophos.com/2011/10/20/law-student-triggers-22-legal-complaints-and-likely-audit-of-facebook/)

------
charlieok
As I understand it, the main point of Persona was improving the situation
around authentication and passwords.

Now, I'm seeing indications that Mozilla is working on implementing FIDO U2F
support (“Mozilla’s commitment to add FIDO U2F support to the Firefox
browser”).

[https://www.yubico.com/2015/12/2015-was-a-yubico-rocket-ride/](https://www.yubico.com/2015/12/2015-was-a-yubico-rocket-ride/)

That seems like a much better approach to improving the situation around
authentication and passwords than Persona was.

------
wildlogic
This might be a silly question, but why do we need Mozilla to build this
system? Is it a matter of trust in Mozilla and a greater likelihood of
adoption if Mozilla is the organization providing this service?

~~~
espadrine
> _Is it a matter of trust in Mozilla_

Yes. Mozilla has helped bring a large number of Web-related standards while
maintaining consistently high privacy and security requirements.

Note that Persona isn't a one-central-service system, though. You can have a
ton of identity providers, assuming they all follow the same standard. You do
need one service to get started, however.

------
drdaeman
Please, don't.

Persona is an inherently bad protocol that continues the unnerving trend to
shift the concept of _identities_ from something that's owned to something
that's merely leased and temporarily granted.

It's better than "Login with $Provider" in a sense that $Provider doesn't get
the data, but it's equally worse in a sense that $Provider still owns your
identity.

I wrote about it here:
[https://news.ycombinator.com/item?id=10595347](https://news.ycombinator.com/item?id=10595347)

~~~
sundarurfriend
Could you suggest a usable, practical alternative then?

It seems from the other thread that you believe WebID to be a better
alternative to Persona/BrowserID. How practical and usable is it right now,
and what key advantages does it offer in your opinion?

~~~
drdaeman
Sadly, no alternative currently exists. Well, none I know of.

There were some attempts like WebID and gpgAuth, but none is usable at the
moment. They have to be dug out of dirt of oblivion, carefully analyzed and
improved with important features they're missing to be usable for ordinary
people (at least key escrow and sync - both completely optional, of course).

What I want from authentication system, is complete independence and full and
ultimate control and ownership of my own identity. I don't want to trust,
depend or even need any third party just to have an account with someone. Not
even if this third party is a domain name registrar, not even if I have a
legal agreement with them.

When we had just usernames and passwords - it was exactly like that, except
for mandatory emails thingy (but that's another story). I met someone, we
introduce ourselves, negotiate a shared secret - and we're now acquaintances.
With OpenID/OAuth/SAML/JWT/Persona this is no more the case - we have to call
a notary and the notary will tell us who I am. And I really don't like this
and want to see this fixed.

I want to revoke any possibility of any third party to revoke or otherwise
deny my identity. They may assert my identity (say they know me and I'm a good
lad) and revoke their assertion about my identity (i.e. say they don't trust
me anymore), but not the fact who I am.

------
fermigier
I've used Persona on one project (see:
[https://github.com/OWF/owf2014/blob/master/website/auth/pers...](https://github.com/OWF/owf2014/blob/master/website/auth/persona.py)).
It was awesome (much much easier than the OAuth dance with the various
providers we wanted to support). I wholeheartedly agree w/ Stavros.

------
jaybosamiya
> As security people like to say, “put all your eggs in one basket and stick
> the basket in Fort Knox”

I'm not so sure I want to do that. The point is, even that single Fort Knox
can be breached at some point, and if it is, then everything is lost.

I agree that nowadays, email is almost unanimously the way to verify a
password reset, and hence all your eggs are already in one basket, but
shouldn't there be further protections?

~~~
ZenoArrow
> "I agree that nowadays, email is almost unanimously the way to verify a
> password reset, and hence all your eggs are already in one basket, but
> shouldn't there be further protections?"

A few of the major webmail providers offer two-factor authentication, so
that's one option to enhance protection. Here's some information about how to
enable it for Gmail, Hotmail and Yahoo Mail:

[https://www.google.com/landing/2step/](https://www.google.com/landing/2step/)

[http://windows.microsoft.com/en-gb/windows/two-step-verification-faq](http://windows.microsoft.com/en-gb/windows/two-step-verification-faq)

[https://help.yahoo.com/kb/SLN5013.html](https://help.yahoo.com/kb/SLN5013.html)

------
odbol
Persona is a neat idea, but there's a better one: get rid of password logins
altogether. I should just be able to enter my email on ANY site, and they'll
send me an email with a login button. I click the login button in the email,
and am automatically logged into the site for as long as necessary.

It's exactly as secure as the "Forgot my password" reset nonsense, but
streamlined to be way easier on the user. Then you only need one password: the
one to your email. This removes the need for Persona to "add support" for
different email providers. Your provider doesn't matter, just the fact that
you can receive emails!

I'd really wish more sites would just do this anyway. For instance, every time
I get an analytics daily report from Fabric.io, I click the link in the email,
and it asks me to login. WHY ARE YOU ASKING ME TO LOGIN, WHEN I JUST CLICKED
AN EMAIL YOU SENT ME? It's obviously me!

~~~
Flimm
If you have an identity server, a website and a browser that all support
Persona, (and you've already been through the process once), Persona would
work much better than that. You don't have to memorise a new password and you
don't have to click on a verification email. You just land on a new site,
click log in with Persona, choose your email address, and TADA! you're in. And
the beauty of it is that your email provider doesn't even know which sites
you're logging in to.

------
IgorPartola
While I think Persona is way better than password-based auth, I can't help but
feel that it's also a sideways step. No, authentication should be provided by
the user-agent, not by some third party identity provider (even if you control
it by running your own). We have this for ssh: you have your private ssh key
and it's up to you to manage having it in the right places (work desktop,
laptop, phone, etc.) It's clunky, but that's OK: it's aimed at tech people.

Browsers should do something similar: provide a storage for private and public
keys as proof of identity. But they should additionally provide a way to sync
those identities across multiple browsers and machines. This latter concept
will be familiar to anyone who has used LastPass. The former, well it should
basically be a dropdown with your identities, and you choose one before
clicking the "Login" button.

~~~
mgbmtl
To some extent, this is similar to SSL/TLS certificates that can be used to
authenticate the user (not just the server). If I recall correctly,
[http://startssl.com/](http://startssl.com/) does that.

It's not a very intuitive mode of authentication, but if the UI was improved,
and combined with a sync service (& encrypted with a passphrase), I guess it
could be usable? (also, presumably it requires the site to use https, but
that's also much more expected today than it was 10 years ago)

~~~
IgorPartola
Yeah, basically this. I have used it before and client side TLS certs are
anything but intuitive. They are also not widely supported.

------
romaniv
_> Anyone with access to your email account can simply reset any password on
any site. The right solution is to make your email account very, very secure._

No, the right solution is to stop using email as sole identification for
password resets. Yes, there are other solutions you can implement right now
without waiting for some big company to save you.

The most obvious one is to create a second factor of authentication _just for
account resets_. It could be via an SMS _OR_ simply by asking the user to print
out/write down a special randomly generated "reset" number.

"But SMS costs money!" No, for most providers you can send an email to a
special address reserved for the phone number. It will get translated to SMS
automatically.

"But users will forget/lose their reset number!" Maybe, maybe not. It's a
cultural thing. You don't expect them to lose access to their email, but that
happens all the time.

~~~
ygjb
SMS is an awful point of failure to inject into a protocol. It is plain-text,
monitored in many countries, and can be unreliable and expensive in emerging
markets, and just no.

"But users will forget/lose their reset number!" Maybe, maybe not. It's a
cultural thing. Really? Can you cite anything here that indicates this is the
case?

Users treat email access differently, seeing as how it's bound to user
identity, usually across dozens, if not hundreds of services.

~~~
tim333
SMS though provides a higher level of security. Some hacker anywhere on the
planet could have accessed my email and passwords but they can't get a code
sent to my phone unless they are nearby and have got hold of the phone. I'm
not sure it being plain text and monitored matters much as all that's being
sent is a random number usually. I'll admit it could cost more and so may not
be the thing for sites with lots of free users. If you can't get SMS some
sites will phone you with a recorded message.

------
tajen
- Can Mozilla set up a kickstarter for this project?

- Is it technically possible to create a Bash/SSH integration? The Linux
world pretty much has SSO now, it would be an awesome argument to have this
and Persona extend each other.

~~~
slasaus
The client that wants to login always needs to execute a browser (or at least
a render and JavaScript engine). See this (stalled) proposal to make it more
compatible with non-browser/simpler agents:
[https://groups.google.com/d/msg/mozilla.dev.identity/L2ETKkd...](https://groups.google.com/d/msg/mozilla.dev.identity/L2ETKkdMv8g/q3ffwFaJgl0J)

~~~
lukeh
Well, we had Persona working as both a GSS-API mechanism on Unix and an SSP on
Windows. You could use it to sign in to Exchange with Outlook - that was
pretty cool. Links here:

* [https://hacks.mozilla.org/2013/04/mozilla-persona-for-the-no...](https://hacks.mozilla.org/2013/04/mozilla-persona-for-the-non-web/)

* [https://github.com/PADL/libbrowserid](https://github.com/PADL/libbrowserid)

* [https://tools.ietf.org/html/draft-howard-gss-browserid-07](https://tools.ietf.org/html/draft-howard-gss-browserid-07)

------
programminggeek
Not sure if anyone realizes this, but Mozilla is not really an open source
thing. It's a company that happens to be a nonprofit. It deploys resources and
runs itself like a Silicon Valley company.

It's not just a bunch of dudes in their basements writing code. They have like
$330 million in annual revenue. They are sitting on like $90 million in cash.

Mozilla isn't about software for its own sake or just for the sake of the web.
They are about self preservation and Persona wasn't going to keep them alive,
so they killed it.

Mozilla is a company. That is what companies do.

~~~
mlinksva
I've got plenty of quibbles with Mozilla (including their handling of Persona)
but "open source thing" and "company" are not mutually exclusive. We need more
entities with lots of resources doing almost exclusively open source.

------
NelsonMinar
We've had 10+ years now of failures to build a proper federated authentication
system (RIP OpenID). The problem isn't technical, and it's only a little bit
product design. The problem is political. The big companies with the influence
to support a system like Persona don't want it. Facebook, Google, etc. believe
they can own identity on the Internet themselves, so they won't support a
neutral identity provider. Which is a terrible situation for users.

Mozilla absolutely is the right kind of organization to try to attack this
Gordian knot.

~~~
wpietri
I totally agree with the first paragraph, but I'm not convinced on the second.

Mozilla is right in the sense that they're independent and a not-for-profit.
But they're also small relative to the other players, with more limited
resources. They also just don't seem to be very good at politics and/or
building business partnerships.

In particular here they seemed to solve it as mainly a technical problem. They
apparently launched it with the assumption that its existence alone was
sufficient to generate uptake, which even at the time seemed naive to me. And
then after a while they shrugged, said, "looks like it doesn't work" and
closed it down. That doesn't seem like the right organization to me.

~~~
NelsonMinar
I agree the Mozilla organization has failed here. I guess I don't know any
other neutral organization that could do this. We have precious few
user-advocacy organizations out there. It's outside EFF's bailiwick. I don't
think Apache is any better at politics than Mozilla.

------
_pmf_
Is there a short introduction as to how Persona deviates from the original
decentralized OAuth approach? I'm a bit unclear why what didn't work for
decentralized OAuth should work for Persona.

~~~
icebraining
What was the decentralized OAuth approach? Are you referring to OpenID?

If so, the difference is that Persona works with whatever email
address/account the user already owns, just like plain email/password
authentication; they don't have to figure out that they need to create an
account in some "identity provider", which then gives them a URL to
copy-paste into the site.

------
sgarrity
The best way to get Persona adopted would be to have someone significant
_other_ than Mozilla adopt it. If IE, Safari, or Chrome had adopted it, it
would have had a great chance at success.

~~~
soapdog
Just to be clear, Persona works on IE, Safari and Chrome as well. It is not
tied to Firefox. You can login to MDN for example using Persona on Chrome if
you'd like to.

------
TazeTSchnitzel
It's alarming that after 2 years they killed it off for lack of traction, and
not only that, decided they had failed.

How could they have possibly succeeded in that timescale? They seem to think
there were flaws with Persona, and that's true, but those flaws could be
fixed. Making a few mistakes on an attempt doesn't mean you should kill it off
if the basic product works well. It means you fix them. Starting a new Persona
is silly, Persona itself works.

------
slacka
It's nearly 2016 and Firefox can still only use 1 of my 8 CPU cores, and I
can still bog down the UI with heavy web apps. My favorite email client is no
longer supported, and now a potentially great privacy tool is being dropped.
Meanwhile, after wasting countless man hours on a Mobile OS, they're now
"pivoting" to IoT.

Why can't they just focus on what people value them for, web browsers and
privacy?

------
JoachimSchipper
> Even if your email provider does end up getting breached, you only need to
> change one password to be perfectly secure everywhere again.

I liked the article, but this is not true - if a service gives out password
reset tokens or log-in-via-emailed-link tokens, a breach of your e-mail will
still require a reset on that service. Even in a fully Persona'ified world,
such tokens are likely to exist for at least some services.
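One way to bound the exposure JoachimSchipper describes, as an added example that is neither the article's nor the thread's code: emailed log-in-link tokens carry the user's current "credential epoch", so a single recovery action on the service (changing the password after a mailbox breach) invalidates every link still in flight without the service having to find and delete each one. The helper names, the `USERS` dict, the in-memory `REDEEMED` set and the 10-minute lifetime are assumptions made here.

```python
"""Epoch-bound, single-use, expiring log-in-link tokens (added example, hypothetical API)."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)   # hypothetical: a real service loads this from a secret store
LINK_TTL_SECONDS = 10 * 60             # emailed links stop working after 10 minutes

USERS = {"alice": {"epoch": 0}}        # constructed sample user; epoch changes on recovery
REDEEMED: set = set()                  # nonces of links already used (single-use enforcement)


def _sign(payload: bytes) -> str:
    """HMAC over the payload so a token cannot be forged or altered without SERVER_KEY."""
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_login_link(user: str, now: Optional[float] = None) -> str:
    """Create the token that goes into the emailed link; it is bound to the user's current epoch."""
    now = time.time() if now is None else now
    claims = {
        "u": user,
        "e": USERS[user]["epoch"],
        "exp": now + LINK_TTL_SECONDS,
        "n": secrets.token_hex(8),     # nonce so the link can be consumed exactly once
    }
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def redeem_login_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the link is genuine, unexpired, unrevoked and unused; otherwise None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64.encode())
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None                    # forged or tampered
    claims = json.loads(payload)
    user = USERS.get(claims["u"])
    if user is None or now > claims["exp"]:
        return None                    # unknown user or expired link
    if claims["e"] != user["epoch"]:
        return None                    # issued before the user's last recovery: revoked
    if claims["n"] in REDEEMED:
        return None                    # already consumed
    REDEEMED.add(claims["n"])
    return claims["u"]


def recover_account(user: str) -> None:
    """Called when the user changes their password or reports a breach: every outstanding link dies."""
    USERS[user]["epoch"] += 1
```

This is the service-side step the comment is pointing at: rotating the e-mail password alone does nothing to a link already delivered to the attacker, so the service needs its own revocation, and short lifetimes limit how long the window stays open in the first place.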

------
natrius
Persona seemed like the right identity product for its time, but technology
has moved on in the years since. We now have blockchains: shared,
publicly-writable databases that are perfect for hosting identities that users
fully control. Figuring out decentralized identity is part of my day job, and if
it's something you're interested in building or talking about, email me:
niran@niran.org.

------
JohnDeHope
You're right. I sent Mozilla $5 this year just for doing what they already do.
Kickstart this and they'd get millions, I'd guess.

------
Perixoog
>Tell the email provider you want to give a site permission to know your email
address, without telling the provider which site it is.

Then the site emails you anyway. (If you didn't want them to, you shouldn't
have given them your email address).

~~~
sp332
The email could be used for authentication purposes and not for actual email.

------
Twisell
If someone at Apple is reading this... please fork it (or build up from
scratch) a solid open source SSO system and become an official (but optional)
identity provider for your millions of customers.

This would be a win-win as this could help AppleID and TouchID become even
more central for your users while demonstrating at the same time that you care
about privacy and are willing to develop an open standard to support a strong
and distributed identity management system as an alternative to Google's and
Facebook's centralized and privacy-unfriendly solutions.

------
floatboth
[https://indieauth.com](https://indieauth.com)

Of course domains aren't as popular as email addresses, but OpenID used
domains… This is like OpenID done right.

------
sergiotapia
I backed persona with a well written example back when it first 'came out'
into the mainstream:
[https://github.com/sergiotapia/ASP.Net-MVC3-Persona-Demo](https://github.com/sergiotapia/ASP.Net-MVC3-Persona-Demo)

It was super easy to integrate, better UX in my eyes, but Mozilla just shut it
down for some reason. It died down.

I hope they assign more resources to it. I hate having Facebook sign ins on my
website.

------
foxbarrington
As a dev, it was really nice to use Persona and not have to build an
authentication system for each project.

Now we use Authentic
([https://github.com/davidguttman/authentic](https://github.com/davidguttman/authentic)).
In some ways it's better (e.g. get to control your own UI/UX flows), but it
would have been nice to just have Mozilla run/host everything.

------
sova
Persona is a most promising idea because it will eventually lead to secure
passwordless login everywhere. Keep the pedal to the metal guys!

~~~
SimeVidas
But Persona _isn’t_ passwordless, or?

~~~
quadrangle
Persona is passwordless. The idea is that you verify with your email provider
who supports it. Your email provider may have a password, but there's no
Persona-related password (unless you use Mozilla's Persona.org service because
your email provider doesn't support Persona directly).

------
um_ya
Don't know why persona never caught on, it was probably the best
developer/user logon experience I've ever used. When I created my last site, I
was very excited about persona, until I realized nobody was developing it
anymore, which made me decide against using it. I wish Mozilla would have
completed persona before abandoning it.

------
Lethalman
Sorry, where is it said they will stop development of Persona? The homepage
and the service seem to be in full health, there's no warning anywhere for
users of Persona.

Is there any official statement that Persona will shut down?

~~~
maxerickson
[http://identity.mozilla.com/](http://identity.mozilla.com/)

------
goatic
Persona sounds like what I've always dreamed of for authentication. Why is
this not happening anywhere yet?

------
grayrest
The message I got from Persona was "hey we're developing this thing, it'll be
part of Firefox." Sounded like a pretty good idea to me and the signal for it
being ready so I could reasonably push for adoption. Then it got shut down for
no apparent reason.

------
stevetjoa
My first experience with Persona was through my mobile phone provider, Ting.
They still use Persona:
[https://ting.com/account/login](https://ting.com/account/login). I loved it
then, and I love it now.

------
hexis
I haven't looked into Persona since they shut it down, but is it a protocol or
a service? If it was actively developed again, would one be able to use
Persona without integrating with any Mozilla service at all or would there
always be a Mozilla layer involved?

~~~
quadrangle
The backend was called BrowserID, and it was supposed to integrate with your
browser and be supported by email providers _not_ be some Mozilla service.
It's only a service because they didn't get around to implementing the actual
BrowserID design, so they run a service for now, and then they halted
development before they even _tried_ to build the actual design!

------
lukeh
I really liked Persona and put a bunch of work into extending it (adding
support for things like selective attribute disclosure). One real design
limitation was that it didn't support delegation (the original use case for
OAuth).

------
greggman
Just an idea but could they work with the wordpress guys to make it the
default system for wordpress? They're both open source companies and
apparently wordpress runs a large percentage of the web.

------
shmerl
I didn't even realize Persona was shut down. It was a good idea.

------
akerro
AND TAKE POCKET AWAY!

------
ivanb
My only gripe with Persona is that it is not easy to use in mobile apps, if at
all possible.

------
anonbanker
Mitch Baker should be commended on her hard work turning Mozilla back into
Netscape.

------
transfire
You know what poverty is? Always starting over. Mozilla is getting good at
that.

~~~
isolate
Firefox is ancient.

------
muppetman
People who write open letters need to fall in a hole. They're so lame.

