
Ask HN: Mozilla Persona Post-Mortem - pc2g4d
As far as I can tell, the demise of Mozilla Persona has left a vacuum in terms of user-controlled identity solutions. Why did Persona fail? What else is happening in this area? What's coming up on the horizon?
======
TazeTSchnitzel
Portier (formerly Let's Auth) was set up by a bunch of people interested in
decentralised identity solutions after Persona was killed, as a sort of
spiritual successor: [https://portier.github.io/](https://portier.github.io/)

~~~
Rotareti
I recently implemented Portier in a project. I haven't come across a nicer
login system. It's dead simple and a joy to use. I hope it'll become more
popular!

------
mnoorenberghe
The after action report (AAR) can be found at
[https://wiki.mozilla.org/Identity/Persona_AAR](https://wiki.mozilla.org/Identity/Persona_AAR)

------
oxguy3
The main purpose of Persona was cross-site login, and it seems like there's a
million options for that: Google, Facebook, Twitter, Reddit, Steam, etc etc
etc. Broadly speaking, you can support a lot of these platforms all at once
with OpenID (don't know too much about OpenID though; not sure how prevalent
support is).

I think Persona failed because it simply wasn't the easiest option for the
end-user. When given the choice to create an account on Persona, or sign in
with the social media account they already have, most people will follow the
principle of least effort and use their existing social account.

~~~
JoshTriplett
The original Persona proposal had the concept of browser-based identity. Your
browser would provide secure authentication, and then Firefox Sync would let
you bring the authentication credentials with you to other systems. You'd just
click "sign in" on a site (or in the browser UI) and your browser would sign
you in, with no other interaction required.

However, outside of a prototype addon, that approach never materialized. And
without that, Persona didn't have a compelling use case except for people who
didn't want to trust signing in via Facebook or Google or Twitter.

We're finally starting to see standards proposals that address this, and allow
signing in via cryptographic authentication built into your browser. I hope to
see those make OAuth obsolete for any use case _other_ than API access to an
account (e.g. "allow this site to integrate with Github").

~~~
lifeisstillgood
> We're finally starting to see standards proposals that address this, and
> allow signing in via cryptographic

could you point us at these - would be very interested as the lack of PKI in
the world does bother me

~~~
JoshTriplett
[https://www.w3.org/TR/webauthn/](https://www.w3.org/TR/webauthn/)

Disclaimer: I have _not_ reviewed this spec in detail yet, and my confidence
in the W3C is _not_ high.

~~~
cpeterso
Firefox 60 will ship the WebAuthn API. Here's a Mozilla blog post with
examples of how to use WebAuthn and FIDO U2F devices:

[https://hacks.mozilla.org/2018/01/using-hardware-token-based...](https://hacks.mozilla.org/2018/01/using-hardware-token-based-2fa-with-the-webauthn-api/)

~~~
JoshTriplett
Will it work with a key stored in the "software security device", rather than
a hardware token?

For that matter, the description shown on that page suggests that it supports
using the key on the hardware token as the _only_ authentication factor. That
seems dangerous. Unlike a key stored on an encrypted disk, a U2F key typically
works for anyone who steals it. Firefox needs to use that key _together_ with
another key stored in the browser, or otherwise ensure that someone who steals
the U2F key does not gain access to every account secured with WebAuthn.

~~~
cpeterso
Yes, I think Firefox will support U2F "soft tokens". Code for a
U2FSoftTokenManager was added in Firefox bug 1323339.

[https://bugzilla.mozilla.org/show_bug.cgi?id=1323339](https://bugzilla.mozilla.org/show_bug.cgi?id=1323339)

------
masukomi
There was a post here by the head of the team about 4 years ago going over his
thoughts on the matter
[https://news.ycombinator.com/item?id=7364465](https://news.ycombinator.com/item?id=7364465)

and as someone else mentioned the After Action Report summarized the bullet
points well:
[https://wiki.mozilla.org/Identity/Persona_AAR](https://wiki.mozilla.org/Identity/Persona_AAR)

