

Is Persona the Authentication System That We’ve All Been Waiting For? (2012) - ianlevesque
https://xato.net/passwords/mozillas-persona-authentication/

======
wvh
I like Persona and – about a year ago – was thinking of using the service in a
medium-sized project I'm managing. I did some experiments and it (technically)
worked fine for our purposes, and educating users on its use didn't seem too
hard either. In the end though, I decided to roll our own (simple)
authentication system because of a lack of hard guarantees that Persona (the
service) would still exist a few years down the line.

I don't like to depend on external factors for long-term projects that go into
maintenance mode and this is very much a problem with 3rd-party
authentication.

We could of course try to install the Persona server ourselves, but that
seemed like a bit too much effort considering the size of the project.

In short, Persona good, uncertainty around it bad. I guess it suffers from a
chicken-and-egg (or critical mass) problem.

------
hmans
Persona solved a real problem in a straightforward manner, which, in today's
web, is a surefire way to fail. People often complain about things (Facebook
being a walled garden, Twitter mucking up third party clients, authentication
being broken etc.), but then end up giving in to convenience.

~~~
urptght
It's easy to casually dismiss Persona's lack of adoption but there are real
problems with it. For example it is not easy for hosting providers to deploy
(custom domains, domain:443 may not be controlled by the provider, SSL certs,
etc).

~~~
callahad
I'd love to take another run at Persona in a few years once DNSSEC gets sorted
out. As the world exists today, requiring a specific response to
GET /.well-known/browserid over TLS on the apex seemed like the most reasonable option.

~~~
urptght
ACME and LetsEncrypt should allow for easy to deploy and free (or cheap)
certificates this year. With that and the use of SRV records to find the HTTPS
endpoint, it could well be made simpler to deploy Persona this year.

(For those unfamiliar with SRV records, they're found at
_service._proto.domain and contain a target name and port at which a service
for domain can be found. i.e.: _persona-https._tcp.user.example could list
provider.example:8443, and provider.example:8443 would be expected to be able
to produce a certificate for user.example.)
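
The SRV-based discovery sketched in the comment above, as an added example that is not part of the original thread: the SRV answer only decides where to connect, while the certificate is verified against the user's own domain. `_persona-https` is the commenter's hypothetical service label; the function names and sample records are constructed for illustration.

```python
import socket
import ssl
from typing import NamedTuple

class Srv(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str

def srv_name(domain, service="persona-https", proto="tcp"):
    """Owner name to query: _service._proto.domain (hypothetical service label)."""
    return f"_{service}._{proto}.{domain.rstrip('.').lower()}"

def parse_srv(rdata):
    """Parse SRV RDATA in presentation form: 'priority weight port target'."""
    priority, weight, port, target = rdata.split()
    if not 0 <= int(port) <= 65535:
        raise ValueError(f"bad SRV port: {port}")
    return Srv(int(priority), int(weight), int(port), target.rstrip(".").lower())

def plan_connection(domain, rdatas):
    """Return (connect_host, connect_port, name_to_verify) for a user's domain."""
    records = [parse_srv(r) for r in rdatas]
    usable = [r for r in records if r.target]  # target "." means no service (RFC 2782)
    if not usable:
        raise LookupError(f"no usable SRV target for {srv_name(domain)}")
    # Lowest priority wins; RFC 2782 picks randomly by weight among equals,
    # simplified here to the highest weight so the result is deterministic.
    best = min(usable, key=lambda r: (r.priority, -r.weight))
    # Without DNSSEC the SRV answer is unauthenticated, so it only chooses the
    # endpoint. The certificate is always checked against the user's domain.
    return best.target, best.port, domain.rstrip(".").lower()

def fetch_support_document(domain, rdatas, timeout=5.0):
    """Fetch /.well-known/browserid from the SRV target, verifying TLS for `domain`."""
    host, port, verify_name = plan_connection(domain, rdatas)
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking on
    request = (f"GET /.well-known/browserid HTTP/1.1\r\n"
               f"Host: {verify_name}\r\nConnection: close\r\n\r\n")
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=verify_name) as tls:
            tls.sendall(request.encode("ascii"))
            return b"".join(iter(lambda: tls.recv(4096), b""))

# Constructed sample answers for _persona-https._tcp.user.example
SAMPLE_RDATA = ["20 0 443 backup.provider.example.", "10 5 8443 provider.example."]
```

If a forged SRV answer pointed at a host that cannot present a valid certificate for user.example, the handshake in `fetch_support_document` fails instead of trusting the redirected endpoint.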

