

Persona - Mozilla's decentralized and secure authentication system - 00joe
https://developer.mozilla.org/en-US/docs/Persona

======
natch
Authentication mechanisms and the way they are implemented can have bleedover
into the ability of a user to maintain control of their anonymity and privacy.

Has there been any writeup that explains the potential impact of Persona on
privacy? Not just the impact when used as intended, but also any unintended
effects?

~~~
callahad
I'm not aware of any standalone articles, but something of that nature would
be really fantastic. Such an article would probably be best if written by
someone outside of the Persona team.

~~~
ygjb
Just a further comment, anyone interested in writing such an analysis or
document should contact us with any questions!

------
y0ghur7_xxx
Previous discussion: <http://news.ycombinator.com/item?id=4580986>

------
jpxxx
I can't come up with any reason why this isn't going to be massive. The
password problem is the single most frustrating and alienating issue I can
think of for normal users.

~~~
gambler
Two big issues so far: it still uses email for password resets (without
alternatives that I know of) and it doesn't work without JavaScript. I hope
both of them get addressed.

~~~
fmarier
The fallback identity provider (at login.persona.org) does use email for
password resets, but other identity providers will likely use other
mechanisms.

~~~
gambler
I hope so, but why not do the right thing in the default identity provider?

Lately, there have been _tons_ of high-profile hacks that boiled down to
taking control of a victim's email and resetting passwords to other accounts.
What seems to be the best response possible from web developers? Is it:

a) Demand that all your users use Gmail with enabled two-factor
authentication, then smugly blame them for all security issues if they don't.

b) Stop using emails for password resets, since you don't really know how
trustworthy your users' email providers are.

~~~
Flimm
One of the ways crackers gain access to a user's email is by guessing their
password, a simple task when a huge number of users use the same password
everywhere. With Persona, only your email provider (and the persona.org
fallback) have your password (two passwords in the case of the fallback),
hashed or not.

If you're already a password ninja and use a different and unpredictable
password on every different site without forgetting them, Persona isn't an
improvement in security. If you don't, as most users don't, Persona makes
authentication more secure and more user-friendly at the same time.

With Persona, your weakest point would still be your email provider, which is
why it would still be wise to recommend two-factor authentication for your
email.

If you're already a password ninja and use a different and unpredictable
password on every different site without forgetting them, AND you have enabled
two-factor authentication with your email provider, Persona IS an improvement
in security. This is because, with Persona, having two-factor authentication
for your email would automatically mean two-factor authentication for all your
websites as well.

~~~
Tantrick
I use Two-Factor Authentication across a lot of my accounts. I feel a lot more
secure when I can telesign into my account. If you have that option available
to you, use it; it is worth the time and effort to have the confidence that
your account won't get hacked and your personal information isn't up for
grabs. If you opt into 2FA, you will have to "Confirm your phone". You would
receive a text message with a specific code to be entered into the system. If
you don't want to do this every single time, you can designate your
smartphone, PC, or tablet as a trusted device and they will allow you to
telesign in without the text code. Should an attempt to log in from an
unrecognized device happen, it would not be allowed.

------
Nux
How would I log in from a friend's computer with Persona? How about from an
Internet cafe; how safe would it be? Persona looks like something that locks
you into a certain device or at least makes it harder to log in on devices
that are not your own.

I'd rather they made OpenID less scary (to average Joe) instead.

~~~
Sami_Lehtinen
You really shouldn't log in from any non-secure terminal. I have caught even
pros making that mistake with production systems. It's a major fail!

~~~
Nux
Major fail or not, a good part of the world does not own their own computer.

------
eslaught
Are there any good descriptions for how Persona works? I can find plenty of
developer documentation on this site, but I can't seem to find a good, concise
description of what parties are involved and what the protocol is, etc.

(Maybe I'm not looking deep enough? Anyway, thanks in advance.)

~~~
fmarier
This talk gets into how the protocol works without getting too much into the
crypto: <https://www.youtube.com/watch?v=iZBTc7iEkQY>

~~~
gambler
I just watched the video. So, apparently, the long-term goal is to have email
providers support this and sign user certificates. I'm still not clear on
what information a certificate would contain.

More importantly, I really dislike the answer to the second question from the
audience. Even when the system is fully supported without fallbacks, hacking
a person's email account will grant the attacker the ability to log into all
websites as the victim?

I already am quite concerned with how much control over everyone's identities
services like Gmail have. If I understand it correctly, Persona will give them
more direct control over users' identities. It's only decentralized in the sense
that different email providers will be able to implement it separately, and
verify identities of _their_ users.

I hope I'm missing something from the big picture here.

~~~
Flimm
> If I understand it correctly, Persona will give [identity services like
> Gmail] more direct control over users' identities.

No, Gmail already has that control. Almost every website out there allows you
to reset your password by sending you an email. If you control the user's
email, you can change their passwords. Persona changes nothing in this regard.

~~~
gambler
1\. Right now, Gmail has only as much control over accounts as individual
website developers give it. It's up to us to implement alternative password
reset systems and make them the default. Any website can (and in my opinion
should) switch to something else at any time, because, firstly, the password
reset system is decoupled from the core authentication mechanism and, secondly,
it is under the web developer's control. Mass adoption of Persona will change
this problem from locally solvable to unsolvable. If this becomes _the_
authentication standard (which seems to be the project's goal), you will _have
to_ trust the user's email provider.

2\. Right now, Gmail can reset your password, but it cannot silently authorize
someone else to use your account without you knowing. It seems (and correct me
if I'm wrong here), that with Persona such scenarios will become possible.

~~~
Flimm
1\. You're comparing Persona to an imaginary world where most websites don't
rely on email providers to prove authentication. I'm comparing Persona with
the actual situation where people use the same password everywhere. Persona
isn't perfect, but it is much better than what the vast majority of websites
use, and it allows even better methods to be implemented where needed.
Furthermore, Persona is more usable, and therefore more attractive and more
likely to be deployed widely.

2\. Yes, it can. It can delete password reset notifications. If the
notification contained the password in plain text, then there would be no easy
way to find out whether Gmail logged in to your account on X. If the
notification contained a password reset link, there is a possibility that the
user would subsequently discover that their password was no longer accepted on
X. But given that most users use the same password everywhere, Gmail already
has a huge potential for evil, as it could just use the passwords it has
already collected. Users that worry about Gmail can use an alternative email
provider or their own, after all, email and Persona are both decentralised.
Website developers that worry about Gmail can use other authentication methods
on top of Persona, such as in-house two-factor authentication.

tldr; if Gmail is evil, both Persona and current systems can't stop it. If
that worries you, use your own email server, and use other authentication
methods on top of Persona on your websites.

~~~
gambler
_You're comparing Persona to an imaginary world where most websites don't rely
on email providers to prove authentication._

I'm comparing hypothetical mass-adoption of Persona with hypothetical
mass-adoption of alternative password reset policy. It seems like a fair
comparison.

------
StavrosK
There was a post about this yesterday, but I'll upvote it because it needs all
the exposure it can get.

------
wgd
I really like the overall result of Persona when used for logging into a web
site, but has anyone come up with a good way of integrating Persona login with
mobile apps or APIs?

I suppose mobile apps would ideally use some sort of Persona login service
provided by the underlying OS, and until such a thing exists I guess an app
could reimplement all the user-agent logic and load the user's login page in a
webview. But I have no idea at all how I would go about designing an API for a
website which uses Persona for logins.

~~~
callahad
We don't have a good path for native apps, yet. There have been a few
experiments using Persona in native iOS (Pancake) and Android (Soup)
environments, and it apparently works great in PhoneGap apps, if you use the
ChildBrowser plugin.

The bug to watch is this one:
<https://github.com/mozilla/browserid/issues/2034>. Supporting environments
without popups will clear the way for good native SDKs.

------
lukev
Other than the benefit of using strong crypto under the hood, I'm not sure
what benefits this has over a system like OpenID. It has about the same level
of interactional complexity, and at the additional cost of requiring browser
support.

If we're going to have browser support anyway, I'd rather just use standard
two-way SSL and put the work into developing better UI and private key
distribution systems for it. It's even more secure and has a great user
experience once you've set up the key in the browser and authorized it to the
site.

~~~
shantanubala
Usability involves more than one target audience: it also has to be easy for
developers to integrate.

BrowserID (Persona) took me minutes to implement. On a non-trivial project, it
may take a couple hours. The beauty of this _is_ the fact that it still works
without built-in browser support. It's designed to be a forwards-compatible
API that only becomes more usable with time.

Additionally, email is an excellent way to establish a user's identity, and
the fact that it's designed around email makes it easy for a regular person to
understand its authentication flow.

The problem with SSL is that it is an all-or-nothing technology. There's a
chicken and egg problem: people won't make good UI for it until it's widely
used, but people won't use it until it has a good UI. Persona provides an
implementation of BrowserID that has a decent UI, and the user experience will
only get better with time as more people use it. The chicken/egg problem is
solved there, but two-way SSL right now is practically unusable for anyone who
isn't very familiar with it (most people). Using an email address is _very_
familiar, though.

~~~
StavrosK
I've forgone traditional auth in favor of Persona because there are just too
many advantages. The user might already have an account, the flow is very good
if they don't, it takes literally three minutes to integrate django-browserid
(or whatever it's called now) versus skinning quite a few templates for all
the login and reset forms, it saves the user from having to remember yet
another password, etc etc.

I couldn't be happier with a signin solution. It even complements my legacy
solution very well, you can see a demo at <http://www.yourpane.com> (click
"Persona", never mind the email field.)

------
flashmob
Does Persona reveal your email address to the website that you log in to?

OpenID usually doesn't reveal your email address.

For example, when logging in to Google via OpenID, Google will only send back
a unique identifier that means 'yes, the user has a google account' but no
other personal information. Yahoo does the same.

(of course, it's possible to use OpenID extensions to get a user's email at
their discretion)

Does Persona work in the same way?

~~~
Flimm
Yes, Persona does reveal your email address to the website you log in to. This
is considered a feature, because:

1\. It prevents lock-in to Persona. (If you want to migrate away from Persona,
you can just send the users an email and introduce the new authentication
mechanism.)

2\. Most websites will need some way to contact the user, and will ask for
their email address anyway.

3\. Users understand the concept of email addresses as identifiers.

If you care about keeping your email address private, you can always use the
features your email provider offers such as forwarding email addresses.

------
vivab0rg
Just integrated it on a personal Padrino project. Beautifully simple user and
developer-side. Congratulations and thanks Mozilla!

