
What did Persona get right? Why did Persona fail to gain wide adoption? - cpeterso
https://wiki.mozilla.org/Identity/Persona_AAR
======
buro9
We use Persona at Microcosm, so you can see it in action on sites such as
[http://forum.espruino.com/](http://forum.espruino.com/) and
[http://forum.islington.cc/](http://forum.islington.cc/) , just click sign-in
and you're there.

For our use-case Persona is great. I've personally built the "web account"
solution several times for different clients and I did not want to build it
again. Persona is the lightest drop-in and easiest to implement solution you
can imagine, and it works extremely well.

We've had a couple of issues, but nothing of significance. Mostly these have
been us doing things unexpected, i.e. pre-loading user accounts obtained face-
to-face and the case of the user@ part of the email address differing from the
Persona provided email address.

I personally also wish that persona.js is added to CDNJS to increase the speed
by which it's served.

What we found through asking, was that people feel very protective of their
Google, Twitter, and Facebook accounts. They will sign in with them, but
there's a wariness of doing so as they do not want to be spammed, have things
posted on their behalf, etc. These fears mostly apply when people first arrive
on one of our sites. We wanted a lower friction to that initial sign-in, and
we feel that Persona gives us this.

We also found that on interest-based communities there is a reticence to
associate real-identity to the nerdiest of their interests. This meant that
not using Facebook and Google is a good thing in our scenario.

One of the things we like about Persona is the user experience. For our
product, simplicity and ease are core goals. Persona helps rather than hinders
on this front.

We _really_ like Persona and hope that it remains under active development for
a long-time.

We are not of the belief that it's failed, simply that it's a slow-burner and
needs some marketing support.

~~~
jspash
My first and only experience with Persona is oddly enough, to log into the
Islington CC forum (small world) and I found the whole experience oddly
disconcerting. Am I logged into Google or Microcosm? Do I have to stay logged
into my Google account? What does firefox have to do with my Gmail account?
What is Persona and what do they have to do with anything?

I had lots of questions and none were answered on the nice minimally designed
log in page. All of a sudden I'm sent to Google, but I don't want my work
account associated with ANYTHING outside of work. Ok, I'm smart, I can just
log out and no link will be created. I log in with my personal G account and
everything seems ok. But now I have to log out/in again to get back to work.

Why all this trouble? I have a password manager, and it can easily remember
another 30 character password. If it gets hacked, the damage is limited to a
forum that I occasionally visit. No biggie. But now, everything is linked to
everything else and who knows what is happening in the background that I
agreed to because I didn't read the small print.

Ok, I'm being a bit dramatic. But personally I don't like services to mixed.
That's all it comes down to.

One last thing, you mention that people didn't like associating real
identities etc, but the only way I could log in was by associating my real
identity from my Google account.

~~~
buro9
Disconcerting, that's not come up in any of the UX testing or feedback we've
received recently.

In our earliest version (last summer) we had pushed the "Sign In with Persona"
branding but later moved to just saying "Sign in". But that was caught in UX
testing and we did change that so that it was clearer (by saying less) that
you were signing in to the site you were on (Islington CC).

> the only way I could log in was by associating my real identity from my
> Google account

The great thing about Persona is you can use any email you wish to login to
something. You can choose to use an email address that is associated with real
identity, but just as easily you could've chosen not to.

The advantage Persona supplies is that even if you do choose to use an email
associated with real identity, Google (or the email provider, e.g. Facebook)
will only see a "Sign in to Persona" event, and will not have additional data
revealing that you had signed in to Islington CC (in this case).

Persona effectively acts as a behavioural data firewall that grants you sign-
in with email ability, but without leaking your behaviour activity back to the
email issuer.

If you have any feedback on how you think we can improve this from our side
(the forum software), just email me: david@microcosm.cc

I've yet to write FAQ support documentation, and I think you could help
provide a lot of the questions around sign-in for me to answer.

~~~
jspash
Thanks for the explanation. Maybe my experience was tainted by the myriad
times I've been asking to sign in to a service using Facebook, only to be met
with a form asking for my name, email and password. So what was all that FB
nonsense about then? So to be fair, the Persona procedure was painless in that
respect.

Something that would have been helpful would be a bit more information at the
first point of contact with Persona. Ok, so I've just gone to the site and
clicked the Sign in or Register link, and the pop-up (ugh) that appears
doesn't really explain anything. It asks me to sign in with my email. But you
don't have my email yet. What am I signing in to? Is this one of those FB
logins where you already know everything about me? And where is the
registration page I was promised? I was given a choice, but now one of those
choices is gone. There's a bit of a disconnect there.

Soldiering on, if I enter a gmail email then Google's presence makes itself
known. Why? Did I accidentally click a bookmark or something? Google wasn't
mentioned before. Did I fall victim to a xss attack? No way am I signing in to
this pop-up asking for the keys to the kingdom. I know I'm sounding a bit
thick here, but I'm 100% certain my mother would've bailed by now.

What is missing is some explanation as to why certain info is being asked for,
and will it be shared with anyone. I have the option to agree to T&Cs and a
Privacy Policy, but I still don't know why. Yes, I could click on the Learn
more link at the bottom of the page, but I don't feel I should have to. I just
want to register with the forum.

Anyhow, I'll put chicken little back in the pen because I think I'm being kind
of harsh. I applaud services such as Persona, but I've yet to use one that I
would compel me to integrate it into one of my websites. If I can think of any
more constructive criticisms I'll be sure to pass them along. Cheers!

~~~
StavrosK
How does something like the following sound?:

For this service, you can sign in with your email address. If you are using
one of the supported email providers, you will be redirected to them to finish
signup, otherwise you will be asked to create a Persona account. Your email
provider will not know which sites you are signing in to, and we won't know
your email password or other data.

~~~
barrkel
I just tried out the forum.islington.cc registration (without being logged in
to Google). The way it redirected me to a Google sign in when I gave a gmail
address made me think it was going to end up using OpenID at the back end,
something I have never used Google for.

Personally, if I _had_ to register for an account on a site that used Persona,
I'd create a special barrkel.persona@gmail.com address (or something similar)
to firewall it from my other gmail accounts.

------
patio11
In the spirit of helping out my fellow developers at Mozilla, who I respect a
lot, I would like to add one additional cause of failure, in the knowledge
that it is a bit bracing but is really important and should inform project
selection in the future:

Persona fails to solve a problem which either end-users or people who operate
websites for profit actually have.

~~~
Pacabel
This is just another symptom of what I think is a prolonged stagnation at
Mozilla. I suspect they've lost touch with the needs of their users a lot of
the time.

Firefox hasn't been in a good place lately. Most of the changes since Firefox
4 haven't been to the users' benefit. It's like these changes have been more
about imitating Chrome, regardless of whether or not this is good for
Firefox's users. Yet Chrome is still superior where it really matters, such as
performance and resource usage. If Firefox users are just going to get a
Chrome-like experience these days, but not as good as that offered by actual
Chrome, then they might as well just move to Chrome. And I think that's
exactly what we've seen, and why Firefox' usage numbers are dropping.

We see the same with Firefox Mobile. It really isn't superior to the
alternative browsers in any way. In many ways it's significantly inferior.
There's really nothing to pull users to it.

Thunderbird was perhaps their second most useful product, after Firefox. Yet
they've basically given up on it now. I know I've migrated to another email
client, and many others have chosen to do the same, too, now that Thunderbird
doesn't really improve over time. Even then, the changes we've seen lately
have been more harmful than good. The UI is less usable now than it was in
earlier release, for instance.

Firefox OS is another example. It really doesn't offer anything tangible over
Android, iOS, or the many other mobile OSes that already exist and already
widely available on many devices. In fact, it offers a very limited
development environment compared to the alternatives, which surely doesn't
help its case. The only reasons I've heard to use it are ideological, about
Mozilla somehow being "more open" or something of that sort. That's just not
enough to gain real traction, I'm afraid.

And Persona is yet another example. It just doesn't meet the needs of its
potential users.

Rust is perhaps the only interesting thing I've seen coming out of Mozilla
lately. But it has taken a long time to get to where it is, and I'm not sure
if it still has the momentum to have the impact that it might have had were a
stable version available a year or two ago. Go, and even C++11, can now
provide a lot of its benefits today, if not much earlier.

I think there's been a lot of wheel-spinning at Mozilla lately, in terms of
their offerings. Their successful products are being ignored or actively made
worse, while their new offerings don't actually benefit a wide audience, or
offer an insufficient amount of benefit.

I'm not going to pretend to know how to fix these problems, but focusing on
product that users actually want, and giving these users the functionality
they want, may be a good start.

~~~
pcwalton
> Go, and even C++11, can now provide a lot of its benefits today, if not much
> earlier.

The main benefits of Rust are (a) bare metal performance with zero overhead
with (b) memory safety, for security and developer happiness. Go lacks (a),
with its mandatory runtime, garbage collection, and ecosystem based around a
non-optimizing compiler, and C++ lacks (b), with its memory safety problems
that are real, pervasive, and cannot be fixed without breaking backwards
compatibility. What you said is only true if by "a lot of Rust's benefits" you
mean "basically none of its benefits".

It sounds like you are unhappy with some of the user interface decisions in
Firefox and are trying to use this story as a way to spin this out into some
sort of narrative of Mozilla's decline and stagnation.

~~~
Pacabel
I can use Go and C++ today without fear that code I write now won't be able to
compile next month, due to significant language and/or library changes. The
same cannot be said for Rust.

Since I can get perhaps 90% of the benefits of Rust today using other
languages that I can actually use seriously, I might as well just use them.
Had Rust been more stable in 2012, maybe it'd be a different situation today.

And you can read my original comment again, if the big picture isn't clear to
you. I hope it's obvious then that this is far more than just a few bad UI
decisions involving Firefox. That is an issue, of course, don't get me wrong,
but it clearly goes much beyond that.

Almost all of Mozilla's major projects, from Firefox, to Thunderbird, to
Firefox for Mobile, to Persona, to Firefox OS, and even Rust are suffering
from some pretty serious detachment from the needs of their users. This is
resulting in a decrease in adoption, like in the cases of Firefox and
Thunderbird, limited adoption in the case of Firefox for Mobile, or basically
no adoption in the cases of Firefox OS, Persona and Rust.

~~~
kibwen

      > Since I can get perhaps 90% of the benefits of Rust 
      > today using other languages
    

Incorrect, unless you're one of the rare few using Ada or Cyclone. Bare-metal
memory safety is fundamentally impossible in both Go and C++.

    
    
      > Had Rust been more stable in 2012, maybe it'd be a
      > different situation today.
    

Incorrect. I was there! And trust me when I say that 2012 Rust was very far
off the mark. Rust is a language that was designed to be released in 2014, not
2012 or 2006 or 2038.

    
    
      > Almost all of Mozilla's major projects, from 
      > Firefox, to Thunderbird, to Firefox for Mobile, to 
      > Persona, to Firefox OS, and even Rust are suffering 
      > from some pretty serious detachment from the needs 
      > of their users.
    

Citation needed. By any estimate, Firefox still has a fifth of all web
traffic, with 500 million users. Firefox for Android has between 50 and 100
million downloads and is the highest-rated browser on the Android app store.
Firefox OS continues to find new carriers and launch in new territories, which
is more than can be said for Tizen or Meego or Symbian or Ubuntu Touch. And
even though Rust hasn't even launched yet we're seeing month-over-month growth
in traffic on every outlet.

Your narrative really needs some rethinking!

------
clarkevans
I simply don't understand this blog entry. I guess it's their official project
resignation... OK. Even so, it seems misinformed about the adoption problems.
Persona, to me, seems a truly lovely solution to a difficult problem. It was
successful, just at the beginning of a hard adoption curve.

What's missing is fully functional, advertised implementations of the Service
Provider, that work with LDAP and ideally older Kerberos backends. What's
missing is the native, built-in interface. What's also missing is a SLA... big
players can't adopt it unless Mozilla says they are going to support it.
What's missing in Persona is a promise to have the code security audited and
get it passed federal agencies. What's missing is some grass-roots effort to
get it into universities.

What they list as failures aren’t exactly. So, there are some UI issues.. but
those aren’t the problem. The Persona service was meant as transitional, till
native implementations appeared. It's not going to adopt itself, they need a
"Sales Engineer" full time working on adoption. Hell, they could even _charge_
people for that sales engineer and many would pay for it. The alternative to
Persona is Shibboleth/Kerberos, and Persona kicks it.

~~~
Osmose
Note that this isn't a blog entry, it's a wiki page. We (Mozilla community)
often use the Mozilla wiki as a place to store long-term notes or information.

Barring vandalism (which this isn't), you can think of it as a public internal
wiki for Mozilla, that has pretty much everything we're allowed to make public
(Unlike HR stuff for employees, which goes on an internal wiki) that we want
to write down.

(This doesn't address your argument, just wanted to clarify that)

~~~
maxcan
So, to confirm, is it a post-mortem or not? I'm about to launch a fairly big
project using Persona and would love to know if its a bit to get shut down..

~~~
plierhead
Same!

So far, it seems to me that persona is an incredibly useful technology in our
space (Enterprise SAAS apps). Our space is populated by lots of apps that have
various shitty login systems, but one thing they pretty much all have in
common is an email address - and Persona seems to be a killer SSO system for
securely leveraging/livening up these existing databases of email addresses.

Unless I'm missing the point, I don't see much alternative either. Just
looking at the traffic from the Persona communit reinforces to me that I never
want to be building my own authentication system - even if persona were to die
as a project I would be better off cloning it than writing my own (or giving
in and using social login, which is pretty undesirable in the enterprise
world).

------
RaphiePS
I think they're spot-on with the idea that it needs to be integrated into
sites rather than appearing as a separately branded popup.

I tried it out on a site I was building a couple months ago. Every time I had
a non-"techie" user try it out, they got confused. What's this popup? What's
Persona? What am I signing up for exactly? It was just bad UX.

That said, I think there's a very real need for what they're offering. I don't
want to store passwords myself, even if they're hashed. I also don't want to
re-implement forgotten usernames, passwords, reset emails, etc. It's a bother,
I'd rather focus on my app rather than a solved problem like this, and to be
honest I don't quite trust myself enough to get it 100% right.

So, I think it would be the best of both worlds to offer auth as an API rather
than providing their own experience. As in, I could just call
Persona.login("username", "password", ...) and get back an assertion. I really
hope they go in this direction.

~~~
sirn
UX is one major problem with Persona. I built a small site that used Persona a
while back (without offering any other login choices) and most user can't
figure out _how to sign up_.

Facebook login as a separate brand works because user already knows and uses
Facebook. This is completely opposite in Persona case. User don't already have
Persona "account" and they don't understands why should they sign up for it.

IMO, Persona should aim to replace _classic login_ instead of social login,
e.g. by making Persona nearly invisible to the user.

~~~
yggdrasil
_Heartily_ second the idea of Persona being re-rolled as classic login
replacement, with emphasis on standardizing login best practices, such as
password strength, password format disclosure, input naming that plays nicely
with other password management systems, etc. The sheer amount of cruft and
non-standardization involved with basic site login actively discourages user
involvement. If Persona solved _that_ unobtrusively, they would be adopted and
evangelized all over the land.

~~~
mgreg
And I'll 'third' the suggestion. Would love to see a SSO option that didn't
bleed private info and wasn't linked to someone trying to make money from my
data.

------
drdaeman
Could we please consider not implementing something completely new, but fixing
TLS client certificate auth, finally making it _usable_? Every browser out
there supports this already, but UX is horrendous. All what was relatively
polished over the years was the presentation of server certificate when you
click on lock icon in location bar. The rest (selection of client certificate,
generation of a new one, viewing a backing up of installed ones) remains
needlessly scary to use by ordinary humans, so it can't be used except if we
know users are quite tech-savvy.

Instead of bringing a new technology with known downsides (like
[https://news.ycombinator.com/item?id=7219034](https://news.ycombinator.com/item?id=7219034))
we could give a second life to a known and provably working one. Doing so we
could promote security (HTTPS), anonymity (not giving email address by
default, unless one's provided with a signed certificate, chosen by user's
decision) and independence from any service providers (including email and
domain registrars) at the same time.

(Added after an hour) To illustrate my point:
[https://www.dropbox.com/s/fn4nuwszt5buuzd/tls_auth_ui.png](https://www.dropbox.com/s/fn4nuwszt5buuzd/tls_auth_ui.png)
(mad design skills and windows 8, sorry for both; wording is not changed but I
suppose it needs improvements, too)

------
inopinatus
I rejected Persona out of hand at the time[1] for the design gaffe of using
HTTPS at the root of a corporate website[2] (worse, via a _DNS apex A record_
[3]) as the identity-provider infrastructure discovery mechanism.

I haven't reviewed the protocol since maybe a year ago, but my view then was
that system administrators within enterprises could only adopt Persona as
identity providers if federated discovery was via records in the DNS, as the
lords of protocol design intended, preferably SRV records at that.

Not the only barrier to adoption, perhaps, but definitely one of them. No-one
substantial was likely going to use anything but the Fallback server, and
there is no commercial reason to choose that rather than social-media-SSO
where you'll enjoy the marketing bonus of reaching their outbound feed.

[1]
[https://news.ycombinator.com/item?id=5447097](https://news.ycombinator.com/item?id=5447097)

[2] a !! blunder because marketing won't let you in many organisations. also
because most sites won't even have a port 443 https listener, let alone a
valid certificate, on the apex A record. all this indicative of lack of real-
world experience by the designers.

[3] a !!!! blunder see e.g. [https://devcenter.heroku.com/articles/apex-
domains](https://devcenter.heroku.com/articles/apex-domains)

~~~
StavrosK
DNS is a good option, but you'd need DNSSEC, which not many people have.

~~~
inopinatus
Persona is already using DNS for resolution, just very badly.

I just went looking. There's a whole thread over here:
[https://github.com/mozilla/persona/issues/1523](https://github.com/mozilla/persona/issues/1523)
&
[https://groups.google.com/forum/#!msg/mozilla.dev.identity/d...](https://groups.google.com/forum/#!msg/mozilla.dev.identity/dP44TDzBnhI/3MijAKI1oR8J)
where the developers effectively shitcanned the idea of using SRV records
because they fear DNSSEC. Hilariously ignoring the huge elephant in the room
viz. that they were already relying on DNS to resolve endpoints.

The verification, the trust, comes from TLS with a valid cert, and that
doesn't change, however you located the https listener in the first place.

Even better, though, if you did use DNSSEC you can validate a self-signed cert
via DANE/TLSA rather than having to buy one from CrappyCA. And that would make
the ISPs _very_ happy.

~~~
StavrosK
As I explained in issue 1523, the above is misunderstanding Persona and
conflating various issues, and is wrong. Pretty much the only way Persona uses
DNS is to perform an A lookup to get the user's domain, which could be SRV (or
have an SRV fallback instead).

The issues above talk about delegation, which is a whole other matter.

~~~
inopinatus
No, that is exactly what I'm saying. It should be an SRV lookup to find the
support document. This solves a lot of problems. No misunderstanding here. You
may actually be in total agreement with me.

~~~
StavrosK
I am in agreement with you, but the misunderstanding is about DNSSEC, etc. The
only reason SRV records are not used for that is probably that nobody
suggested it (it's a good idea, you should probably open an issue).

------
muyuu
Lack of promotion. Most people don't know what is it. Possibly this will
improve over time.

Also, why are you guys talking about Persona in past tense? sounds like you're
dropping the project.

~~~
StavrosK
I agree with the first part, and was also puzzled by the second part. Are you
guys dropping it? I don't think there was enough of an effort made to consider
it a failure, creating a new login system for the web won't take three months.

------
Aissen
Another point. Not everything is web-based (I know it might be hard to believe
at Mozilla), and the fact that you have to use javascript to access the API is
also a limiting factor.

~~~
sehr
This is a service _specifically_ for web based applications.

Most, if not all users have JavaScript enabled. The ones savvy enough to turn
it off, will also be able to turn it back on.

~~~
jamesgeck0
When I first looked at Persona/BrowserID eons ago, there were non-web ways to
use it. I remember some examples given that worked in a terminal or with an
embedded device.

------
onli
I really like Persona. I use it (with the browserid gem for sinatra) for a
couple of my side projects, as the only login option. It works great when it
works and developing without having to bother about password management is
great, though I first had to get my head around how that concepts works,
serverside, that I have to remember an email address of a user in the database
to assign him special rights (example: admin of a blog). What I didn't like,
though granted, some of that is not very universal:

1\. I made a small user test with it, and all user failed to complete the
login, iff the email was new to persona. Because then, the new account has to
be activated by email, and the link in that email lead to the persona account
management. All users were confused by that and asked for confimation what to
do, when confronted with the email confirmation message, and all of them got
stuck in the new tab with that account management and were unable to return to
the registration page on its own.

I understand that it is possible to change that link, though I didn't find
that parameter at that time and marked it as an issue to fix later (A quick
search just now showed nothing). And it might be a gem thing. Still, bothered
me.

2\. I would have loved a demo mode that works offline (maybe that exists?).
Had spotty internet for a while and it was very bothersome to test the persona
part of the project, as the registration/login worked only every 10th time, if
at all. That was so cumbersome that I stopped working on it till I got a
better connection. Which also means that a user with a bad connection won't
have fun with persona, not resilient enough.

3\. I don't like that the name was used for another FF-Project before (FF-
designs, if I'm not mistaken) - if that confused me at first, it might confuse
users. Have no better alternative though (maybe I would just brand it _Email
Login_ ).

4\. The browserid-gem for sinatra doesn't work with ruby > 1.9.3, and the
maintainer does not fix the issue even though there is a working patch in a
pull request. So instead of just having to specify the gem in my gemfile, I
have to provide the link to the alternate github implementation. I hate that,
that does not feel safe. I tried to look up how a gem might be replaced with
another one and found nothing about how that (or the gem infrastructre in
general, note that this was while having no really usable internet connection)
work.

------
talex5
The page is more positive than the title. It recommends:

* Persona should be pared down to its core: a decentralized email verification and login API for the web. No more session management, no attribute exchange. * Persona should be built natively into Firefox, Fennec and Firefox OS to make the JavaScript shim unnecessary on these platforms. The base functionality should be cross-browser, but the experience should be optimized for the native platforms. * Sites should control most of the user flow and Persona should be almost invisible to users. * Sites should be able to offer these benefits to their users with a native UA implementation: better UX, reduced login friction and phishing protection.

All of which sound great!

BTW, has Persona reached 1.0 yet? Last I was aware, it was still in beta,
which might partly explain the lack of adoption.

------
cryptolect
It failed to get wider adoption because the average consumer doesn't see the
problem they solve as a problem. There's a far small potential userbase who
recognize the privacy benefits of the Persona system.

~~~
return0
I don't think privacy is the main problem they solve, but the user's need to
skip the tedious signups all the time.

~~~
nzp
Which they can already do with accounts they most likely already have:
Facebook, Google, Twitter, LinkedIN any OpenID provider... So the only
potential benefit of Persona is the privacy, and if a user doesn't care about
that then it's just another account you have to worry about (i.e. the very
problem it tries to solve). As it stands, Persona's problem is that it just
reinvents the wheel with slightly different spokes when people already have
wheels that they consider good enough.

------
enewc
What did it get right? It can be useful and it's backed by a solid brand.

Why did Persona fail to gain wide adoption? For the most obvious reason:
because nobody cares. People don't want to use something new unless there's a
pressing reason. Trivial conveniences don't cut it.

------
blueskin_
Because it's Yet Another Pointless Single Signon.

I don't see the point compared to having separate logins so if one is
compromised, others aren't. Even past that, that space is already hugely
cluttered with OpenID, OAuth, Facebook, Gmail, Twitter...

Persona is a solution in search of a problem.

~~~
petercooper
I hope I'm wrong but Firefox OS feels similarly to me so far.

~~~
blueskin_
Firefox OS seems like a joke, and I'm sure it only being on low-end Chinese
phones reinforces that.

------
rpwverheij
"We made Persona a user-visible brand but that competed with a site's own
brand."

This would indeed have been the main reason for me not to use it. I have not
been in a position to implement login functionalities recently, but when I do,
I will still strongly consider Persona, and even more so if the Persona brand
can become almost invisible as it says in the post.

------
aragot
I have hard times explaining the added value of Persona over OpenID. It's just
the privacy and even tech people don't see that as a point.

So I searched on Google, and this probably didn't help Mozilla:
[http://security.stackexchange.com/questions/5323/what-are-
th...](http://security.stackexchange.com/questions/5323/what-are-the-
downsides-of-browserid-persona-compared-to-openid-oauth-facebook)

------
return0
I was put off by the name. BrowserId was an OK name, but FirefoxId would be
better, to leverage the good name of firefox in the user's mind.

~~~
ChrisAntaki
Definitely. Persona sounds too Personal.

~~~
tommorris
It's also confusing branding because Mozilla used to refer to browser branding
as "personas".

------
TeMPOraL
How about

* we didn't give some people a way to join?

I don't know whether it is my Internet disability manifesting, or some kind of
weird region limiting or sth., but in last 6 months I tried to create a
"Persona account" several times, followed the instructions precisely, and
always ended up with a nonexistent "register"/"create account" button.

Was Persona account creation disabled at some point in time? Why wasn't it
clearly stated anywhere on the page? Or am I _that stupid_ and can't see a
register button?

~~~
Osmose
This highlights another one of the problems, which was explaining what Persona
was to people.

See, there's _technically_ no such thing as a "Persona account". Persona is a
system that lets you log in with an account that works with the system.
Someone who provides an account that supports Persona logins is called an
Identity Provider, or IdP.

However, most places don't work with the system when it first comes out, so
Mozilla provided a "Fallback IdP" that just did straight up email
verification. Getting your account from the Fallback IdP is what you probably
wanted to do, and AFAIK the only way to do that was to essentially attempt to
login with an email that didn't have an account with the Fallback IdP, which
would trigger the verification step for you to create an account.

This is a bad mixture of a) A confusing concept that's really hard to explain,
and b) Bad UX around the fallback IdP and getting an account with it,
especially if you don't assume clicking "Sign Up" will work for you.

It's complicated by the fact that, if one of your goals is to get other login
systems (like Facebook or Google) to support Persona as an IdP, you don't
necessarily want to push people towards creating accounts with the fallback.

It's hard to get all these things right, and I agree that Persona needs some
more work to find a good solution to the problem of creating accounts that
work with Persona.

~~~
mgreg
You hit the nail on the head here. I'd add that if part of persona's success
is tied to getting email providers to adopt it by becoming an IdP then it's
likely a flawed model. Why would google support/promote something that
competes with Google+ sign up bit offers a poorer ux and robs th of the data
they crave?

------
usrusr
Users are very much accustomed to accepting the security and privacy
implications of conventional web logins. Persona promises to improve on that
by introducing itself as a third party. However, users with a trace of
security awareness will be skeptical of promises like that and will
subconsciously do a simple equation in their heads: if everything else fails
(the promised improvements), then more involved parties imply less
privacy/security. Getting beyond that point requires at least a level of
understanding that allows for a rough estimation on a scale between "totally
bogus" and "this might actually work if done right".

------
maho
I never even knew what it was, because I confused Mozilla Persona (some
authentication thing) with Firefox Personas (themes for Firefox - note the s).

------
jeena
I'm not sure why I don't see other people complaining about this but I myself
tried to be my own Browser ID provider and after trying to install it for a
couple of days I failed. Now I still have to use it with Persona which is just
another centralized login system.

------
belorn
When Persona was released, they split the FOSS crowd between OpenID and
Persona adoption. Having two similar tools that solve the same problems
(regardless of which one is better) did nothing beyond create two incompatible
camps, each advocating for one while discouraging adoption of the other. I see
it as a rather large blind spot of Mozilla to not recognize this.

As an administrator, I would also like to complain about this behavior from a
practical viewpoint. Spending first mindshare and time implementing OpenID to
solve a real problem, Persona came like an unwanted alternative to a solved
issue. Had they joined like an upgrade (i.e. backward compatible with OpenID),
my reaction would to be an advocate rather than skeptic.

~~~
StavrosK
When Persona was released, OpenID is already dead. I implemented OpenID on a
few sites (I was an early proponent) and had nothing but trouble. Nobody could
remember their OpenID URL, whereas everyone knows their email address.

------
hippich
Tried to register on forums posted here as an example of Persona integration.
Have gmail email, so no password authentication (OAuth or OpenID instead.) Did
not work due third-party cookies blocked in my browser. Sorry, this is not
going to work for me.

------
abofh
"Users and developers trust Mozilla and want us to fix identity on the web."

Maybe it's just me, but I trust iceweasel, a firefox derived browser that
originates from Mozilla, but their continued increased interest in
accumulation of browser and user data (albeit more anonymized than google et
al), does not lead me to trust them.

I accept persona is designed to protect against id-provider leakage, but when
my id provider also has hooks to my browsers anonymous statistics and crash
logs - I don't accept it's really private or trusted. (Same reason I don't
login to chrome either...)

~~~
socksy
Your viewpoint is almost certainly in the minority here.

------
kmfrk
I don't find Persona compelling, but I do think they offer an interesting
value proposition for people - and framework developers - who have to
implement their own user authentication.

Even Django - which is about as close to the proverbial bicycle with training
wheels as you can get - can be a pain, especially after django-registration
was abandoned. The Django documentation was never really good either, to make
matters worse.

It also makes writing guides that much simpler, so although Persona doesn't
hold much sway in a vaccum, it's great to have as a pragmatic option.

------
neil_s
what would make Persona a killer solution for me is if it could hand out
disposable email addresses to every site I sign into, that forward
transparently to my main address (a la Gishpuppy). This way, I can identify
which site is the cause of me suddenly receiving a bunch of spam (whether
they're doing it themselves or their email database was hacked). Then its a
simple question of disabling that disposable address from forwarding to my
private one, and notifying the site that their database might be exposed.

------
Oculus
Wait, is this a postmortem as in Persona is being discontinued?

~~~
quadrangle
It sure reads like that. What the heck‽ It is a good system and just needs
continued work and support. This is a very poor way to announce a
discontinuation or a very poor writing style for a reflection on an ongoing
project.

------
Siecje
So I want to use Persona. So I go to
[https://login.persona.org/](https://login.persona.org/) and there is no "Sign
Up" just "Sign In". So I enter my email which is through GMail and it is
asking me to choose one of my Google Accounts.

1: I want Persona not permission to use my Google Account with another
service. 2: I entered an email why would I want to use a Google Account with a
different email?

~~~
jamesgeck0
1\. It's decentralized; email providers provide the authentication. Google
doesn't directly support Persona right now, so Mozilla is supporting them via
an Identity Bridge that hooks into Google's OAuth functionality. Google
doesn't see what site you're signing into, just that you logged into a thing
using Persona. Before Identity Bridges, you had to click a verification link
in an email; this is a lot better.

2\. I don't think Google exposes a way to use OAuth and skip past the list of
accounts.

------
brianbreslin
As a FORMER firefox developer (add-ons), I think my reasons for persona not
taking off are as follows:

1\. value proposition for developers was never clear

2\. many saw it as a firefox only thing

3\. chrome usage is overtaking firefox

4\. I felt burned by developing for firefox in the past, why was I going to do
it again (this is me personally, and is likely my #1 reason)

5\. Never saw how it simplified my users lives.

6\. I saw it as another waste of time like openID ended up being (and I loved
the idea of openID, but so few people ever used it).

/rant

------
TazeTSchnitzel
The session management Persona does is a pain. It's great for single-page apps
and awful for traditional web apps.

~~~
jessaustin
It does seem inelegant that I can't seem to avoid having _two_ sessions:
Persona's and whatever I have for my site. I'm not sure how the two ought to
be combined, or even if the Persona session is necessary. I guess maybe
Persona can just confirm the email association whenever the site requires it
and just stay out of the loop otherwise.

------
paulftw
It is really great that they have guts to admit the failure. Though this
confession is a bit overdue, I hope they've learned the lesson and some day
will come back with a better solution. No doubt that the problem is really
worth solving.

------
dcc1
I use it on several sites, and it works quite fine, The problem is with users
they are so used to registering with "omgonies/1234568" into sites that
federated login is weird to them

~~~
anonymfus
The right way to solve problem of disposable logins on your site is to support
anonymous access for everything that registered users can do.

------
alanh
Is Persona dead? Why does the post say “did fail” instead of “has failed (so
far)”? The latter would imply that ongoing efforts will be made.

------
novaleaf
make it work with oauth, then at least i can support it without redoing my
entire session system.

------
woah
I really hope it works out. So easy

------
zobzu
for the record the main reason for adoptions issues around me seem to be: i
got a fb/googke/twitter account that let me login too. i aint making a new
account/pass. privacy? i care but not enough for that

------
chris-at
Does Persona support native iOS/Android apps? And if not, why?

------
Osiris
A classic case of less is more (or better).

~~~
gcb0
not really. the biggest problem was no adoption from larger sites, while most
of them offer facebook login...

quote: We looked at Facebook Connect as our main competitor, but we can't
offer the same incentives (access to user data).

~~~
patio11
That quote is _alarming_ to me, because it fundamentally misunderstands why
companies choose to use Facebook Connect. Absolutely no B2C company in the
Valley has ever decided to use Connect because it lets you slurp in
demographic information. They do it because of a) a mostly mistaken belief
that it increases conversion rate to a signup and b) a mostly accurate belief
that after you get someone to Connect you're going to be much, much more
successful at getting your content on their wall as a viral distribution
mechanism.

~~~
gcb0
your second point is almost the same as the quote but worded differently.
access to user data and/or easier access to their fb wall...

------
crystaln
Sounds like persona should have just been a trusted oauth2 provider.

------
aaronsnoswell
What was Persona?

~~~
Sprint
Firefox themes I think.

~~~
Aissen
Nice one. Not sure if trolling, but for the record:

\- BrowserID has been renamed to Persona

\- Personas have been renamed to Firefox themes

Yup.

