

Use two-factor authentication for Persona with your own domain - StavrosK
http://www.stavros.io/posts/use-two-factor-authentication-mozilla-persona-your/

======
drdaeman
One of the reasons I dislike Persona and believe it's a step in the wrong
direction is that, after so many problems we had with various
authentication/identity systems, it makes you lease your own identity from some
third party you're forced to trust.

Some say that I can set up my own Persona server, but my problem is that I
think one can't really own a domain, only temporarily lease it from a
registrar, so it's still the same. In contrast, one can possess a keypair
without the necessity of any third parties (and third parties still may
confirm the identity).

~~~
StavrosK
How is that any different from the current system, where your email address is
your identity, and Gmail probably owns it?

~~~
atmosx
That's not what he's saying, actually: all current easy-to-use systems
(from Gmail to disqus) are based somehow on third parties. Your solution is
the same, so the privacy breach (theoretically) is there. The good is that I
don't have to type passwords and you probably should promote this persona
feature a little bit more than the privacy thing, which presumes that _we
trust a third party_ while most of us do not.

Good luck anyway, I might try to set up your persona for my website if persona
takes off.

~~~
StavrosK
Sure, that's what I'm saying too, though. Persona isn't a step backwards,
because, at worst, it's equal (and a bit better, privacy-wise) than what we
have now. Otherwise, you can set up your own provider and not need to trust
anyone else (except the domain provider, I guess, sure).

------
johnpmayer
This looks really cool, but I'd prefer a personal tier option that I can host
myself - this is auth after all.

~~~
StavrosK
Indeed, I am thinking of open-sourcing the project so people can host it
themselves if they like, while maybe retaining some extra functionality in the
hosted version. It does mean that the benefit of easy installation will be
negated for self-hosted installations, though.

~~~
mcherm
> It does mean that the benefit of easy installation will be negated for
> self-hosted installations, though.

...and that's OK. You can offer self-hosted for the paranoid (or those who are
not paranoid but merely reasonable and wish to engage in straightforward and
legal activity like communicating with government whistleblowers), and offer
the hosted version for those who value the ease of use. As a consumer, the
fact that you offer both would increase my confidence in the hosted version.

~~~
StavrosK
Yep, that's the rationale behind the open-sourced version. I'd like to see
some adoption before going to the trouble of open-sourcing it, though.

------
StavrosK
drivebyacct2, your comment is dead, although interesting. I will change the
site to mention privacy implications, but what this service can learn about
your logins is basically "you asked to be logged in to an unknown site at some
known date". Persona itself is designed so that your identity provider doesn't
know very much about where you log in.

~~~
StavrosK
Replying to drivebyacct2, nope, the protocol doesn't expose where you log in
(that was one of their explicit goals). It's also one of the reasons I like
Persona so much and decided to make this.

I'm very glad you like it, I am always looking for feedback and would love to
see Persona/Persowna gain more users. Please don't hesitate to email me about
anything (email is in profile).

~~~
Amadou
_the protocol doesn't expose where you log in_

To be fair, in practicality it does expose where you log in because that
website has to communicate with the persona server. The website could use a
proxy or something to try to obfuscate which website it is doing an
authentication for, but if there is any significant volume it would surely
leak out unless they did it through Tor (and were not the only site doing
persona authentication through Tor either).

What the persona protocol explicitly does not leak is each login event,
checking in with the persona server only happens once during account setup.

~~~
azernik
The website grabs a single certificate from the persona server the first time
it sees a particular e-mail hosting domain; all this reveals is that _someone_
in that domain (no specifics as to who) tried to log in at the beginning of
the lifetime of that certificate in the cache. Until the cache expires, an
arbitrary number of users can log in to the site without any communication
touching the persona server. It doesn't reveal who logged in, when in the
cache lifetime they logged in, or even how many people logged in.

~~~
Amadou
At most that certificate is good for 24 hours. The user has to get his
assertion signed by the identity provider too, and it is possible to get them
pre-signed up to that same 24 hours. So the window of users is narrowed to the
list of sites that queried the identity provider and the users who had an
assertion signed within those 24 hours. Which is weakly anonymous for
high-volume sites and no protection at all for low-volume cases.

However, the kicker is the protocol doesn't protect against the identity
provider setting the expiration to something like 5 minutes, effectively
unmasking the client and the website by requiring them both to talk to
the identity provider within that 5 minute window.
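The argument in the last two comments, as an added model that is not part of the thread and not Persona's or Persowna's code: the identity provider only sees when each site fetched its certificate and when each user had an assertion signed, so for a login at a given moment it can only narrow the "who logged in where" question to the users and sites active within one cache lifetime. The event data, the site and user names, and the two lifetimes compared (24 hours as stated above, 5 minutes as the hostile case) are constructed assumptions.

```python
HOUR = 3600

# Constructed sample of what the identity provider itself can observe:
# (time in seconds, name). Sites fetch a certificate once per cache lifetime;
# users get an assertion signed within that same lifetime.
SITE_FETCHES = [(0 * HOUR, "site-a"), (2 * HOUR, "site-b"),
                (5 * HOUR, "site-c"), (10 * HOUR - 200, "site-d")]
USER_SIGNINGS = [(1 * HOUR, "alice"), (3 * HOUR, "bob"), (6 * HOUR, "carol"),
                 (10 * HOUR - 400, "erin"), (10 * HOUR - 120, "dave")]


def candidates(login_time, ttl, site_fetches=SITE_FETCHES,
               user_signings=USER_SIGNINGS):
    """Sites whose cached certificate is still valid at login_time and users
    whose signed assertion is still valid then: the IdP cannot tell which
    (site, user) pair the login at login_time actually belongs to."""
    lo = login_time - ttl
    sites = sorted({s for t, s in site_fetches if lo <= t <= login_time})
    users = sorted({u for t, u in user_signings if lo <= t <= login_time})
    return sites, users


def anonymity(login_time, ttl):
    """Size of the set of indistinguishable (site, user) pairs. A value of 1
    means the login is fully unmasked to the identity provider."""
    sites, users = candidates(login_time, ttl)
    return len(sites) * len(users)


if __name__ == "__main__":
    login = 10 * HOUR
    for label, ttl in (("24h lifetime", 24 * HOUR), ("5min lifetime", 5 * 60)):
        sites, users = candidates(login, ttl)
        print(f"{label}: sites={sites} users={users} pairs={anonymity(login, ttl)}")
```

Lengthening the cache lifetime (or refusing identity providers that issue very short-lived certificates) is the mitigation the model points at: it enlarges both sets at once.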

------
mfincham
I am not sure I understand a hosted "authentication protocol implementation as
a service" product.

When's the code being released, and what's it written in? :)

~~~
StavrosK
There are no specific plans, currently. It's Python and Django, though.

