
Why we love Mozilla Persona - 500and4
http://blog.zonino.co.uk/why-we-love-mozilla-persona-and-why-you-should-too/
======
yeukhon
_Persona vouches for you when you sign in. Really neat, no more password
leaking._

The important thing here is that as Persona protocol (BrowserID)'s creator,
Mozilla really really wants someone else (potentially _YOU_ the user) to run
the Identity Bridge. Currently Mozilla does this for non-Gmail and non-Yahoo
users too, to boost adoption. So when you sign up you are asked to give a new
password on sign up. If you are paranoid, you should of course give a new
password instead of the one you use for your email (which I assume may be
reused for multiple accounts...)

But being able to authenticate yourself on your own is what makes Persona
useful.

_edit_: at Real World Crypto, this was given as a talk. This is Google's
possible direction.

[http://www.ietf.org/proceedings/81/slides/tls-1.pdf](http://www.ietf.org/proceedings/81/slides/tls-1.pdf)

------
ericathegreat
Biggest problem I have with Persona is one of its main selling points; if you
log in to one place you're logged into all the places. That may sound great,
but it really isn't. It means that you can log out of a site because you don't
want people sharing your machine to have access to it. You then log into a
different, lower-security site. Instantly that first site is accessible again.

I wrote a whole thing on Persona a while back
([http://lepidllama.net/blog/trying-out-mozilla-persona-browse...](http://lepidllama.net/blog/trying-out-mozilla-persona-browserid/))
but that ended up being the killer for me. It might be fine for activities
like posting comments on a blog, but any site which stores or presents some
aspect of who I am to the world needs to be a bit more secure than that!

------
sergiotapia
I love Persona! I created a demo MVC3 application using Persona for
authentication and it's fantastic from a developer's perspective.

[https://github.com/sergiotapia/ASP.Net-MVC3-Persona-Demo](https://github.com/sergiotapia/ASP.Net-MVC3-Persona-Demo)

Authentication is simple to implement and you don't worry about user password
protection.

I'm surprised interest has died down for the project given how easy it is to
use. Maybe Mozilla should market it more?

------
Xeoncross
How many people here know BrowserID/Mozilla Persona was based on the
[http://swiftlogin.com](http://swiftlogin.com) project?
[http://www.youtube.com/watch?v=dGQYHOzLMUk](http://www.youtube.com/watch?v=dGQYHOzLMUk)

------
ultimatedelman
We use it at Mighty Spring
([http://www.mightyspring.com](http://www.mightyspring.com)) and it's pretty
good! The documentation around backend setup is a bit confusing and doesn't
cover some corner cases (like testing on dev servers) but with enough hacking
you can get it to work. The front end plugin I went with
([https://github.com/altryne/browserID-jQuery](https://github.com/altryne/browserID-jQuery))
needed a bit of tweaking (to both the code and docs, which was submitted to
them), but other than that, relatively easy setup.

Our site is uniquely targeted at developers, so I felt that using Persona as a
login option was only natural.

------
cantfindmypass
Last time I looked into persona, it was essentially unusable for my usage -
there's no reasonable way to use a different email address to sign up for
every site. I like to know who leaked my email address when I start getting
spammed.

Edit: looks like they _may_ have fixed it:
[http://support.mozilla.org/en-US/kb/how-do-i-manage-my-perso...](http://support.mozilla.org/en-US/kb/how-do-i-manage-my-persona-account#w_how-do-i-add-another-email-address-to-my-persona-account)

Though I'm not sure if it remains usable with hundreds of email addresses.

~~~
StavrosK
That's one of the things I needed too, so I built this (sorry for posting it
so much here): [https://www.persowna.net/](https://www.persowna.net/)

You can add your domain as a catch-all, so you can authenticate with
anything@your-domain.com and it will use a single account to authenticate.
Services will still see your custom email address, but you only need one
password.

------
eklavya
If there is one company I can trust my data with, it's Mozilla.

~~~
JoshTriplett
It's funny that the few entities we'd be more inclined to trust are the ones
that go out of their way to make sure we don't _have_ to trust them: Firefox
Sync does client-side encryption so you don't have to trust the server,
Persona does authentication via an identity provider so you don't have to
trust persona.org...

~~~
eklavya
I didn't mean persona when I said trusting with my data. I am just saying if
ever I could trust a company with my data, it would be Mozilla (shows how much
I trust them).

------
drblast
If you're like me and this is the first time you're hearing about this, and
want to know more about the implementation, check the bottom of this page:

[https://developer.mozilla.org/en-US/Persona?redirectlocale=e...](https://developer.mozilla.org/en-US/Persona?redirectlocale=en-US&redirectslug=Persona)

Edit: I've checked out the login process in the linked site, and it works
well, but the popup window UI seems like it's ripe for phishing attempts. It
would be very easy to replicate the look of that window and fool people into
thinking they're using Persona when they're not.

------
sliverstorm
I guess this is just a sign that I am getting crotchety, but headlines like
this just anger me:

_Why we love/like X, and why you should, too_

My immediate reaction is always something along the lines of, don't presume to
tell me why I should like anything. Tell me why _you_ like it, and be done
with it.

~~~
eruditely
Your anger is misplaced. They did do exactly that.

------
louthy
I use it for [http://www.4four.org](http://www.4four.org) and really like it.

The one small complaint I would have is that it would be great if (after
initial setup) the login process was a bit faster. It should be quicker than
the old-school username and password IMHO, but with the animations and latency
on authentication it all seems to feel a bit sluggish. Especially as the
cookie for it expires frequently - which is a bit shit for users of a forum
where you're normally signed in until you decide otherwise.

This is still in my minor complaint box because I suspect there are tweaks I
could do which I haven't had time to explore yet.

~~~
StavrosK
The site cookie doesn't have much to do with the Persona bridge cookie. For
example, for my sites, I expire users after a month, so they don't have to log
in more frequently than that.

Persona never comes into it, unless they manually log out.

------
amalag
The FIDO alliance is the other major industry standard that is being started.
[http://www.fidoalliance.org/](http://www.fidoalliance.org/)

------
hmans
Persona is _awesome_. I use it on all my sites.

But it's also proof that being awesome not only is not good enough to be
successful, but simply doesn't matter. The user is not interested in a
solution that is awesome, but one that doesn't scare him. And a big ugly
third-party popup is as scary as stuff on the web gets these days.

Remember Ogg Vorbis?

~~~
pja
Vorbis ended up being very successful in some niches - audio for games springs
to mind.

Persona might find its own niche, even if it never completely displaces
Facebook user authentication on the web.

~~~
justincormack
And Spotify uses it too - it just is not very visible
[https://support.spotify.com/uk/learn-more/faq/#!/article/Wha...](https://support.spotify.com/uk/learn-more/faq/#!/article/What-bitrate-does-Spotify-use-for-streaming)

------
the_mitsuhiko
One of my biggest problems with Persona (and why I stopped using it almost
exclusively) is that the popup dialog is badly designed. For instance it has
email and password as two consecutive fields which confuses my password
manager greatly with different accounts. Secondly, it does not work at all for
me on mobile devices.

------
lifeisstillgood
The UK government is about to launch an Identity assurance scheme where
different providers (Post Office etc) check your driver's license then give
you an account which is then OAuth'able.

In short: Facebook logins but with actual real names that governments can
trust.

Just saying that this might be the start of what usually happens to private
companies colonising what turns out to be a public good.

------
jdlshore
I've been using Persona as my sole login mechanism on
[http://letscodejavascript.com](http://letscodejavascript.com) for over a
year. I _want_ to love it, but I don't.

The goals behind Persona are excellent: strong privacy protection and
relieving website operators of cumbersome and error-prone authentication
management. I love the idea. It's why I implemented Persona on my site.

The execution of Persona has been a bit wobbly. Logins are critical
infrastructure and it doesn't feel like Mozilla is approaching Persona from
that perspective. The team has been _fantastic_ (thanks, callahad) but when
things go wrong, it can take a long time for them to get resolved. Meanwhile,
I'm left scrambling for a workaround.

An example: when the Yahoo bridge was implemented, it broke Persona for
everyone who used a Yahoo alias [1]. A nasty break that returned a non-helpful
error message. Something that serious merits an immediate rollback, in my
opinion--but instead, it was left in place for several weeks until an interim
solution was rolled out. The interim solution has some fairly serious UX
problems, but the full solution has been open for 10 months now [2].

I want to love Persona, and I can't really afford the time required to do my
own authentication, but it scares me that I'm so dependent on it.

[1] [https://github.com/mozilla/persona-yahoo-bridge/issues/178](https://github.com/mozilla/persona-yahoo-bridge/issues/178)

[2] [https://github.com/mozilla/persona-yahoo-bridge/issues/201](https://github.com/mozilla/persona-yahoo-bridge/issues/201)

~~~
jt2190

> ...I can't really afford the time required to do my own
> authentication...

Just curious: What does your perfect solution look like?

~~~
jdlshore
Perfect solution? It works like it was custom-built for my site, is as easy
and predictable to implement as Persona's `get()` API, and of course has
excellent security, privacy, and operations.

I would have been willing to pay for such a thing had it existed when I
started. It would have needed to be proven, though, because I worry about
longevity. The exact price isn't so important, within reason; say, less than
$100/mo. At the higher end of that range, I'd expect it to have some serious
word-of-mouth gushing.

------
latchkey
Here is one of the reasons why I personally believe in and feel we really need
persona:
[https://news.ycombinator.com/item?id=7133965](https://news.ycombinator.com/item?id=7133965)

------
pdfcollect
We used Persona for [http://bit.ly/blibonline](http://bit.ly/blibonline) -
and one of the problems we faced was that we would have liked the registration
process to let our users tell us the name / icon (avatar), which was missing
in Persona then. Any news on the timeline for these additions to Persona?
(OpenID gives those two elements from registration/usage)

~~~
StavrosK
I think the preferred way to implement this is with an interstitial after the
login, and then they can be changed from the settings page, as usual.

------
workhere-io
Shameless plug: I've made some code examples of how to integrate Persona with
your site:
[https://github.com/workhere-io/personaexamples](https://github.com/workhere-io/personaexamples).
The examples are for Python (Flask) and PHP.

------
krmbzds
I use Persona and I wish more websites supported it.

------
talex5
I really like the idea of Persona, and it's very easy to integrate with your
own site. However, it's still a bit unreliable. For example, clicking on the
zonino login button just opened a mostly-blank page for me (white on the left,
light grey on the right, with a pointy arrow in the middle; a bar at the
bottom says "Mozilla Person..."), but no way to log in.

If I do "F10 -> View -> Page Style -> No Style" I see various boxes, but it's
not obvious how to proceed. I entered my email into the top-most box and tried
clicking the "next", "sign in" and "OK" buttons, but none of them responded
(there's also "continue", but that's greyed out). I think I had the same
problem when I tried it last year.

Probably just some browser plugin issue, but would be nice if it were easier
to debug... Works in Chromium though.

~~~
vertex-four
Do you use NoScript? Persona is heavily Javascript-reliant.

~~~
talex5
OK, I finally figured this out. The persona tab is replacing the web-page. So,
to log in:

1. open _two_ copies of the page

2. click the "Sign In" button on both

3. a working Persona sign in appears in the first tab

------
scrozier
"We're sorry, but your browser is not currently supported." --Persona, from
Safari on iPad, iOS 7.

~~~
cheshire137
...What? That's just bizarre. I tried the Persona signup form just now on a
site and I had to enter my email address, pick a Google account, and it was
done. Pretty much like any other OAuth signup, so I don't see why Safari in
iOS wouldn't be supported.

~~~
scrozier
I had private mode enabled. Works with private mode disabled.

------
crayola
Persona is an elegant, powerful idea that is 100% in the user's interest. I
dearly want to see it gain traction. Kudos for disseminating your enthusiasm.

~~~
dochtman
Here's a crazy simple way to implement Persona authentication for your Apache-
deployed apps/sites:

[https://github.com/mozilla/mod_authnz_persona](https://github.com/mozilla/mod_authnz_persona)

(I know Apache may not be that popular with the HN crowd anymore, but I don't
currently have the time to dive into nginx and do the same for it.
Nevertheless, if anyone wants to do that, I'd be happy to answer questions and
provide pointers into the Apache code.)

~~~
StavrosK
Oh wow, that's fantastic! I would love an nginx module that did this, although
wishes don't go far.

~~~
mixedbit
You may try
[https://github.com/wrr/wwwhisper](https://github.com/wrr/wwwhisper), although
unlike the apache module, wwwhisper runs as a separate service (Django) that
nginx communicates with using the auth_request module.

~~~
StavrosK
Looks nice, thank you!

------
KaoruAoiShiho
I don't get why persona needs its own branding... Nobody knows what persona
is. It should say login with Firefox. Did fb create a new brand for its login
system? No it's just login with fb, same with literally every login service
except freaking persona. Use your most popular brand instead of forcing all
developers to evangelize a new brand. That's just not going to freaking work.

~~~
mixedbit
"login with your email" is IMO the most adequate wording

~~~
drdaeman
This may sound paradoxical, but Persona has nothing to do with actual email.
Well, except for Mozilla-provided fallback/compatibility authenticator that,
indeed, uses actual email.

It's just a protocol that - oversimplifying things - allows a certain server
(identified by domain name) to issue you a certificate that says that you have
a name associated with that server.

It's usually an email, but can be anything that could be represented as (name,
domain) pair by concatenating those with "@" character. For example, XMPP ID,
forum nickname or system account.

~~~
stickfigure
That is true, however "login with your email" will be understood by The
Average Internet User. Any discourse on login identifiers, domains, xmpp,
certificates, et al will just scare them. That's a non-starter.

We use "login with your email".

------
af3
We don't know your password. Google doesn't know you're signing in to
Zonino... mozilla knows ;)

~~~
jimktrains2
As someone else pointed out, Mozilla won't have to know once the protocol is
more supported. Currently they're acting as a transitionary bridge, not a
required element.

Also, iirc, Google doesn't have to know where you're signing in either. I'll
have to double check that part.

~~~
StavrosK
The identity provider/bridge doesn't know either. They sign an assertion, so
they know that you want to log in _somewhere_ once, but not where or when.

------
lucasjans
> We think that Persona is a great attempt at improving usability, security
> and privacy...

We use Persona and love it. However, I wouldn't trust Persona for securing
sensitive information. There seems to be no password requirements (at least
when I checked months ago.)

~~~
StavrosK
That's incorrect, the identity provider is not specified by the protocol. Each
user can use whatever IdP they want, with arbitrary password requirements.

I built my own IdP that has 2-factor auth, for example:
[https://www.persowna.net/](https://www.persowna.net/)

~~~
lucasjans
It's possible to implement an identity provider, sure. But that doesn't change
the fact that there are no password requirements using Mozilla's default
provider. Poor default design.

Btw, your service sounds very nice for those interested in securing a domain,
but I was a little surprised by the pricing. Nearly as much as a Google Apps
license itself.

------
dsschnau
Sounds great. I need an e-mail provider that implements the protocol? Are
there any? How can I implement it on my self-hosted e-mail?

~~~
mintplant
Not necessarily. If the email provider doesn't implement the protocol, it will
send you an email to verify when you log in.

Thanks to Identity Bridging on the Mozilla Identity Provider, Persona can also
use the APIs of supported providers to verify your identity: it can verify a
Gmail address by connecting with your Google Account, and has something
similar for Yahoo! Mail as well.

~~~
dsschnau
Ah, I kind of understand... Thanks for your help :)

------
blueskin_
Yet another OpenID/OAuth/Whatever? Another SPOF.

Give me separate logins and KeePass any day.

~~~
dochtman
The protocol itself doesn't come with an SPOF. Only the transitional current
implementation, required for bootstrapping purposes, does require the
JavaScript shim hosted by Mozilla. In the future, at least Firefox itself (on
desktop, Android, and Firefox OS) will come with built-in support.

And, quite importantly, running your own identity provider (which is another
SPOF in many systems) is pretty straightforward and well-defined in the
Persona ecosystem.

~~~
jol
If the Identity Provider goes down, it is a SPOF for the account, but the same
is true with FB/Twitter login.

~~~
icebraining
In Persona, the Identity Provider is not involved in each login, it just signs
a temporary certificate which can be re-used by the browser, so as long as the
downtime is under a few hours, the user shouldn't have much of a problem.
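
The certificate-then-assertion flow that drdaeman, StavrosK and icebraining describe above, as an added example that is not Persona's own code: the IdP signs a certificate binding an address to the browser's key, the browser signs a short-lived assertion naming one site, and the relying party checks the chain. It uses a toy textbook RSA with constructed, deliberately tiny keys so it runs on the standard library alone, and the idp_keys lookup stands in for fetching each domain's /.well-known/browserid document.

```python
"""Toy BrowserID-style chain: IdP certificate, browser assertion, RP check.
Added illustration, not Persona's code; the RSA keys below are constructed
and far too small for real use."""
import hashlib
import json

def rsa_keypair(p, q, e=65537):
    """Textbook RSA from two primes: returns (public, private)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _digest(payload, n):
    data = json.dumps(payload, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(payload, priv):
    n, d = priv
    return pow(_digest(payload, n), d, n)

def verify(payload, sig, pub):
    n, e = pub
    return pow(sig, e, n) == _digest(payload, n)

def idp_issue_certificate(idp_priv, email, user_pub, now, ttl=3600):
    """IdP step: bind the user's public key to the address for a limited time.
    The certificate names no site, so the IdP never learns where it is used."""
    cert = {"iss": email.split("@")[1], "email": email,
            "public_key": list(user_pub), "exp": now + ttl}
    return {"payload": cert, "sig": sign(cert, idp_priv)}

def browser_create_assertion(user_priv, cert, audience, now, ttl=120):
    """Browser step: sign a short-lived assertion bound to one RP origin,
    reusing the cached certificate (no IdP round trip needed)."""
    claim = {"aud": audience, "exp": now + ttl}
    return {"cert": cert,
            "assertion": {"payload": claim, "sig": sign(claim, user_priv)}}

def rp_verify(bundle, my_origin, idp_keys, now):
    """RP step: walk the chain and return the verified email, or None.
    idp_keys stands in for keys fetched from each domain's /.well-known/browserid."""
    cert, assertion = bundle["cert"], bundle["assertion"]
    cp, ap = cert["payload"], assertion["payload"]
    idp_pub = idp_keys.get(cp["iss"])
    if idp_pub is None or not verify(cp, cert["sig"], idp_pub):
        return None            # unknown issuer or forged certificate
    if now >= cp["exp"] or now >= ap["exp"]:
        return None            # expired certificate or replayed assertion
    if ap["aud"] != my_origin:
        return None            # assertion was minted for a different site
    if not verify(ap, assertion["sig"], tuple(cp["public_key"])):
        return None            # not signed by the certified key
    return cp["email"]

def demo():
    """Happy path plus the checks that reject bad bundles (constructed data)."""
    now = 1_700_000_000
    idp_pub, idp_priv = rsa_keypair(2**31 - 1, 2**61 - 1)
    user_pub, user_priv = rsa_keypair(998244353, 1000000007)
    _, rogue_priv = rsa_keypair(1000000009, 1000000021)
    trusted = {"example.com": idp_pub}
    site, other = "https://zonino.example", "https://other.example"
    cert = idp_issue_certificate(idp_priv, "alice@example.com", user_pub, now)
    good = browser_create_assertion(user_priv, cert, site, now + 60)
    # Same cached certificate reused for another site an hour later without
    # contacting the IdP: this is why a short IdP outage does not block logins.
    later = browser_create_assertion(user_priv, cert, other, now + 3000)
    bad_cert = idp_issue_certificate(rogue_priv, "alice@example.com", user_pub, now)
    forged = browser_create_assertion(user_priv, bad_cert, site, now + 60)
    return {
        "valid": rp_verify(good, site, trusted, now + 61),
        "wrong_audience": rp_verify(good, other, trusted, now + 61),
        "replayed_assertion": rp_verify(good, site, trusted, now + 600),
        "cert_reused_later": rp_verify(later, other, trusted, now + 3001),
        "cert_expired": rp_verify(later, other, trusted, now + 4000),
        "forged_cert": rp_verify(forged, site, trusted, now + 61),
    }
```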

~~~
drdaeman
And if the Identity Provider's gone for a prolonged period now you've lost
your identity with (almost) no means of recovery. Mostly, because, while you
might have believed the contrary, you didn't ever own your "own" identity in
this scheme.

That's exactly what a SPOF is.

------
mikevm
What happens to my account if Persona dies or is temporarily down? Does that
mean that I'm locked out?

~~~
StavrosK
Nothing depends on Persona. For example, see
[https://persowna.net/](https://persowna.net/), which I wrote and which you
can use with your own domain for authentication. You can also install your own
ID provider on your site and not rely on any third party.

~~~
drdaeman
And if "your" domain is suspended, revoked or just expired?

You don't own a domain, you only temporarily lease it from a registrar. Just
like with the email account with an email provider.

~~~
StavrosK
Yep, and that doesn't stop us from relying on email for our identity.

~~~
drdaeman
I doubt if it's true. From my experience, email is usually used only as a
credential, not an identity.

Some cloud evangelists try really hard to change that, though.

------
jimktrains2
But, this doesn't solve the issue that you're still trusting someone else with
your secret (your password).

We need to move towards protocols like SRP[0] in general so that no matter
where I'm logging in, noöne has my password.

[0]:
[http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol](http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol)

EDIT: As ubernostrum points out, Persona is solving a different problem than
SRP does. However, one of the reasons different identities (username/password
combinations) are encouraged currently is because providers can't be trusted
with the secret of your password.

~~~
ubernostrum
_this doesn't solve the issue that you're still trusting someone else with
your secret (your password)_

If you run your own identity provider, you are only trusting yourself with
your secret.

Also, nothing about Persona _requires_ password-based authentication -- you
can use any mechanism you like to authenticate to your identity provider.

~~~
darklajid
The problem I have with that is that I haven't found decent identity providers
last time I checked.

Without some decent/proven implementations I'm hesitant to use it. I don't
quite like using Mozilla's service (mostly not because of trust, it just feels
half-assed not to go the extra mile and is considered an intermediate
workaround/solution even by Mozilla, as far as I know). Without decent options
to self host I guess I could implement it myself - but that's a big step.

So .. although I'm a fan of the concept, I'm still not using Persona anywhere.

~~~
dochtman
Have a look at mine:

[https://bitbucket.org/djc/persona-totp](https://bitbucket.org/djc/persona-totp)

It's less than 150 LOC of Python code (plus some HTML templates and a few
basic tests).

~~~
darklajid
Will do, thanks a lot. Since my infrastructure box is mostly python based
(radicale, for example) this might fit in nicely.

------
lotsofcows
So what happens when my Persona account gets compromised?

I'll stick to my many accounts / many passwords approach, I think.

~~~
kn8
Use 2-factor auth to mitigate that? To me that seems safer than having 100s of
different accounts with no support for 2-factor auth.

~~~
lotsofcows
2FA is a nice add-on but not a panacea.

Any account will be compromised - it's only a matter of time. When that
happens, it's best (as recent articles in Wired, Ars Technica and others
demonstrate) to have a broad account "ecosystem".

~~~
kn8
Hm, interesting. I see your point.

What about Facebook/Google/Twitter Sign In buttons - do you think Persona is
an improvement over those?

~~~
jol
Technically - yes, it frees me from being part of (Google/FB/Twitter...
whatever network is trendy now) and still sign in; practically, at the present
moment, no - only geeks know about it.

Edit/update: if compromised, you lose all linked accounts; however, with
Google/FB/... it is the same, but this is less leaky to 3rd parties. If this
comes as the default login, then we would have only a dozen logins
(Persona/email, plus important accounts, e.g. banking or something similar...),
not ~100 of them, thus resetting 100 passwords is just 1 action.

------
lazyjones
This doesn't work with JS disabled, with no indication that it doesn't work as
intended (it just bounces the visitor back and forth between 2 pages).

Persona is very convenient for users, but it would be more secure to not trust
a 3rd party.

~~~
pdpi
My understanding of the technology is that the endgame for persona is that you
don't have to trust a third party. Instead, the authentication will be
provided by the browser itself (the protocol behind Persona is called
BrowserID). The current implementation is just a shim until browsers provide
support for it natively.

~~~
StavrosK
The authentication will actually be provided by your identity provider (which
will usually, but not necessarily, be your email provider).

~~~
pdpi
Did they give up on the in-browser stuff? Or did I just get the plan
completely wrong then?

~~~
StavrosK
If I recall correctly, the in-browser stuff is just a UI for selecting your
email address and contacting your identity provider.

~~~
riquito
I wouldn't say "just". It solves an important problem, the fact that the site
you are logging in to could have a javascript keylogger to read the password
you are going to enter.

~~~
StavrosK
Oh, certainly, I meant "just" as in "just the client-side part of the
protocol".

------
drew
In principle, Persona is great. Not storing passwords is awesome, a
non-FB/Google/Twitter identity option is important.

I would encourage you, though, to look carefully at your login completion
metrics. I implemented Persona on my site
([http://www.sixquestions.co](http://www.sixquestions.co)) to have a pure
email option and although users clearly prefer it, about 35% complete the
Persona login flow successfully. That's 10 points lower than our next-worst
performer (Twitter), and half the rate of our best performer (Facebook). For
all the concerns people have with authorizing Facebook/Twitter access, that is
(in my view) offset by the alien-ness of Persona's login flow. We've heard
from lots of users that logging in with Persona is unusual and they thought
they were doing something wrong because they'd never seen anything like that.

So, as much as I believe in Persona, I'm about to deploy a change that removes
it entirely. It adds a lot of surface area to our testing and future
development, but if it means we lose fewer users in their signup flow, it will
be worth it.

~~~
rebelde
Here's an example: I just failed to login to Zonino myself.

I enter in the Gmail address that I use for registrations and other junk. I
get the message: "Accounts don't match. You are currently signed into Google
as [my normal Gmail address]. ... Force Google logout?" Forget that. I'm not
interested in logging out of Gmail. Logging out of #1, into #2, out of #2 and
back into #1 is more work than simple registration. I expect that I'm not the
only person with this problem. I hope a solution can be found, because it
would be really helpful.

~~~
callahad
Gah. We still need to switch from OpenID to OAuth for our GMail bridge; OpenID
doesn't allow us to tell Google what address we're trying to authenticate.
Sorry!

~~~
StavrosK
Need any help with that/is there a ticket?

~~~
timmclean
I found this: [https://github.com/mozilla/persona-gmail-bridge/pull/114](https://github.com/mozilla/persona-gmail-bridge/pull/114)

