As far as I can tell, the demise of Mozilla Persona has left a vacuum in terms of user-controlled identity solutions. Why did Persona fail? What else is happening in this area? What's coming up on the horizon?
Portier (formerly Let's Auth) was set up by a bunch of people interested in decentralised identity solutions after Persona was killed, as a sort of spiritual successor: https://portier.github.io/
I recently implemented Portier in a project. I haven't come across a nicer login system. It's dead simple and a joy to use. I hope it'll become more popular!
The main purpose of Persona was cross-site login, and it seems like there's a million options for that: Google, Facebook, Twitter, Reddit, Steam, etc etc etc. Broadly speaking, you can support a lot of these platforms all at once with OpenID (don't know too much about OpenID though; not sure how prevalent support is).
I think Persona failed because it simply wasn't the easiest option for the end-user. When given the choice to create an account on Persona, or sign in with the social media account they already have, most people will follow the principle of least effort and use their existing social account.
The original Persona proposal had the concept of browser-based identity. Your browser would provide secure authentication, and then Firefox Sync would let you bring the authentication credentials with you to other systems. You'd just click "sign in" on a site (or in the browser UI) and your browser would sign you in, with no other interaction required.
However, outside of a prototype addon, that approach never materialized. And without that, Persona didn't have a compelling use case except for people who didn't want to trust signing in via Facebook or Google or Twitter.
We're finally starting to see standards proposals that address this, and allow signing in via cryptographic authentication built into your browser. I hope to see those make OAuth obsolete for any use case other than API access to an account (e.g. "allow this site to integrate with Github").
Will it work with a key stored in the "software security device", rather than a hardware token?
For that matter, the description shown on that page suggests that it supports using the key on the hardware token as the only authentication factor. That seems dangerous. Unlike a key stored on an encrypted disk, a U2F key typically works for anyone who steals it. Firefox needs to use that key together with another key stored in the browser, or otherwise ensure that someone who steals the U2F key does not gain access to every account secured with WebAuthn.