Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: Mozilla Persona Post-Mortem
79 points by pc2g4d on Jan 18, 2018 | hide | past | favorite | 14 comments
As far as I can tell, the demise of Mozilla Persona has left a vacuum in terms of user-controlled identity solutions. Why did Persona fail? What else is happening in this area? What's coming up on the horizon?



Portier (formerly Let's Auth) was set up by a bunch of people interested in decentralised identity solutions after Persona was killed, as a sort of spiritual successor: https://portier.github.io/


I recently implemented Portier in a porject. I haven't come across a nicer login system. It's dead simple and a joy to use. I hope it'll become more popular!


Worth noting that Portier is sponsored in part by Mozilla. IIRC some of the people originally responsible for Persona are also involved with Portier.


The after action report (AAR) can be found at https://wiki.mozilla.org/Identity/Persona_AAR


The main purpose of Persona was cross-site login, and it seems like there's a million options for that: Google, Facebook, Twitter, Reddit, Steam, etc etc etc. Broadly speaking, you can support a lot of these platforms all at once with OpenID (don't know too much about OpenID though; not sure how prevalent support is).

I think Persona failed because it simply wasn't the easiest option for the end-user. When given the choice to create an account on Persona, or sign in with the social media account they already have, most people will follow the principle of least effort and use their existing social account.


The original Persona proposal had the concept of browser-based identity. Your browser would provide secure authentication, and then Firefox Sync would let you bring the authentication credentials with you to other systems. You'd just click "sign in" on a site (or in the browser UI) and your browser would sign you in, with no other interaction required.

However, outside of a prototype addon, that approach never materialized. And without that, Persona didn't have a compelling use case except for people who didn't want to trust signing in via Facebook or Google or Twitter.

We're finally starting to see standards proposals that address this, and allow signing in via cryptographic authentication built into your browser. I hope to see those make OAuth obsolete for any use case other than API access to an account (e.g. "allow this site to integrate with Github").


Also, Persona was interesting for being one of the few actually user-friendly and usable deployments of public-key cryptography ever to exist.


> We're finally starting to see standards proposals that address this, and allow signing in via cryptographic

could you point us at these - would've very interested as thelack of PKI in the world does bother me


https://www.w3.org/TR/webauthn/

Disclaimer: I have not reviewed this spec in detail yet, and my confidence in the W3C is not high.


Firefox 60 will ship the WebAuthn API. Here's a Mozilla blog post with examples of how to use WebAuthn and FIDO U2F devices:

https://hacks.mozilla.org/2018/01/using-hardware-token-based...


Will it work with a key stored in the "software security device", rather than a hardware token?

For that matter, the description shown on that page suggests that it supports using the key on the hardware token as the only authentication factor. That seems dangerous. Unlike a key stored on an encrypted disk, a U2F key typically works for anyone who steals it. Firefox needs to use that key together with another key stored in the browser, or otherwise ensure that someone who steals the U2F key does not gain access to every account secured with WebAuthn.


Yes, I think Firefox will support U2F "soft tokens". Code for a U2FSoftTokenManager was added in Firefox bug 1323339.

https://bugzilla.mozilla.org/show_bug.cgi?id=1323339


Wonder if we'll see password managers starting to support this, in some kind of agreed-upon standard.


There was a post here by the head of the team about 4 years ago going over his thoughts on the matter https://news.ycombinator.com/item?id=7364465

and as someone else mentioned the After Action Report summarized the bullet points well: https://wiki.mozilla.org/Identity/Persona_AAR




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: