Hacker News new | past | comments | ask | show | jobs | submit login
Announcing the First Beta Release of Persona (identity.mozilla.com)
474 points by callahad on Sept 27, 2012 | hide | past | web | favorite | 187 comments

I just tried it on the Times Crossword page. The workflow is really simple and elegant. I put in my email address. It took a second to determine there was no Persona account, then asked for me to create a password. After that, I clicked on an authorization link in my email account and as soon as I did that it immediately logged me in. I clicked Log out and back in again and it immediately recognized me and logged me in.

This is really what I was hoping to see with OpenID when it came out, but the process to set up an account and get started is much more cumbersome.

I look forward to seeing native support for Persona in browsers.

It does seem a pretty elegant way to log in, the only concern i have is that it's kind of unclear what password i needed to use to login. I had already created a browserID password at some point in the past, so when i went to the times crossword and clicked sign in, i was prompted for a password. my first thought was maybe i had already signed up for the times crossword, so i tried the password i probably would have used to sign up for a site like that. nope, but it said "authenticating with your email provider". So then i tried my email password, thinking maybe it was integrating with my google account. nope. Third try was the password i had used to sign up for persona.

Maybe in the future, if this sees wide adoption, they can get away with just putting some mozilla branding in the corner, but for now there should really be some explanatory text on the login window telling you that you need to enter the password you created for mozilla persona, or this is just going to confuse users.

They've already stated that you'll be able to put your site logo and name into the login box [1].

As far as the password, I thought it was pretty clear that the password they are asking for is your Persona password, but maybe that's because I had just signed up.

The point is that you'll only ever need one password, so it'll be great to be able to have one strong password rather than tens of weaker ones.

[1] http://identity.mozilla.com/post/32395255498/announcing-the-...

>The point is that you'll only ever need one password

this will never be true. You'll only ever need one password for mozilla persona. The user expectation will still be one password per site, and allowing sites to brand the box will only make things even more confusing. It needs a stronger mozilla branding, not a stronger client branding.

> this will never be true

Primary IdPs host the log in page, not Mozilla...

Say Google implements BrowserID for Gmail.

The user will see the same Gmail Auth log in screen they have seen many times before. They only have to remember their gmail password (and any password manager works like it always has on this form).

Most likely if your provider is webmail, then you'll already have an active session... so you won't have to type a password in.

Yes... assuming that every site on the internet implements this system. which will never happen.

Every new site will, every site under active development will. The ones where two input boxes have been the same off grey colour for three years won't change much agreed. It's just a question of whether the sites that ask for username/password now are numerically the majority of login sites in three years or not?

I give stackoverflow three days.

Thanks, that's really good feedback.

I've pasted your comments into a bug report: https://github.com/mozilla/browserid/issues/2539

Feel free to jump in if you have ideas on how we can phrase this better.

After reading the text twice and watching both videos i still have no clue what it actually does and how it solves the problem. I'm a few pages of skimming into the documentation now but there's no overview of what it actually does in the background.

Just a load of buzzwords and awesomeness!1 of how this will revolutionize my account management and how easy the API is.

Is it a password manager, a biometric system or some kind of account provider?

It's decentralized public-key based authentication, wrapped up in an extremely user- and dev-friendly package. Francois Marier did a good job of explaining it at Kiwi PyCon 2012: https://www.youtube.com/watch?v=iZBTc7iEkQY

(Think OpenID, but easier to use, easier to implement, and with better privacy protection.)

In brief: instead of a username and password at login, you get a user's email address and cryptographically signed assertion proving their ownership of that address. The assertions are ephemeral and scoped to your site, so once you verify it, you can set a session cookie and throw away the assertion. No more password column in your database, yet you still retain a direct relationship with your users.

Here's the underlying spec (working on getting it updated for Beta 1, but the principles are all there) https://github.com/mozilla/id-specs/blob/prod/browserid/inde...

Congratulations on this and thank you. The links are useful and I recommend the video-I got a proof of concept onto our staging servers whilst listening to the video - fantastic.

Can I suggest a clearer explanation in the quick start guide of loggedInEmail and it's options and that there is a comparison of the name supplied from the site and name inside the browser - it is a bit confusing to see onlogin get called without a button being pressed. I would suggest walking a dev through what to expect - the code examples are great but the quick start is written by someone who understands what's going on behind the scenes - there is a sentence About currentusr that completely floored me - I could not understand how I was supposed to know bob was logged in if that was the first time he arrived at the site. In the end I gave up and read the docs !

Edit - needed bigger text box on ipad

>No more password column in your database...

Who has liability when a user of mine says their account got hacked? The email provider? My site? Mozilla?

If one of my users has $100 go missing from their account, then they are going to expect me to replace it, not the email provider, not mozilla. I don't like the idea of shifting security to a outside platform, because I still retain all the liability when things go bad, and they always will (key loggers, spyware...)

Sites that deal with financial transactions will be reluctant to adopt this for sure.

Sites that deal with financial transactions are almost always 5-10 years behind on the adoption curve; of course they will be reluctant to use Persona. And that's not unreasonable.

How can any website protect a user against key loggers, spyware or any other form of a compromised client machine? If the client machine is compromised, any login method is broken.

As mentioned above, two factor authentication.

Not really. All 2 factor authentication schemes that I've seen give no protection against a compromised client machine.

In theory you could probably device a scheme that would require the use of two independent devices to perform any sensitive action and that would guarantee that if only one of the devices is compromised, the attacker would have no way to perform any action in a name of the user. But I'm afraid any such scheme would be a complete failure from a usability perspective.

When the second factor is a "rich" device, such as a smart phone, attaching transaction information to the interaction would be a trivial - instead of texting "The code is 1234", text "Transfer $100 to account 9876" or "Login attempt from IP, FooCom Inc, Springfield, Oregon, USA.", followed by "If correct, enter code 1234. If not, DO NOT enter the code and contact us at .. "

For financial items you could use two factor authentication. Or if your service has something that can be done with a lower set of privileges you could use persona there and fall back to "more secure" methods for anything with financial effects or account changes.

The use case seems to be more for sites like twitter, hacker news, reddit, etc...

The original name, "Browser ID", made it clearer.

Basically, your browser knows your identity, so it can automatically authenticate you with any supporting website. You never have to set up an account with the website and you never have to enter a password.

That's my understanding of it anyway.

in 5 years many people using the web will have no idea what you're talking about when you say "browser" :)

I think the majority of people have no idea what a browser is and never have.

It's quite clever, essentially it's a system where your email address is your unique identifier, and you authenticate by clicking on a link sent to your email account.

The developer reference has much more information: https://developer.mozilla.org/en-US/docs/persona

Isn't this basically the same as OpenID?

My understanding is that it is designed to be a distributed variation to oAuth where you authenticate against an email address instead of a specific social account.

It's like PKIX but with JSON.

Have been messing around with BrowserID since it first went public last year (with a node.js backend) and I love it. Its so much more straightforward to implement than oauth and openid, and the fact that it's tied to your email address is perfect. I'm definitely going to be using it as my primary auth system going forward. Great job Mozilla!

Do you have examples of sites that don't use Persona as the BrowserID implementation? I'd like to see how sites are handling the user prompt when there are going to be alternative providers to Mozilla's Persona service.

Doesn't work that way; Mozilla's Persona service just serves as a shim for browsers without native support for BrowserID. On browsers with native support, Mozilla's server won't get involved at all.

No since what I do is pretty experimental side projects and fine to just use the persona end of things. Also I don't currently have anything public running right now myself (as it just entered beta so I won't release until v1.0).

If you haven't tried it out yet I encourage you to do so...it only took me 30 minutes to get up and running the first time around.

My major concern with this, beside the eggs-in-one-basket issue, is that this places even more value on my email account.

Years ago, my email account was simply used for exchanging short pieces of text with acquaintances and companies. Now it's the central key to all my authentication sessions and finances, and therefore presents a huge target for attackers.

I've been looking for ways to reduce the risk associated with losing access to my email account, should that ever happen. Yet for all its benefits, Persona still places yet more importance on protecting my single email password.

You could say the same about any traditional username/password signup that sends a confirmation email and allows you to reply to an email to reset your password. Ultimately, that's just relying on the security of your email, too. So while you are correct that Persona doesn't solve that problem, it doesn't make that problem any worse compared to the default option of an email-confirmed username and password.

I think that's what the parent post was getting at. Originally email was just used for exchanging messages, now that most sites use it to authenticate a user there is a much higher cost to losing access/having it hacked.

Considering that it's a new protocol, why not try to solve that old problem? At the very least, they could allow you to disable email-based password reset in favor of printed code. That would be a smart thing to do.

You would get a random code or several codes you print out and put into a safe place. If you ever forgot your password, you would dig it our and supply to the website to trigger a reset (which could include or not include email-based verification). The codes would only be usable for passwords resets.

Google's 2 factor auth does this already.

Yes, most authenticated web services offer a "forgot password" option, and their security is thus tied to your email account. However, each one of these decentralized services on its own is not as valuable as the entire ecosystem of Persona-enabled sites will be.

That is, the Persona "forgot password" is a single point of failure which, if compromised, can provide access to a whole ecosystem of sites. And it will be tied to your email account.

I'm still not seeing a distinction. Your email account is already a single point of failure for every account registered with that email that has a "forgot password" feature.

Maybe it would help if we considered two hypothetical scenarios. A: Your email is compromised, and you're registered on 15 websites with that email, each of which has a "forgot password" option. B: Your email is compromised, and you've used Persona to sign into 15 websites. In what concrete, practical way is B a more damaging situation than A?

Great point! And the recovery process is much easier in the Persona case... because you only have to fight to get back your Persona account. Today you'll have to

1) Fight to get your email account back

2) Visit each and every site and manually recover your account

I think the ship has mostly sailed on email -- most sites use email password recovery, so that choice isn't up to you unless you get a different email address for each site.

You should definitely use 2-factor authentication for your email!

> I think the ship has mostly sailed on email

You're right. Gmail does an excellent job with ensuring account integrity. I've lost and subsequently recovered access to Gmail accounts, and I must say they do it right. And like you said, I especially appreciate their two-factor auth.

I hope lay people are coming to realize the security importance of their email accounts.

Persona, the protocol, doesn't actually rely on your email account's password. It uses the domain from your email account to figure out how to authenticate you; if you want to use some other way than via your email, that's fine.

That's correct. However, the security of any Persona-enabled site is tied to your email account's security through Persona "forgot password".

This is my concern; a compromised email account means a compromise of your account on every Persona-enabled site.

> … through Persona "forgot password".

That’s just how their fallback provider works. BrowserID — the protocol — does not rely on email in any way. There’s no guarantee that if you have valid assertion for joe@dns.tld there’s also an email account by that name.

The password that I create when I setup persona is for what exactly? It doesn't seem to be used at all after the creation a persona.

If you log out, that's the password you'll use to log in again. The login session is good for a while so you can continue to login with already-authenticated identities (and you can have as many as you want) on persona-enabled sites.

Thanks for clarifying. I was assuming that was the case but the login/creation page needs to have a graphic or a narrative talking about what it does and how the process works a bit more before it reaches a more public audience. As a software developer I had an idea of how the thing worked but it wasn't spelled out enough. I understand that it's beta but the whole thing is weakly documented from a user's standpoint as to why it should be trusted.

People simply need to be very very careful about protecting their email account. Use two factor authentication, use a PIN on your smartphone, don't type your email address password on random internet cafe computers, etc.

No. Websites should stop outsourcing their security to third parties they know nothing about (such as email providers). It's not just a matter of immediate security, but overall architecture quality as well. Having your entire digital life depend on an account that, for most people, is hosted by a third party, for free and without any guarantees is dumb. Email simply wasn't mean for that kind of use.

This seems to be a nice solution if you are on your own home/work computer and have your email open. They didn't really explain much on HOW it works but the problem I'm seeing is that if I am at a public computer and want to login I have to log in to my email account first and click on the persona link. I guess the benefit here is that I only need to remember 1 password (my email address password) but my email password is usually a 50 character random string that I don't like entering on public computers if I even could.

So if I want to log in to a crossword puzzle I almost feel like I have to compromise my email password which is much more valuable, if say the public computer has a key logger or something.

Maybe I'm over thinking. I could see how this would be useful if I have my desktop mail client running and just click a link to log in though.

You can have a provider that requires no auth. Try entering whatever@mockmyid.com as an address.

That's what two-factor auth is for.

That's not really how it works. You verify your email address once, and after that you can just log in with your address and password. You don't have to click on an email link every single time you log in.

Then you would not use your primary "super secure" email as your browserId, but a secondary mail account.

The most valuable thing about your email account is that it's your password recovery mechanism. What ever email account you use for password recovery or logging into things becomes the "super secure" email account.

There is no message in my email that I care more about than the one that might give you access to my bank accounts.

> There is no message in my email that I care more about than the one that might give you access to my bank accounts.

This is very well phrased. Email sort of serves two purposes these days, each with very different security models: text-based communication, and external service authentication. Do you have any ideas for separating these two functions, or at least improving their security?

Not really. The main thing that has been happening over time is that more and more low-security messages are being drawn away from email (Twitter, FaceBook, SMS). I used to get email forwards from friends/family -- now they post to FB. I never get a pic emailed to me any more. So, the trend to separate out low-security messages has been happening -- perhaps trending towards leaving email as only a password recovery mechanism.

Or maybe not even that -- I use 2-factor for Google and FB -- where SMS is in the mix -- SMS could even be the recovery mechanism, moving even those messages out.

Passwords are not the only authentication option. This could be a good way to replace all your passwords with something stronger (2 way, fingerprints, you name it) if your provider supports them.

Let me add my understanding. Please correct me if it is wrong.

Actual user case if everything is in place:

1. you are in a website using browserid protocol/persona (eg. http://crossword.thetimes.co.uk/)

2.hit the login link. Give your email address (superuser123@gmail.com or superuser123@yahoo.com)

3.it prompts for your password - gmail password or yahoo password

4.post authentication it takes you to the website with user session as superuser123@gmail.com/superuser123@yahoo.com - eg crossword.thetimes.co.uk

5.In a nutshell, end user doesn't need to create a new userid & password for using the website, as long as he knows his emailuserd/emailpassword

Present use case - since few things are missing

1. you are in a website using browserid protocol/persona (eg. http://crossword.thetimes.co.uk/)

2.hit the login link. since gmail & yahoo as email providers not implemented browserid/persona protocol, you will asked to create an account in persona.org with any of your existing email address.(gmail / yahoo).

persona.org will send you a verification link to check if you really own your email address. Click on the verification link and you are verified to use persona.org account in all the places where browserid is supported

3.in the login page - it prompts for a new password if you are a new user or existing password if you are a returning user - this is the password for the email address used in persona.org registration.

4.post authentication it takes you to the website with user session as superuser123@gmail.com/superuser123@yahoo.com - eg crossword.thetimes.co.uk

5.In a nutshell, two things will change in future - no login window from persona.org & no need to create account in persona.org

That's completely spot on. Right now, if your email provider doesn't have native support, we ask you to create a persona.org account so that Mozilla can vouch for you. In the future, this goes away.

Similarly, the UI is all displayed in response to navigator.id.* functions. If a browser implements those natively, the Persona UI at login.persona.org completely goes away.

The more successful Persona is, the less Mozilla is involved in the login process. :)

So if i signup now with my @gmail account through persona.org, what happens when google starts supporting browserid natively?

Then you'll start seeing an authentication page hosted by Google, instead of the Persona fallback. Native options are always tried first, both for client-side navigator.id functions, and for server-side authentication. If one of those is missing, then login.persona.org fills in for that component.

The BrowserID protocol states that Google should be used for authentication, instead of the fallback persona.org account.

> 3.it prompts for your password - gmail password or yahoo password

Yes. In this case the "it" that prompts for your password will be an iframe served from gmail/yahoo. Once they support Persona natively, login.persona.org is no longer in the loop and your gmail/yahoo password goes directly to gmail/yahoo.

Having the (say) GMail in an iframe sounds worrying. It's not clear immediately that the embedded page came from GMail, as we cannot see the https scheme in the URL for the iframe - much less any indication that the certificate is trusted etc. This provides an attacker with the possibility to create a fake GMail login page

Why not redirect to GMail (openid-style) with a callback (or failing that, use a pop-up)?

You're talking about a phishing attack and it's actually worse for OpenID http://identity.mozilla.com/post/7669886219/how-browserid-di... Once Persona is integrated into browsers it will offer better security. BTW, the iframe is always in a pop-up for this exact reason. It's never an iframe within the context of the website that initiated the login.

I personally feel the pain point of password/identity management across different websites, and I'm using LastPass to help. While LastPass's browser integration is great, its UX is... lacking. Mozilla's strategy to associate Firefox browser with identity is IMO awesome and the first sign that it's pioneering vs reacting to Chrome (before this news, I've always viewed Firefox as Chrome's successful but still little brother in terms of features, polish, performance, support, etc.).

BUT (and this is a big "but" I feel), this is contingent with their execution of browser integration. W/O rock solid browser integration with fluid UX, this would just add noise to identity services and cause more consumer confusion.

Ultimately, I'm rooting them on because a) I'm concerned about my security and b) I have too many passwords and c) I'm hella lazy.

Can you be more specific as to how you find the UX lacking?

Getting UX right is a priority for Persona.

I was referring to LastPass's Chrome extension specifically, not Persona's UX. Sorry for the confusion.

Can you be more specific as to how you find the LastPass UX lacking? Getting UX right is a priority for LastPass too!

Another LastPass user here. The two big obvious ones:

- Completely non-standard menu behaviour and appearance - I to this day can not associate the shortcut icons for copy/edit etc. with the password. Maybe that's just m.. - The one single function I use the most often is "generate password", and it's hidden one menu down from the root. - The second most frequently used function for me is to view the password, when I need to enter it somewhere where I haven't got Lastpass installed (on another device, so copy/past isn't sufficient), yet that requires me to click on the site, "edit" and "show password".

Persona doesn't require any browser integration. It works in all browsers that implement local storage. So it works via modern Javascript.

I'm sure Firefox will release a Firefox plugin that will complement the basic service of identification. Imagine a plugin that lists all the websites you can authenticate with Persona. Or what if you had multiple personas, the firefox plugin can help you manage the selection of personas. Eventually, it'd become baked into Firefox, giving users that sense of it fundamentally "safer" than other browsers. Sure, this is all speculation, but it's a good marketing strategy on Mozilla's end and the start of gaining back the average consumer market share.

Hi, John, you have some cool ideas there! Hope to see you hacking on Persona. As a member of the team, I just want to clarify that this is not an effort to make firefox alone more secure; it's an effort to make the web more secure. Any browser vendor can implement the protocol, natively or in a plugin, and we hope other browsers will. Same for identity providers. The spec and code are all open-source: https://github.com/mozilla/browserid So Mozilla's strategy remains the same: Put the users of the internet first. That's why we made this.

It's great that Mozilla has made Persona open for everyone to develop with. While I still believe that Firefox has a lot to gain with Persona, I also agree with your vision that this is a good step towards a safer web (only time will tell if this takes off). I'll take it a step further and argue that if Firefox lead the charge with Persona tightly integrated, it'll make the web even SAFER for the average user, because it will force other browsers to tackle the issue of security as well, benefiting all users regardless of browser platform.

Are there any websites with implementations that don't prompt directly for Mozilla's site(i.e. asking for your preferred BrowserID provider)? I'd like to see how clunky the interface becomes when there are more providers(such as if I want to become my own provider) than just Mozilla. Is the user then confused by asking for a provider..ala OpenID? Am I correct in presuming Persona is an implementation of BrowserID?

I'm not likely to use this myself as this little gem from Mozilla's privacy policy (https://login.persona.org/privacy) gives me the shivers: "As part of the normal operation of the Persona service, Mozilla will retain a log of which sites you have disclosed your email to."

> Are there any websites with implementations that don't prompt directly for Mozilla's site

That's the OpenID model. BrowserID works somewhat differently. Your ID is an email address, so your provider is that email's domain. Because few domains support it directly yet, Mozilla operates an optional, centralized authority that can issue credentials to other users. But you don't have to use that if you add support on your own domain.

After that, the UI is also provided by Mozilla's cross-browser JS shim, but it's just a polyfill for `navigator.id.`. If your browser has native support for those methods (Firefox will, soon), then Mozilla's UI is completely uninvolved.

Basically, we're starting with a single, optional point of centralization: login.persona.org. As native support comes online from various domains and browsers, our central fallback will automatically drop out of the picture.

> Am I correct in presuming Persona is an implementation of BrowserID?*

Yep! BrowserID is the protocol, Persona is Mozilla's cross-browser UI and optional centralized services. It's kind of like how Google Login is really OpenID/OAuth under the hood, but more meta.

> "As part of the normal operation of the Persona service, Mozilla will retain a log of which sites you have disclosed your email to."

Yeah, that line sounds super bad. IIRC, it's a relic of a previous design of the cross-browser shim that needs to be removed. I'll follow up with Mozilla's legal folks.

Are there any browsers that currently implement BrowserID? I just fired up Firefox 15 and still get the pop-up for login.persona. Or links to near future impementations?

Thanks for you and otzen for shedding light on all of this.

I believe Firefox OS will have the first enabled-by-default, user-visible implementation around Q1 next year. Bits are starting to land in Firefox, but they're super, super experimental and not totally functional yet.

Mozilla has a prototype addon that implements it.

Can I cname my own domain to a provider or something similar?

Yep! You can delegate to another Identity Provider (IdP) by adding a JSON file to your domain (we're looking into DNS-based ways of doing the same), but afaik, there aren't any publicly available IdPs that accept delegation yet. Ozten is working on one.

Also, we still haven't completely shored up the IdP-facing API (there are a few rough edges to fix before committing to it), so the specifics are still subject to change. https://mockmyid.com/ and https://eyedee.me/ are both open source, example IdPs that we're using for testing.

We'll also be looking into DNS-based delegation for the next beta: https://github.com/mozilla/browserid/issues/1523

Go to https://eyedee.me and create an DASD account

Go to http://crossword.thetimes.co.uk/ - this is a non-Mozilla RP

Enter DASD@eyedee.com - This is a Primary Identity provider, source at [1]

So you see there is no BrowserID provider choosing screen, it's naturally part of the flow. you enter DASD@eyedee.com and the system checks for support and delegates to eyedee.com.

[1] https://github.com/mozilla/eyedee.me

Thanks for posting the process flow. So (https://login.persona.org/sign_in) will always be shown? If so, then how is this truly decentralized with my privacy concerns mentioned above?

If you had a browser, say Opera, with native support for the BrowserID protocol, then you would not see login.persona.org. No requests would be made to a Mozilla server.

login.persona.org is two things:

1) A JavaScript shim for cross platform support (Opera + BrowserID support would avoid this)

2) A Fallback Identity provider (eyedee.me avoids this)

And with your explanation, all becomes clear. Thanks for that and now I can understand how slick this should become.

Realistically though the fallback will need to be kept around for a long time.

Got it spliced into the site i am working on, checked in to github, and my laptop crashes. Karma oh karma.

This looks great, I got an identity service plugged in in hours, into a OSS website and this will kick openids bottom.

Brilliant - Mozilla is hitting some incredible high notes right now

I'm seriously digging the positive, participation and hacking vibe in these comments!

The web and OSS is so amazing.

One reason this looks good to me is that I trust Mozilla more than most organizations.

I don't trust any "organization" to store and manage my passwords. A single subpoena to mozilla for a divorce proceeding or whatever could unleash cascading consequences upon you.

It's not really a "password manager", it uses signed assertions instead of plaintext passwords. It is similar to client certificates, but with a much better UI.

Plus, your keys are stored in the browser, according to callahad, so Mozilla doesn't have to know where you signed up: http://news.ycombinator.com/item?id=4232774

Also, in the future you probably won't even need to contact Mozilla anywhere in the process: your browser will store your certificates for you, natively.

The system is designed to allow your email provider or another Identity Provider that you trust, to store your password instead of Mozilla.

Your identity provider just has to implement the BrowserID protocol https://developer.mozilla.org/en-US/docs/Persona/Identity_Pr...

So what happens if my email account gets hacked? Won't this compromise all my accounts then?

This problem exists today. I can do "forgot my password" on many sites and owning your email account can change the passwords and log in to them.

Persona doesn't attempt to solve this existing problem.

Thank goodness Persona isn't a password manager then.

Why? Genuine question, do you think their security will be better?

The low level protocol - BrowserID - is a federated system, so the "they" in your question can be someone you trust (and Mozilla isn't hardcoded)

You can use any browser and if it has native support, it will do the client side crypto. It will store your public/private keys in the client.

You can use any Identity provider (email provider probably) and if they have native support, they will store you password and do 2 factor auth or whatever.

This removes websites (relaying parties) from the password storage business. All they get is an email address and a way to cryptographically check to see that you owned it.

The crypto that powers the BrowserID protocol is an open standard, so you can vet it. It's been designed by crypto experts in an open forum.

One more correction. The identity/e-mail provider does not store your password, it merely signs your key for which it can use whatever authentication it wishes. Most probably the same user-id/password combo you use to read your mail, but the BrowserID does not dictate that, it is up to the provider to decide.

After that the identity provider just gets requests from services that do not know its public key yet, but typically it is asked only once per service as the key is stored in a local cache. And even when the key is asked, the provider cannot know for which email verification address it is needed.

All in all I think this is a great system. It puts a lot of trust in the e-mail provider, but I think that's all right as the provider already has full control of your personal e-mail anyway and hence is trusted by default.

Ideologically? Yes. Technically? Not so much.

I'm hoping that a large email provider (like gmail) will support this soon.

Getting providers onboard with this will be the make or break factor. And I'd really like it to succeed.

I really want to believe in something like this, however you'd getting much better traction by explaining a few key details:

* What the hell does the JS assertion object look like?

* How do I run an independent service?

* In a single page, walk me through the steps to integrate?

Videos, dodgy music, overenthusiastic PFYs appeal to me much less than good documentation

> What the hell does the JS assertion object look like?

Needs to be updated a little bit, but check out the spec: https://github.com/mozilla/id-specs/blob/prod/browserid/inde...

Note: You don't have to implement this yourself! You can POST assertions to https://verifier.login.persona.org/verify instead, and we'll return a JSON blob that lets you know if it was valid or not. Or you could run that same verifier locally (it's a stateless node.js server, code's on github in the mozilla/browserid repo). The exact data formats are still in flux (waiting / hoping for IETF standardization around some crypto things), so we don't recommend doing verification yourself just yet, unless you run our node.js verifier and frequently update it. We'll get that stuff locked down in one of the next Beta releases.

> How do I run an independent service?


> In a single page, walk me through the steps to integrate?


Huh :) I went in circles on the MDN site for a few minutes.

Support for Persona in HN would be awesome...

...and assuming it's written in Python (is it?), it should be pretty easy to do: https://github.com/mozilla/browserid-cookbook/blob/master/py...

Awesome work by Mozilla. I've added this to a small project of mine, and it was super simple and fast to do. I really excited to see this gain traction.

This is just great. I do hope this replaces Facebook connect as authentication provider, though I doubt it since getting all that user info is priceless for most sites using Facebook connect.

It looks very lovely.

I don't think it'll replace Facebook, it'll just be an alternative to it. We've integrated both Persona and Facebook into our site and it works great.

For my business, we need more personal details about each person that we get by default with Facebook (name/age/sex). So, that integration will always be cleaner than Persona because it is just a few clicks.

We've been working with BID/Persona for a while now (we're linked from the /about page) and we're huge fans. If you want to play around with it... https://www.voo.st/

I've seen some preliminary discussions of linking personal information to a Persona and optionally supplying it to the site at login time. If you have a need for that, you should chat with the Persona/BrowserID developers.

It wouldn't be ideal because there would only be a limited number of people who ever took advantage of it. The model for Persona is different than Facebook. Facebook requires this data on account creation and so do we... so we just present the user with a lock out until they give it to us.

Persona could potentially note at login time that you require that information to create an account, and thus require supplying it before attempting to log in.

That said, looking at what your site does, why do you need that information? I can understand why you want it, but what functionality of your site won't function without it?

Yes, we require it. Having the persons name is obvious. For the rest, the site is very specific in its purpose, which is to allow people to register for USA cycling events.

There are some crazy rules around who can enter which race (based on age/sex) and we do our best to help guide people into the right event during registration.

Location is a nice to have so that when we show the list of participants, they can see where each person lives. Future versions of the site will use this information to help people connect with ride sharing to events.

Keeping the UX of asking for this information within our site makes sense when logging in with Persona since it doesn't have the social networking aspects that Facebook has. Most people who are entering bike races won't lie about their age/sex on Facebook (because bike racing is a relatively small community), so generally this information is pretty accurate. Once someone gives us their USA Cycling license number we also validate against the database we have of that information too.

What is the self-hosted equivalent of this ? I have been struggling with this problem quite a bit.

I have a bunch of web apps which are quite a bit different - off the shelf forum software, wordpress, custom code, etc. - and I want to tie them all together using a single signon. What should I be using ? I distrust myself enough to know that I would prefer not rolling my own security protocol.

I know that there are solutions like Kerberos, etc. but is it really practical for a bunch of websites running on Rackspace + EC2 ?

Which pieces do you care about being self-hosted?

If you use Persona on all your sites, it feels very much like SSO.

I use the browserid plugin (http://wordpress.org/extend/plugins/browserid/) on my personal Wordpress site.

We actually had an SSO project based on CAS v2, which we killed because Persona was a better solution.

I agree about the Persona bit, but many times you are not ... shall we say "allowed" to.

Since you built an SSO, could you point me in the right direction amongst self-hosted solutions. Some comparisons and pitfalls would be most welcome.

Can someone explain how this is distributed and not using a central "authority"? I know it caches things locally, but it still requires Mozilla's Persona.org servers, correct? And you need a password that Mozilla stores, so aren't their servers still vulnerable? And couldn't (dumb) people still choose "123456" as their persona password? I understand that this makes the sites with crappy security implementations better, but some of the weaknesses are still there, right?

It's fully distributed because the identity provider is your email domain. When joe@gmail.com logs in, gmail.com could be the only server that the system interacts with! This is described here: https://developer.mozilla.org/en-US/docs/Persona/.well-known... Gmail may or may not choose to become an identity provider. That's ok too. In that case, a secure Mozilla server (with a sane privacy policy) will broker the email verification instead and thus can vouch for the user's identity.

I believe the aim is to have email providers be able to auth your persona email instead of Mozilla, but Mozilla exists as a sort of polyfill if the provider (eg. hotmail.com, gmail.com, your-custom-domain.net) doesn't do persona yet.

Also, yes: people can still choose crummy passwords. Personally, I don't think the appeal is in better security; it's convenience of single sign-on without it being tied to a. identity or b. Facebook (or twitter or google or whatever other service that harvests my data).

Right, but the email providers are only authenticating you to Persona. As far as the websites using Persona are concerned, it's persona.org that authenticates you.

And the appeal that Mozilla is pushing is definitely better security (as well as a distributed security authentication versus one for-profit authority - I definitely trust Mozilla MUCH more than Facebook or twitter, but it's still a central authority). You can especially see this in the talk they gave introducing it: http://www.youtube.com/watch?v=iZBTc7iEkQY

As a website you can do local verification of the log in assertion.

Mozilla hosts a verifier as a convenience, but you don't have to use it.

But the assertion only gets sent if the user logs in to persona first (with their email and persona password)

Ah! Right. There is no Persona password if your email provider supports Persona natively. If your provider has native support, you only authenticate with them, and the site you're logging into sees a credential issued by your provider. Mozilla is completely out of the transaction in that case.

You can try this yourself with a demo identity provider we have at http://eyedee.me/

I thought [1] Mozilla Personas were themes?

[1] http://www.getpersonas.com/en-US/

Evidently I need to pay more attention.

Someone needs to make a Persona Persona. We're our own worst SEO enemy :)

The Firefox themes were renamed to... background themes. It's just that the addons team (which owns getpersonas.org) has been hard at work on the new Mozilla Marketplace, and the Persona team has been hard at work on Persona. A few of the Persona devs are going to hack on this next month and try to get a disambiguation page deployed. We don't want theme-seekers to get lost, but we also don't want to lose people looking for the authentication system, so a straight 301 isn't ideal.

This link posted says they are looking to rename Personas to something different, but it doesn't look like its actually happened yet (or what it will be called). Given that the getpersonas.com website is still calling them Personas, I'd say the Personas name is still alive and well (and easily confused with the new Persona product)

I told them that they need to rename it with a 301 several weeks ago. They haven't. sigh

Speaking of themes, how easy is it to customize the look&feel of the login prompt? It may be odd for the user to see an entirely different site when they try to sign-in to a site.

I think the general idea of building better auth into browsers is a wonderful and highly necessary development. However, this implementation will completely fail if the user has JavaScript blocked and there is no fallback. And yes, this is a real issue. (Though I will probably get a lot of replies that try to dismiss it in various ways.)

That's a great point. Persona doesn't work well in non-JS, non-browser contexts, yet. The nice thing is that you can use it for progressive enhancement. Users have JS? Auth with Persona. Users don't have JS? Use a traditional email address / password system.

So long as you can associate email addresses with accounts on your backend, you can use Persona with the same database you have right now.

Persona doesn't work well in non-JS, non-browser contexts, yet.

So are there built-in, HTML-only versions for this in the works? It seems it should be possible to build some of this functionality into the browser, making it work without JS.

The nice thing is that you can use it for progressive enhancement. Users have JS? Auth with Persona. Users don't have JS? Use a traditional email address / password system.

I wouldn't call that progressive enhancement. Depending on whether the client has JS enabled, they would go through entirely different registration and auithentication processes, using different credentials. That can be very confusing to the users.

Is there any way to use it for say an iPhone app interacting with web services authenticated as a user?

There have been iPhone (pancake) and Android (soup the AMO marketplace) apps and you can find the source in github.

We're working on an iOS SDK, to make this polished and easy.

Patches welcome, get involved!

* mozilla.dev.identity mailing list * #identity on irc.mozilla.org

Interesting changes to the API. We now have an observer API, instead of just a function that invokes the login window.


I believe this merges the old BrowserID Session Management parts with Persona, or am I wrong?

Yep! The Observer API does session management automatically. (Some folks don't want that, so the previous `.get()` API is still available.)

I’m not in love with Persona because it puts everyone’s eggs in one basket.

I like OpenID because it works like email — choose whichever provider you fancy. If one goes sour or a nicer one pops up, websites don’t have to add support it before you can use it. And, websites can choose to expose nice “sign in with X” buttons instead of making you type in your OpenID address to sign in.

On the other hand, I realize that Mozilla has made big advances in ease-of-use (for users and developers). I just hope those advances turn into an open protocol someday.

P.S. I had a fleeting hope that they were announcing browser extensions (with a fallback to the way it works now). There’s still a risk of sketchy websites phishing for your Persona login.

- - -

All right, clearly I need to read some more docs. I apologize for making unfounded complaints against what seems to be a pretty darn awesome protocol.

> I like OpenID because it works like email — choose whichever provider you fancy.

Persona works like email because every identifier is an email address, not an opaque OpenID URL. You don't have to have the NASCAR-esque "Sign in with OpenID Provider X, Y, or Z" login page if users can actually use an identifier that that already know. :) (To be fair, OpenID Connect is working on fixing that problem)

> I just hope those advances turn into an open protocol someday.

You're in luck! :) The protocol is open and completely decentralized: https://github.com/mozilla/id-specs/blob/prod/browserid/inde...

Mozilla operates a few centralized services to solve the chicken-and-egg problem while bootstrapping, but they're completely optional, and they automatically fall away when a browser or email provider have native support for the BrowserID protocol.

> Persona works like email because every identifier is an email address, not an opaque OpenID URL. You don't have to have the NASCAR-esque "Sign in with OpenID Provider X, Y, or Z" login page if users can actually use an identifier that that already know.

OpenID URLs need not be opaque - I use my regular <realname>.com URL as my OpenID, and have a stub in the HTML of /index.html that points to the provider that I want to use when I authenticate (which I can change any time I please). It's called delegation. I think using DNS as an identifier is better than email (as that's kind of what it was built for), but not a viable option for the masses. Mozilla did a good job with Persona.

Not everyone supports that though. I do the same thing for OpenID, and sites that "support" open-id like The Verge cannot figure out mine in that way.

I believe different providers other than Mozilla can host it, and you can use one of them instead of Mozilla. That works just like email hosting. Persona is an API-level protocol. Whoever implements it can host it. It just means the end users need to maintain a separate password entry with the other hosting provider.

What? You didn't even watch the video?

It's decentralized. It's an open protocol based on an older open protocol.

As far as I understand http://lloyd.io/how-browserid-works , the browser will hold a "certificate of ownership of the email". Since browser do not yet implement Persona, it is done in javascript with https://login.persona.org/include.js .

I do not yet understand what prevent me to steal these 'certificate of ownership of the email' by creating a web site with my own version of 'include.js'. In this malicious version, the "Assertion Generation" also send the private key to the server. After that, the server can uses the user login as he wants. It seems there is a timeout, but it allow the malicious server to log so long the time out is not ellapsed. Where I'am wrong?

I can see why they're calling it a beta release. The UX during creating a profile on developer.mozilla.org has several rough edges. For example:

  1. Clicked "Sign In" and successfully create a Persona account.
  2. Created a profile on MDN, with the wrong user name (oops).
  3. Cancelled my Persona account in a separate tab.
I'm still logged in on MDN and the "Sign Out" button doesn't work now. After 5-10 minutes, I get a "Permission Denied" page, which is correct, but not exactly the expected workflow.

Also, LastPass doesn't seem to play well with Persona, but I'm hopeful it will in the future.

If I understand correctly, the browser stores a certificate that proves you own your email address. These certificates are only valid for a certain amount of time, even if you check that you own this computer. So what happens when your cert expires? Do you have to go back to your email and re-click the link that gives you a new cert to be stored in your browser?

Also, if I'm using a public computer, is there a way for me to manually revoke a cert when I'm done using the machine? It seems that even a 1hr expiry is too long for this case.

This is the part that gets kind of confusing because there isn't a clear delineation between Persona the UI and Persona the fallback identity provider (IdP).

When your cert expires, you need to get a new one from your IdP. If you already have an active session with your IdP (either by logging into your webmail, or clicking the "this is my computer" button for Mozilla's fallback), then your browser can get a new cert completely invisibly.

If your session and your cert have expired, then you get prompted to authenticate again. For the Persona fallback, this means you'll be prompted for your Persona password (instead of sending you back to your email, because that's super annoying and users end up not logging into your site). If your email provider has native support for Persona, then you'll get prompted by them however they normally do login.

> I'm using a public computer, is there a way for me to manually revoke a cert when I'm done using the machine?

Go to login.persona.org and click "sign out." We're working on universal signout (at least for users of the fallback), but I'm not sure if that's landed in production yet.

Thanks for the detail, I really like what I see with Persona so far.

I get the impression that verifying your email address only needs to be done once when you first sign up with Persona and create a password. When you use Persona to log in to a site for the first time in that browser, it prompts you for your Persona password and issues a certificate on success. If that certificate expires, I presume you would have to use your password again with Persona to get a new certificate.

I haven't found anything about manually revoking a cert, but I haven't looked either.

In the case of the Javascript shim, the certificates are stored in the browser's local storage. In Firefox (and I believe in most other browsers), this gets deleted when you clear cookies.

So you can do that before you leave that public computer, or you can use private browsing / incognito mode so that cookies and local storage stay in RAM and disappear when you exit.

Oh, This is perfect. Today was Persona implementation day for the project I'm working on and now this announcement comes. This is great for a developer area login.

As a user I definitely appreciate the emphasis of privacy first as well as its clear responsibility for identification. However, from how I see it on the surface, it currently doesn't have the market reach as, say, FB Connect or Google, and I don't want to "flood" my users with too many options for authentication. What's the practical arguments of rolling out my own authentication (Rails + Devise) vs using Personas?

It's available to any user with an email address -- you don't have to limit yourself to users that have, and are willing to use, a Facebook or Google account.

Versus rolling your own, you don't have the friction of account creation / password management for new user signups if the user has ever used Persona before, and we'll be dramatically improving first-contact before the end of the year. You can completely forget about storing passwords. You don't have to send email verifications or handle forgotten passwords.

Ah so true, email verifications and forgotten passwords can become a hassle. Thanks for the insight callahad.

What if I don't want a site to know my email address? I currently create unique email addresses for each site. How do I do that with Persona?

It looks like it'd be pretty easy to continue that practice -- just verify more than one email address, and pick the correct one when signing into each site. Try it here: http://myfavoritebeer.org/

Also, there are Mailinator-like services: https://mockmyid.com/

Exactly. And there's even this service that tries to automate this into Persona: https://github.com/nmalkin/janus

I'm fairly new to persona too, but when you "sign in" it lets you choose what email address to use.

I can not get Persona to work. I go to Mozilla developer network: https://developer.mozilla.org/en-US/ , see the login button and click on it and it redirects me back to the same page. I am using Firefox 15

The first run on MDN can be a little confusing.

Does it work for you on http://crossword.thetimes.co.uk/ ?

If not, we'd love to help identify your issue https://github.com/mozilla/browserid/issues/new

Yea - there was nowhere for me to sign up. I think the problem may be the pop-up did not work on Firefox. I used Chrome and was able to create an account and then everything worked. I also tested on IE8 and had some javascript error, but just hit refresh twice and was able to login.

That intro video really doesn't explain much. I know it takes 15 minutes to integrate into my site, and works with any browser, but I have no idea why I truly want to spend those 15 minutes doing so.

Perhaps making signing in to websites really simple, in a way that verifies the users email address to the site, isn't a good idea. Once it's widely adopted spammers will start using it.

I don't know if it's appropriate but can we list some of websites where one can login through browserID? I 'm a big fan of browserID, and would gladly beta test your integration.

Sure thing. In addition to many of Mozilla's own sites, here are some examples:

- Times Crossword: http://crossword.thetimes.co.uk/

- Openphoto: http://current.openphoto.me/

- Voost: https://www.voo.st/

Our test application is this notepad application: http://123done.org/ (which you can clone from github)

Been using it for a while on http://noteplz.com/ too

For those of you asking, you can find some more background on how BrowserID here:


This looks really great. Only problem I see is the lack of support for IE 6 and 7, and it seems they won't be in the future. Anybody knows why that is?

The Persona cross-browser support shim needs window.postMessage and the HTML5 storage APIs, which IE 7 doesn't have. Working around it didn't seem worth the security and maintainability cost to the codebase, nor the opportunity cost over working on other features.

Seems pretty interesting, though I have to say that watching only the introduction video gives you basically NO IDEA of what the product solves or how.

I wonder if this will be developed into a standard, or whether Mozilla will have to be the only ones operating this service.

Am I entirely missing something, but once a password is selected, is there no way to change it?

You can manage your account (e.g. change password, remove emails) by signing into https://login.persona.org .

Apparently you can by going to http://persona.org

I would love to see this working.

I dislike that a Google search for "Mozilla Persona" returns Firefox Personas first, meaning that Mozilla now has 'Persona' and 'Personas' projects that are totally and completely unrelated to one another.

Something has to give because if it confuses a Hacker News reader, it's going to go completely over the head of the average computer user.

Supposedly, end users will only face the "login with browserid" buttons. But yeah, i find the name change from browserid to Persona, as first time users will be confused.

the "check the documentation" link goes to https://developer.mozilla.org/it/Persona which 404s for me.

Maybe not redirecting based on user location by default is a good idea.

Odd it worked for me and redirected to https://developer.mozilla.org/en-US/docs/Persona

Doh, I'll update the MDN links to go to the en-US locale by default. Sorry about that :(

Beta? I've made my own persona years ago: http://www.getpersonas.com/en-US/persona/95515

Have the fixed the fact that it doesn't support autofilling passwords? That alone makes it more annoying than any captcha that I've ever had to fill out.

Find it hilarious that this got marked down and yet it's something Mozilla have spent the last week moving towards getting this fixed.

how does it work with multiple users using the same browser?

When you click the "Sign in with Persona" button on a website, the dialog that pops up has a "This is not me" button which logs out the current user and allows you to login with a different email.

Does Persona do MFA?

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact