
Persona, the protocol, doesn't actually rely on your email account's password. It uses the domain from your email account to figure out how to authenticate you; if you want to use some other way than via your email, that's fine.


That's correct. However, the security of any Persona-enabled site is tied to your email account's security through Persona "forgot password".

This is my concern; a compromised email account means a compromise of your account on every Persona-enabled site.


> … through Persona "forgot password".

That’s just how their fallback provider works. BrowserID — the protocol — does not rely on email in any way. There’s no guarantee that if you have a valid assertion for joe@dns.tld there’s also an email account by that name.
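The chain the comments above describe, as an added toy model rather than Mozilla's own code: the relying party picks its trust root from the address's domain (the domain's own IdP if it publishes a support document, otherwise the fallback provider) and never touches a mailbox. It assumes constructed domains, keys and addresses, and stands in HMAC shared secrets for the RSA/DSA keys the real protocol uses.

```python
import base64, hashlib, hmac, json
# Added toy model of the BrowserID (Persona) verification chain, not Mozilla's code.
# Signatures are HMACs under per-party secrets standing in for the real protocol's
# RSA/DSA keys, so every "key" here is a shared secret. All values are constructed.
FALLBACK_IDP = "login.persona.org"

def _enc(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def _dec(s):
    return json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))

def sign(payload, key):
    body = _enc(payload)
    return body + "." + hmac.new(key.encode(), body.encode(), hashlib.sha256).hexdigest()

def verify_sig(token, key):
    body, sig = token.split(".")
    expected = hmac.new(key.encode(), body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return _dec(body)

def verify_backed_assertion(backed, audience, now, support_docs, fallback_key):
    """support_docs maps a domain to the key it publishes at /.well-known/browserid."""
    cert_tok, assertion_tok = backed.split("~")
    claimed = _dec(cert_tok.split(".")[0])  # untrusted until the signature is checked
    domain = claimed["principal"]["email"].rsplit("@", 1)[1]
    # The trust root is picked by the address's domain: its own IdP if it publishes a
    # support document, otherwise the fallback IdP. No mailbox is ever contacted.
    expected_issuer = domain if domain in support_docs else FALLBACK_IDP
    if claimed["iss"] != expected_issuer:
        raise ValueError("certificate issued by untrusted IdP " + claimed["iss"])
    cert = verify_sig(cert_tok, support_docs.get(domain, fallback_key))  # IdP binds email to key
    assertion = verify_sig(assertion_tok, cert["key"])  # user proves possession of that key
    if assertion["aud"] != audience:
        raise ValueError("assertion minted for another site: " + assertion["aud"])
    if now > min(cert["exp"], assertion["exp"]):
        raise ValueError("expired")
    return cert["principal"]["email"]

def make_backed(email, issuer, idp_key, user_key, audience, now):
    """What the browser sends: the IdP-signed certificate, then the user-signed assertion."""
    cert = sign({"iss": issuer, "exp": now + 3600, "key": user_key,
                 "principal": {"email": email}}, idp_key)
    return cert + "~" + sign({"aud": audience, "exp": now + 120}, user_key)

if __name__ == "__main__":  # constructed example.org IdP vouching for joe@example.org
    docs, rp = {"example.org": "example-org-idp-secret"}, "https://rp.test"
    print(verify_backed_assertion(make_backed("joe@example.org", "example.org",
          docs["example.org"], "browser-key", rp, 1000), rp, 1000, docs, "fallback-secret"))
```

A domain that publishes no support document is accepted only on the fallback IdP's say-so, which is exactly where the fallback's "forgot password" flow enters the trust chain.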


The password that I create when I set up Persona is for what exactly? It doesn't seem to be used at all after the creation of a persona.


If you log out, that's the password you'll use to log in again. The login session is good for a while so you can continue to log in with already-authenticated identities (and you can have as many as you want) on Persona-enabled sites.


Thanks for clarifying. I was assuming that was the case, but the login/creation page needs to have a graphic or a narrative talking about what it does and how the process works a bit more before it reaches a more public audience. As a software developer I had an idea of how the thing worked, but it wasn't spelled out enough. I understand that it's beta, but the whole thing is weakly documented from a user's standpoint as to why it should be trusted.
