Transitioning Persona to Community Ownership (identity.mozilla.com)
138 points by 6a68 on March 7, 2014 | hide | past | favorite | 61 comments

Persona is one of the Mozilla projects that best exemplifies why we need Mozilla. They're the only ones purely dedicated to the future of the open web. The only foreseeable future for the web today is one where two or three gatekeepers control user information with no way out. Persona seemed like the best way to prevent that future.

The services that they're switching their focus to are also crucial for the open web. Firefox needs them to be competitive, and the open web needs a competitive Firefox. But it feels like putting Persona on the backburner—especially when it comes to UI integration in the browser—is letting a pivotal moment pass us by, and I don't think identity on the open web will recover.

If you held a donation drive for Persona browser integration, the donations from Hacker News alone would fund it.

Mozilla does a great job promoting open web standards and Firefox is the one of the best footholds the community and industry have against hegemony and stagnation online.

However other organizations can and do work towards the same goals. I'm one of the creators of Tent[1] which shares a lot in common with Persona (including some community members) but is more ambitious in many ways.

In the Persona AAR Mozilla identified several reasons for Persona's failure to gain adoption[2] including that Persona "can't offer the same [as Facebook Connect] incentives (access to user data)". Tent's primary purpose is as a user data store and also supports features like address changes automatically (which Persona never did).

We were fans of and friendly with the Persona team, but I believe the best solutions to these problems will come from teams that aren't afraid to think bigger than Mozilla's strategy at the time allowed.

The work of federated identity solutions will continue on Tent and other projects, many of which are probably better suited for a wide variety of users and products than Persona would have been. Of course none of us have (or are likely to gain) the level of institutional (or financial) support that Persona had.

[1] https://tent.io

[2] https://wiki.mozilla.org/Identity/Persona_AAR

Okay, spammer...

> Persona "can't offer the same [as Facebook Connect] incentives (access to user data)"

That sounds like a feature. Gathering ever-creepier amounts of personal information to serve marginally-more-effective ads is a losing game.

> Okay, spammer...

Oh please, it's not as if Tent wasn't entirely germane to the topic of conversation. People plug their stuff all the time on HN, and as long as there's disclosure and it's relevant, I don't see the problem.

Also, you're missing the fact that users aren't the ones building services. A service that doesn't attract any services is useless to users. I'm not saying that Persona fits that description, but it's a fair point to bring up in terms of the spectrum between compromise and ideological pureness.

> That sounds like a feature.

It's not, really. It's more the absence of an undesirable cost -- which is an advantage to end users, only if they get the benefit, which is access to services. But if the services don't adopt it because alternative log-in schemes that offer them more (both in terms of pre-existing user base and data from that user base) then what it really offers users is a "single sign-on" with nothing to sign on to.

That's essentially a quote from the link he provided to Mozilla talking about why Persona didn't gain widespread adoption.

I'm not sure that the "need" you're talking about is a practical one, though. Maybe it's an ideological "need", at best. More than enough people and websites seem to be getting by just fine without using Persona.

I think if there truly was a pressing need for Persona, we would have seen it get adopted rapidly and quickly. That's exactly what happened with Firefox. That's also what happened with Thunderbird, although to a lesser extent.

Openness is ideal, but it also requires some demand for that openness. Open systems that aren't adopted are really quite useless.

That's nonsense - for thousands of years human civilisations have got on quite well without democracy or human rights. If there was a pressing need for equality and educating the Romans used to say, it would have happened by now.

We can always take the wrong path, and find it hard or impossible to get back.

We may see an end to a single globally compatible internet in our working lives, we may see an end to strong encryption on devices not years old. Any legal action against these ends is surely something to celebrate?

I never understood why Mozilla always talked about how great the future was going to be, when Persona would be part of web browsers.

But then never implemented it in Firefox, even as a default-off optional feature.

It looked very half-hearted, and that was a really bad signal to the world.

Mozilla Identity dev here. The reason for that was due to a large degree to time and priorities. We were close to shipping Persona preffed off in Firefox over 18 months ago. Then FirefoxOS came along and our focus was changed to implementing Persona as the sign-in system on the device (which we did; it's natively supported there). FirefoxOS has been a massive effort on behalf of the whole company, and it has diverted crucial resources from the Persona effort on desktop. Then we shifted our focus again to Firefox Accounts and revising Sync. A native implementation of Firefox Accounts should be landing in FirefoxOS 1.4. As a result, we have native BrowserID support (both Persona and Firefox Accounts use this protocol) in FirefoxOS and as a backbone in desktop Firefox. There is a lot of persona in Firefox right now, but sadly you can't see it. Despite these massive efforts, we still have not been able to land the last patches to surface this in the UI on desktop.

And you're right, it appears to send the message that Mozilla did not see enough importance in federated, user-controlled identity on the web to make sure it landed in the desktop browser. But Mozilla, like all organizations, has to balance its priorities. There's a lot going on, and the decision was made that other projects would take priority. I hope the decision is revised in the future.

If it looked half-hearted, I can assure you it was not from lack of effort or dedication from the team. We believe in Persona and poured our hearts into it.

Thanks for the info. I don't think anyone's accusing the Persona team of being half-hearted. Execution was great! But I will accuse Mozilla leadership of being tragically poor. It's nice to think about "sustainability" in a post-web world, but sustainability for Mozilla must start with Firefox. Mozilla is Firefox. And Mozilla has the billions to make it rock. So when resources are diverted away while there's still work to do, you should see red flags and look for better focus right away. When Apple was the iPod, we made damn sure it was the best possible iPod before anything else.

"And Mozilla has the billions to make it rock."

Really? What do you base that statement on?

They have a contract with Google that guarantees them $1B over 3 years.

1B is very little. I would focus on your other point:

So when resources are diverted away while there's still work to do, you should see red flags and look for better focus right away.

I'm not sure 1B is very little - it's thousands of programmer-years. It is weird to characterize 1B over 3 years as "billions" unless there are substantial funds coming from other sources.

That's the vast majority of Mozilla's income, you can check the publicly-available financials. It's small potatoes compared to the companies Mozilla competes against: Google, Apple, Microsoft.

Disclosure: the Identity team at Mozilla work for me.

tldr; we couldn't get it to work.

Let's get something straight first. I'm not a fan of excuses. Persona failed to achieve its goals, and I'd rather we own up to what it was good at, and what it failed at, learn from it, and keep fighting for better authentication on the internet because that's what matters. We play to win at Mozilla based on the principle that to have influence in a market, you need adoption. We're willing to play the long game when we have some line-of-sight to success, in other words, but it was clear that even if we had a team of 100 on Persona we were not going to see adoption.

Persona was never close to being shippable on desktop. It's true that we spent effort trying to make Persona work for Firefox OS, and that effort did not result in a fantastic on-device experience. Sign-in to web? Yes. Sign-in to device? Not so much. Federated login is really hard, unsurprisingly, for UX reasons as much or more than raw technology reasons. This is difficult stuff, and changing user expectations about how an "account" works is very, very difficult.

As the AAR linked to in this post iterates, there were a lot of factors involved in why Persona never took off, but most important was the 3-way cold-start due to needing large numbers of users, supporting IdPs (email providers), and many RPs (websites) before the system as a whole could get to critical mass. There was simply no evidence at all that adding a native implementation would have pushed any of the large IdPs (i.e. email providers) to support the system. In fact, the opposite is true; when we decided to start offering more Firefox services ourselves we effectively had the kinds of authentication/authorization challenges any large IdP would have and we found Persona unfit for our needs. (entropy generation as one example, covered in the FAQ)

We could have kept adding complexity to Persona to support Firefox/Mozilla specific use cases, but I believe we made the right call and let Persona focus on its core value prop - sign-in to the web with a verified email. We spent time and money to stabilize and fix inconsistencies in the API, and signed up to continue running the core secondary service for the Internet. We've invested heavily, and continue to invest in pushing identity on the web forward.

One last comment: It's important to note here that we did choose the underlying BrowserID protocol for use with Firefox accounts, incurring significant engineering cost (supporting your own authentication stack is not free), so that if we're successful in becoming a large IdP, we get a chance to fight this federation fight again without being in an adoption stalemate next time. Will that future system be exactly Persona? Almost certainly not -- we have to be willing to iterate the design and protocols until we've got something that works -- but we do believe that BrowserID/VEP is the right technology to be building from, and that we should let Persona continue to fulfill its current sweet spot for sign-in to the web for sites that love the way Persona works.

> "needing ... supporting IdPs (email providers)"

Over at FastMail we seriously looked into implementing Persona across the board. We're one of the bigger "small" email providers and we figured that it would be a good thing to get in on the ground floor if it succeeded, and have a(nother) feature to differentiate us from our competition, and to be able to give feedback on the system from the IdP perspective.

The hard requirement for HTTPS or DNSSEC is what raised the bar too high for us in the end (see https://github.com/mozilla/persona/issues/1523 for more info). Basically, the domain owner needs to securely delegate to the identity provider. Since we provide DNS and basic web hosting for most user domains, that means we have to provide HTTPS certificates for every domain we manage (and at least one IP per domain) or be able to serve proper DNSSEC records for every domain we manage (difficult when many registries we use still don't support it).

DNSSEC is something we're working towards, and I'd really like to have full support available this year. HTTPS without needing one IP per domain and multiple certificates is still not yet feasible, though there are specs gradually coming down the pipeline for it (DANE, DNA, POSH, etc). Without all this tech in place, Persona seems to be a non-starter for an IdP that wants to manage lots of domains.

I don't blame the Persona guys for this. I know they tried and they got a lot of it right, and should be applauded for that. Maybe the next round of federated authentication will work. I have no idea, but I know we'd still like to be involved, and we'll be watching the space with interest.
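The FastMail comment above boils down to one requirement: a hosted domain has to publish a delegation to its IdP, and a verifier may only trust that delegation if it was fetched over a channel an attacker cannot tamper with (HTTPS, or DNSSEC-signed DNS). The following is an added illustration of that resolution step, not code from Persona, FastMail or Mozilla. The well-known path, the "authority" key and the other field names follow the BrowserID support-document format as I recall it and should be treated as assumptions; every domain and document in it is constructed sample data.

```python
"""
Resolving BrowserID IdP delegation for a hosted domain (added example).

A verifier that wants to check a signed assertion for alice@example-customer.test
must first find out which IdP is allowed to vouch for that domain. The domain
publishes a support document; if it only contains "authority", the verifier
follows it to the named IdP. Because the chain decides who may sign for the
domain, each hop must be fetched over HTTPS (or found via DNSSEC), which is
exactly the cost the comment above describes for a provider hosting many domains.
"""
import json
from urllib.parse import urlparse

WELL_KNOWN_PATH = "/.well-known/browserid"   # assumed BrowserID discovery path
MAX_DELEGATION_HOPS = 5                      # bound the chain so a loop cannot hang the verifier

# Constructed sample: what an HTTPS GET of each domain's support document
# would return. plain.test deliberately has no https:// entry, modelling a
# customer domain for which the provider cannot serve a certificate.
SAMPLE_DOCUMENTS = {
    "https://example-customer.test" + WELL_KNOWN_PATH: json.dumps(
        {"authority": "mail.example.test"}),
    "https://mail.example.test" + WELL_KNOWN_PATH: json.dumps({
        "public-key": {"algorithm": "RS", "n": "<modulus omitted>", "e": "65537"},
        "authentication": "/persona/sign_in",
        "provisioning": "/persona/provision",
    }),
    "https://loop-a.test" + WELL_KNOWN_PATH: json.dumps({"authority": "loop-b.test"}),
    "https://loop-b.test" + WELL_KNOWN_PATH: json.dumps({"authority": "loop-a.test"}),
    "http://plain.test" + WELL_KNOWN_PATH: json.dumps({"authority": "mail.example.test"}),
}


def fetch_over_https(url, documents=SAMPLE_DOCUMENTS):
    """Stand-in for an HTTPS GET: refuses any non-https URL, since a support
    document obtained over plain HTTP could have been rewritten in transit."""
    if urlparse(url).scheme != "https":
        raise ValueError("support document must be fetched over HTTPS: %s" % url)
    body = documents.get(url)
    if body is None:
        raise LookupError("no support document served at %s" % url)
    return json.loads(body)


def resolve_idp(domain, documents=SAMPLE_DOCUMENTS):
    """Follow 'authority' delegations from `domain` to the IdP that holds the
    signing key. Returns (idp_domain, support_document) or raises."""
    seen = []
    current = domain
    for _ in range(MAX_DELEGATION_HOPS):
        if current in seen:
            raise ValueError("delegation loop: %s" % " -> ".join(seen + [current]))
        seen.append(current)
        doc = fetch_over_https("https://%s%s" % (current, WELL_KNOWN_PATH), documents)
        authority = doc.get("authority")
        if authority is None:
            # Terminal document: it must carry the key and both endpoints.
            missing = [k for k in ("public-key", "authentication", "provisioning")
                       if k not in doc]
            if missing:
                raise ValueError("%s: support document lacks %s" % (current, missing))
            return current, doc
        current = authority
    raise ValueError("delegation chain longer than %d hops" % MAX_DELEGATION_HOPS)


def resolution_outcome(domain, documents=SAMPLE_DOCUMENTS):
    """Convenience wrapper: ('ok', idp_domain) or ('error', reason)."""
    try:
        idp, _ = resolve_idp(domain, documents)
        return "ok", idp
    except (ValueError, LookupError) as exc:
        return "error", str(exc)


if __name__ == "__main__":
    for d in ("example-customer.test", "mail.example.test", "loop-a.test", "plain.test"):
        print("%-25s -> %s" % (d, resolution_outcome(d)))
```

The two failure branches are the ones that matter operationally: `plain.test` is rejected not because its document is wrong but because it was never reachable over HTTPS, which is the per-domain certificate cost FastMail describes, and the loop case shows why a verifier needs a hop limit and a visited set before following delegations it cannot control.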

The above text, as-is, REALLY needs to go into the linked FAQ. Thank you!

Did the FirefoxOS Persona stack move away from having an iframe point at a remote location at some point? I mean, the API was still in flux, as far as I know (last thing I heard was lloyd's blog post in January; it seems to be mostly FxA since). If the core transport can't get narrowed down, people can't actually federate with it.

We implemented it in b2g aka FirefoxOS and the user experience is quite nice there. I agree that it should have been done on firefox desktop too.

Without it being an established W3C standard I think it would be disingenuous to integrate it into the browser. Despite its obvious benefits, it would feel like they're using their browser as a platform to push other products. Until it saw widespread adoption I think implementing it as a browser extension/add-on would be more appropriate.

The implementation of Firefox contains countless things which are not W3C standards.

Where do you think new standards come from?

w3c standards are for what gets rendered by Gecko. The browser itself has many things that do not involve w3c at all (search box, bookmarks, sync, etc.)

When you say implement in Firefox, did you mean instead of a popup, Firefox simply display an integrated login button in the browser?

Yes, without any Javascript, real native chrome.

One thing I want to add right off the bat: we're going to build new features, where "we" is some of the people who used to get paid to work on Persona + some people in the community.

We'd love help! There are some get involved links at the bottom of our MDN page: https://developer.mozilla.org/en-US/Persona

As a former Mozilla intern who worked directly with the Identity team on a daily basis last summer, I can say that this indeed hits close to home, though not unexpectedly so. I could see this coming. The Identity team has so many weird and wonderful things on the way for the broader Firefox audience that transitioning it to the community only makes sense.

I for one can't wait to see what the open source and HN community does with Persona and also can't wait to see what comes out of the Identity team as a result of this transition of focus.

Personally I think it's great that something like Persona exists. When Youtube switched over to require Google login, my comments started posting under my GMail username without any warning. When I sign into something with my Facebook account, the app will most likely ask me to invite all my friends to try out the app or post about it to my wall.

An SSO that provides no information other than a confirmed email would be ideal for user privacy, but app developers implementing SSO stand to benefit from the existing social network data of their users, and subsequently exclude Persona from their SSO options.

Does it really exist if no one uses it?

Yes, aka UNREALIZED demand.

Persona was launched in July 2011. It has gotten a fair amount of publicity in that time. Yet the adoption rates among websites and users are still very, very low.

I just don't think that there's any significant demand for this product, realized or unrealized. People know about it, and people could choose to use it, but doing so would likely not make them sufficiently better off.

Maybe that's not ideal, from an ideological standpoint or when it comes to "openness". But I think it is the, perhaps unfortunate, reality. It really doesn't make sense to endlessly waste resources on a product that has been proven to be unwanted, or at least not valuable enough to use.

Persona was launched in July 2011. It's been two and a half years, and they still haven't declared it safe to actually verify anything locally; you're still supposed to load a random Javascript file from their domain that will spawn a window with their contents.

I'd have thought the whole point was to target people who didn't want a centralized system.

This sounds like a bit of cop-out, but, maybe it has a brighter future than it seems.

I hope the Google and Yahoo bridges are reconsidered. On paper they're a good idea but in practice, they add further complication and confusion to a concept that's already alien to most users.

Agreed. I recently had someone who refused to sign in (after paying for a subscription!) because they thought I was asking for their Gmail password. He ended up changing his account to a different email address specifically so he wouldn't go through the Google bridge.

Persona is a great idea on paper, but my outsider's perspective is that it has been very very challenging to implement in practice. The BrowserID protocol works great. User experience and login state management has been a bumpy ride.

My site (letscodejavascript.com) relies solely on Persona, so I hope it thrives, but I can't help being worried at this announcement.

I'm a little confused at how the process could be any clearer. Just trying to register on your site, I'm asked to enter my email address. Upon providing a gmail address, I'm redirected to a Google OpenID page. It specifically says that your site will be granted access to my email address, no more. By clicking yes (without being asked to enter my password anywhere) I'm authenticated.

I've never used a more simple SSO system before.

Thanks for the kind words! For most people, it works exactly like you described. Unfortunately, there are some rough corner cases for folks with multiple Gmail addresses, and the experience is less-than-stellar if you're not logged into Google at all when you start.

(We do have patches ready for those issues. They'll go live as soon as we work out some deployment kinks and finish upgrading our production servers to Node 0.10.)

Is it documented that there are some rough cases that are still being worked on? Diving off from https://developer.mozilla.org/en-US/Persona I don't seem to see a summary of the real world state of play.

(Just mentioning this as I think it might help adoption if the project is more upfront about rough edges.)

The projects are on GitHub:

The main Persona project: https://github.com/mozilla/persona

The Gmail bridge: https://github.com/mozilla/persona-gmail-bridge

The Yahoo bridge: https://github.com/mozilla/persona-yahoo-bridge

(I'm not affiliated with the project, just a long-time user.)

Perhaps I have miscommunicated.

I was asking why there is not (or at least not that I've found) a summary of the state of play in a prominent place.

I could have read through several hundred issues to determine that I'd run into some rough edges with these bridges and that perhaps I should come back later. Instead I find these rough edges when I dive in, and now I wonder what other shortcomings are not being mentioned with the same gusto as the project's wins.

I hope that clarifies my prior post.

>I've never used a more simple SSO system before.

really? you've never seen the countless amount of "connect with <facebook|google|yahoo>" using oauth?

They have one step less, are totally not federated, don't allow you to use your own email and have a bunch of downsides for the user. But they are simpler.

(also, I remember logging in with yahoo/google email+openid years ago, that was exactly as simple)

I don't use Facebook or Yahoo, and wouldn't trust either of them to authenticate with a site.

But you trust Google, which I listed in my previous comment. Also, OpenID+email worked the same way with custom domains years ago.

I do not understand your reply, sorry.

I had an idea they were going to kill Persona.

Without Mozilla to really champion it, it's dead

edit: so, anyone have a near alternative, that is open source, to invest time into that either will get browser uptake, or won't need it?

I disagree. Persona piggybacks on the email system so it doesn't need a critical mass of users to be useful. Persona as a brand may not become widely recognizable with limited involvement from Mozilla, but some people argued from the beginning that it was a mistake that Mozilla tried to create a recognizable brand. The team succeeded at creating a smooth email verification system. As long as Mozilla keeps servers running, quickly solves security issues and accepts patches with improvements from the community, Persona will be used. I strongly believe it will organically grow and eventually will become a crucial part of the open web.

I'm curious as to why you think Persona, which is Free & Open Source Software, can't be that alternative?

As an early supporter I find this really sad. Persona is as good as dead without a big name behind it like Mozilla.

We don't deserve a technology as good as Persona.

The phrase "transitioning to community ownership" - which always means "we are dumping this" - is too odiously weasely for an otherwise respectable organisation such as Mozilla, and I do wish they'd stop using it.

I think the landing page needs more work.

Show me how to integrate it with a simple code snippet on the front page (and if it's not simple.. it needs to be). Honestly my eyes glazed over a little bit looking at the implementation details. Clearly it's not that hard, but the second thing is motivation which leads to..

Show me a video on the front page of how simple it is for users to login, and how any server can act as the authentication provider. It's too hard to understand the need.

I guess these are just personal suggestions but I think UX is the only thing holding Persona back.

I find the blog disingenuous. We haven't forgotten this: https://news.ycombinator.com/item?id=7243021 . Why not take another stab based on what you learned?

That exact link (the Persona AAR) is in the blog entry. It's in the FAQ under "Why has Mozilla stopped funding new feature development on Persona?"

That's why I can't use Mozilla tech: lots of projects started, few finished (XULRunner? Tamarin? ...). Nobody is going to use Persona now.

I sincerely hope that's not the case. Mozilla Corporation is still using Persona internally, and still deploying new sites and services that rely on it. We think it's absolutely great for when you need simple, email-based authentication, and we're still fully supporting it.

(PS: Because it's email based, there's absolutely no lock in. Want to migrate away from Persona? Just add a password column to your database. But we hope it won't come to that.)

There's no lock in, but migrating away from Persona isn't quite that simple. You still have to educate users about the switch ("make a new password, and by the way, don't use your Persona password!"), then implement everything Persona provides: login form, password change form, email authentication, ...

If Mozilla did migrate away from persona, would the staff become less familiar with the details over time thus making the best effort support being offered by the community in sumo and being talked about here: https://support.mozilla.org/en-US/forums/contributors/710099

My question for you all is what do you think could be supported once it has been deprecated?

You have to be willing to lose in life. It's unrealistic to expect all hits all the time. If some organization or open source project seems too perfect, look for a "memory hole" where their negative results get flushed.

So XULRunner and Tamarin did not pan out. But we have lots of hits, some still ramping up: Firefox, Firefox OS, Gecko, Servo, Rust, Fennec, various SpiderMonkey iterations including OdinMonkey for Emscripten/asm.js, PDF.js, Shumway.

Negative results are important in science, as roc blogged once (he cited a "Journal of Negative Results", in one of the physical sciences I think). Let's learn from them and make better results, not deny that they happen or keep on banging heads against stout oak trees....

For me, XULRunner is a big success. I use it to run my own xul-based file manager (https://addons.mozilla.org/en-us/firefox/addon/fire-commande...) and I definitely want this tech to stay alive and rocking!

Fair enough, and godspeed. But it's not a product, and it won't be a big consumer platform. We've fed "XUL, the good parts" into the web standards, e.g., flexible box in CSS; and still are, e.g., Web Components.

Tldr; Persona is dead
