The services that they're switching their focus to are also crucial for the open web. Firefox needs them to be competitive, and the open web needs a competitive Firefox. But it feels like putting Persona on the backburner—especially when it comes to UI integration in the browser—is letting a pivotal moment pass us by, and I don't think identity on the open web will recover.
If you held a donation drive for Persona browser integration, the donations from Hacker News alone would fund it.
However other organizations can and do work towards the same goals. I'm one of the creators of Tent which shares a lot in common with Persona (including some community members) but is more ambitious in many ways.
In the Persona AAR Mozilla identified several reasons for Persona's failure to gain adoption including that Persona " can't offer the same [as Facebook Connect] incentives (access to user data)". Tent's primary purpose is as a user data store and also supports features like address changes automatically (which Persona never did).
We were fans of and friendly with the Persona team, but I believe the best solutions to these problems will come from teams that aren't afraid to think bigger than Mozilla's strategy at the time allowed.
The work of federated identity solutions will continue on Tent and other projects, many of which are probably better suited for a wide variety of users and products than Persona would have been. Of course none of us have (or are likely to gain) the level of institutional (or financial) support that Persona had.
> Persona " can't offer the same [as Facebook Connect] incentives (access to user data)"
That sounds like a feature. Gathering ever-creepier amounts of personal information to serve marginally-more-effective ads is a losing game.
Oh please, it's not as if Tent wasn't entirely germane to the topic of conversation. People plug their stuff all the time on HN, and as long as there's disclosure and it's relevant, I don't see the problem.
Also, you're missing the fact that users aren't the ones building services. A service that doesn't attract any services is useless to users. I'm not saying that Persona fits that description, but it's a fair point to bring up in terms of the spectrum between compromise and ideological pureness.
Its not, really. Its more the absence of an undesirable cost -- which is an advantage to end users, only if they get the benefit, which is access to services. But if the services don't adopt it because alternative log-in schemes that offer them more (both in terms of pre-existing user base and data from that user base) then what it really offers users is a "single sign-on" with nothing to sign on to.
I think if there truly was a pressing need for Persona, we would have seen it get adopted rapidly and quickly. That's exactly what happened with Firefox. That's also what happened with Thunderbird, although to a lesser extent.
Openness is ideal, but it also requires some demand for that openness. Open systems that aren't adopted are really quite useless.
We can always take the wrong path, and find it hard or impossible to get back.
We may see an end to a single globally compatible internet in our working lives, we may see an end to strong encryption on devices not years old. Any legal action against these ends is surely something to celebrate?
But then never implemented it in Firefox, even as a default-off optional feature.
It looked very half-hearted, and that was a really bad signal to the world.
And you're right, it appears to send the message that Mozilla did not see enough importance in federated, user-controlled identity on the web to make sure it landed in the desktop browser. But Mozilla, like all organizations, has to balance its priorities. There's a lot going on, and the decision was made that other projects would take priority. I hope the decision is revised in the future.
If it looked half-hearted, I can assure you it was not from lack of effort or dedication from the team. We believe in Persona and poured our hearts into it.
Really? What do you base that statement on?
So when resources are diverted away while there's still work to do, you should see red flags and look for better focus right away.
tldr; we couldn't get it to work.
Let's get something straight first. I'm not a fan of excuses. Persona failed to achieve its goals, and I'd rather we own up to what it was good at, and what it failed at, learn from it, and keep fighting for better authentication on the internet because that's what matters. We play to win at Mozilla based on the principle that to have influence in a market, you need adoption. We're willing to play the long game when we have some line-of-sight to success, in other words, but it was clear that even if we had a team of 100 on Persona we were not going to see adoption.
Persona was never close to being shippable on desktop. It's true that we spent effort trying to make Persona work for Firefox OS, and that effort did not result in a fantastic on-device experience. Sign-in to web? Yes. Sign-in to device? Not so much. Federated login is really hard, unsurprisingly, for UX reasons as much or more than raw technology reasons. This is difficult stuff, and changing user expectations about how an "account" works is very, very difficult.
As the AAR linked to in this post iterates, there were a lot of factors involved in why Persona never took off, but most important was the 3-way cold-start due to needing large numbers of users, supporting IdPs (email providers), and many RPs (websites) before the system as a whole could get to critical mass. There was simply no evidence at all that adding a native implementation would have pushed any of the large IdPs (i.e. email providers) to support the system. In fact, the opposite is true; when we decided to start offering more Firefox services ourselves we effectively had the kinds of authentication/authorization challenges any large IdP would have and we found Persona unfit for our needs. (entropy generation as one example, covered in the FAQ)
We could have kept adding complexity to Persona to support Firefox/Mozilla specific use cases, but I believe we made the right call and let Persona focus on its core value prop - sign-in to the web with a verified email. We spent time and money to stabilize and fix inconsistencies in the API, and signed up to continue running the core secondary service for the Internet. We've invested heavily, and continue to invest in pushing identity on the web forward.
One last comment: It's important to note here that we did choose the underlying BrowserID protocol for use with Firefox accounts, incurring significant engineering cost (supporting your own authentication stack is not free), so that if we're successful in becoming a large IdP, we get a chance to fight this federation fight again without being in an adoption stalemate next time. Will that future system be exactly Persona? Almost certainly not -- we have to be willing to iterate the design and protocols until we've got something that works -- but we do believe that BrowserID/VEP is the right technology to be building from, and that we should let Persona continue to fulfill its current sweet spot for sign-in to the web for sites that love the way Persona works.
Over at FastMail we seriously looked into implementing Persona across the board. We're one of the bigger "small" email providers and we figured that it would be a good thing to get in on the ground floor if it succeeded, and have a(nother) feature to differentiate us from our competition, and to be able to give feedback on the system from the iDp perspective.
The hard requirement for HTTPS or DNSSEC is what raised the bar too high for us in the end (see https://github.com/mozilla/persona/issues/1523 for more info). Basically, the domain owner needs to securely delegate to the identity provider. Since we provide DNS and basic web hosting for most user domains, that means we have to provide HTTPS certificates for every domain we manage (and at least one IP per domain) or be able to serve proper DNSSEC records for every domain we manage (difficult when many registries we use still don't support it).
DNSSEC is something we're working towards, and I'd really like to have full support available this year. HTTPS without needing one IP per domain and multiple certificates is still not yet feasible, though there are specs gradually coming down the pipeline for it (DANE, DNA, POSH, etc). Without all this tech in place, Persona seems to be a non-starter for a IdP that wants to manage lots of domains.
I don't blame the Persona guys for this. I know they tried and they got a lot of it right, and should be applauded for that. Maybe the next round of federated authentication will work. I have no idea, but I know we'd still like to be involved, and we'll be watching the space with interest.
We'd love help! There are some get involved links at the bottom of our MDN page: https://developer.mozilla.org/en-US/Persona
I for one can't wait to see what the open source and HN community does with Persona and also can't wait to see what comes out of the Identity team as a result of this transition of focus.
An SSO that provides no information other than a confirmed email would be ideal for user privacy, but app developers implementing SSO stand to benefit from the existing social network data of their users, and subsequently exclude Persona from their SSO options.
I just don't think that there's any significant demand for this product, realized or unrealized. People know about it, and people could choose to use it, but doing so would likely not make them sufficiently better off.
Maybe that's not ideal, from an ideological standpoint or when it comes to "openness". But I think it is the, perhaps unfortunate, reality. It really doesn't make sense to endlessly waste resources on a product that has been proven to be unwanted, or at least not valuable enough to use.
I'd have thought the whole point was to target people who didn't want a centralized system.
I hope the Google and Yahoo bridges are reconsidered. On paper they're a good idea but in a practice, they add further complication and confusion to a concept that's already alien to most users.
Persona is a great idea on paper, but my outsider's perspective is that it has been very very challenging to implement in practice. The BrowserID protocol works great. User experience and login state management has been a bumpy ride.
I've never used a more simple SSO system before.
(We do have patches ready for those issues. They'll go live as soon as we work out some deployment kinks and finish upgrading our production servers to Node 0.10.)
(Just mentioning this as I think it might help adoption if the project is more upfront about rough edges.)
The main Persona project: https://github.com/mozilla/persona
The Gmail bridge: https://github.com/mozilla/persona-gmail-bridge
The Yahoo bridge: https://github.com/mozilla/persona-yahoo-bridge
(I'm not affiliated with the project, just a long-time user.)
I was asking why there is not (or at least not that I've found) a summary of the state of play in a prominent place.
I could have read through several hundred issues to determine that I'd run into some rough edges with these bridges and that perhaps I should come back later. Instead I find these rough edges when I dive-in, and now I wonder what other shortcomings are not being mentioned with the same gusto as the projects wins.
I hope that clarifies my prior post.
really? you've never seen the countless amount of "connect with <facebook|google|yahoo>" using oauth?
They have one step less, are totally not federated, don't allow you to use your own email and have a bunch of downsides for the user.
But they are simpler.
(also, I remember logging in with yahoo/google email+openid years ago, that was exactly as simple)
I do not understand your reply, sorry.
Without Mozilla to really champion it, it's dead
edit: so, anyone have a near alternative, that is open source, to invest time into that either will get browser uptake, or won't need it?
Show me how to integrate it with a simple code snippet on the front page (and if it's not simple.. it needs to be). Honestly my eyes glazed over a little bit looking at the implementation details. Clearly it's not that hard, but the second thing is motivation which leads to..
Show me a video on the front page of how simple it is for users to login, and how any server can act is the authentication provider. It's too hard to understand the need.
I guess these are just personal suggestions but I think UX is the only thing holding Persona back.
(PS: Because it's email based, there's absolutely no lock in. Want to migrate away from Persona? Just add a password column to your database. But we hope it won't come to that.)
My question for you all is what do you think could be supported once it has been depreciated?
So XULRunner and Tamarin did not pan out. But we have lots of hits, some still ramping up: Firefox, Firefox OS, Gecko, Servo, Rust, Fennec, various SpiderMonkey iterations including OdinMonkey for Emscripten/asm.js, PDF.js, Shumway.
Negative results are important in science, as roc blogged once (he cited a "Journal of Negative Results", in one of the physical sciences I think). Let's learn from them and make better results, not deny that they happen or keep on banging heads against stout oak trees....