
Mozilla Persona _should_ have been the successor to OpenID. It solves almost all of the problems with OpenID, which were:

1) The NASCAR problem. Arrive at a page for a site you signed up for with OpenID and be totes confused: which "openId" did I use for this site?

2) The privacy leak: If you used your Google OpenID, now Google knows that you logged into someotherplace.com with your "openid".

3) The ID problem. Wait, what? Yeah, like, how does someone keep track of which "openid" ID is "me".

The final problem is that not many people will write a full implementation of it other than the big players like Mozilla itself or Google or Microsoft. And the latter two don't have a ton of incentive to do so.




So, how do we revive Persona? I mean, it's still around, but it's been kind of back-burnered by Mozilla.

The odd thing is that I didn't even know it existed until this whole conversation about Google dropping OpenID came up...and I use Firefox as my browser across all my devices, I use sync, I use Thunderbird, I follow the Firefox OS development with interest, and yet, I had no idea Persona was a thing.

I've always been uncomfortable with Google and Facebook being my "identity" provider, and I've been equally uncomfortable with the fact that they would happily provide those authentication services but won't accept them (i.e. I can login to thousands of services using my Google or Facebook account, but I can't login to Google or Facebook with any other service account). I simply don't like Google and Facebook owning my online life, but the convenience of it often trumps the ethical and privacy implications. I have, thus far, avoided integrating Google or Facebook logins on my sites because of the ethical implications, but I hate making my users keep up with passwords and usernames.

Why aren't more websites supporting Persona?

For my part, I plan to integrate Persona into the next version of my company website launching early this year, as well as our wiki and blogs. I may even try to figure out how to fit it into our products, somehow.

I found the following, seemingly maintained, extensions for Persona support in the apps I use for the websites I maintain:

https://www.drupal.org/project/persona

https://wordpress.org/plugins/browserid/

https://www.mediawiki.org/wiki/Extension:Persona


I wrote a Mozilla Persona integration in Clojure with Tom Marble (of OpenJDK evangelist fame at Sun) and friends at the Clojure.MN meetup a few years ago, here:

https://github.com/tmarble/nongrata.

It was actually a snap to implement. I did most of the coding and it took me maybe a few hours total, and I had NO idea what I was doing at the time. So if you want to USE Persona or integrate with Mozilla's implementation, there's nothing stopping you.

Writing the full stack of a Persona implementation is a many-week to several-month job for a half-dozen-member team, not only for development but from an infosec point of view.


On the provider side of the equation, I wrote an "identity provider as a service" app that you can just drop in to your existing domain by adding a single file:

https://persowna.net/

It allows all your users to log in to Persona-supporting sites with their @yourdomain.com address, bypassing the bridge, and supports various nifty features like catch-alls, two-factor auth, etc.


Tom Marble is a great guy. Thanks for making this!


> So, how do we revive Persona? I mean, it's still around, but it's been kind of back-burnered by Mozilla.

Push for it. Implement it anyway. Work on it and write to Mozilla giving your thoughts about it. Whenever authentication is mentioned on HN, write about Persona and why it's still relevant.

That's the best you and I can do. Best of luck, we'll need it...


> So, how do we revive Persona? I mean, it's still around, but it's been kind of back-burnered by Mozilla.

Come up with a way to market it that makes sense to your mother in under 10 seconds. The "why the heck is this better than the Facebook button" is something Mozilla marketing couldn't crack, and until that gets solved you can't get the "who the heck is Bruce Schneier" crowd to switch.


Users are not the ones that Persona needs to be marketed to. Users will click whatever the website presents to them.


   The final problem is that not many people will write a full implementation of
   it other than the big players like mozilla itself or Google or Microsoft.
   And the latter two don't have a ton of incentive to do so.
When I see such a proliferation (I looked at one architecture image of OpenID Connect and was shocked), then I am reminded of SOAP, and I again think that one reason might be to hold smaller players at bay -- and to give the bigger players an advantage. For Facebook, Amazon or any other big internet company, it is really easy to implement even a big stack of software with complicated architectures and many features -- but for a four-person start-up it is a big problem.


Honestly, if you already have a working OAuth2 server implementation, adding OpenID Connect support to it is not difficult. For oauth2-server-php, the OpenID Connect extension is a few hundred lines.

On the client side, there's a glut of OpenID Connect implementations for various languages, or you could outsource it to the likes of mod_auth_openidc for Apache, or a node.js proxy using Passport, or whatever you'd like.

Once a user is authenticated, which can be handled by the libraries just fine, the rest of the data model is simply OAuth2 and a key/value list of claims about the user. I'm not sure how anything is pushing smaller players out, so long as those players are willing to use MIT (or equivalent) licensed code?
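The "OAuth2 plus a key/value list of claims" model above is where the security-relevant checks on the client side live. As an added example (not code from any of the commenters or from oauth2-server-php), this validates the claims of an ID token the way OpenID Connect Core section 3.1.3.7 prescribes; `ISSUER` and `CLIENT_ID` are constructed configuration values, and signature verification is assumed to have been done already by the JOSE library.

```python
"""Validate the claims of an OpenID Connect ID token (after signature verification)."""
import time
from typing import Optional

# Values a relying party knows from its own configuration (constructed for this example).
ISSUER = "https://issuer.example.com"
CLIENT_ID = "blog-client"


def validate_id_token_claims(claims: dict, expected_nonce: Optional[str],
                             now: Optional[int] = None, skew: int = 60) -> Optional[str]:
    """Return the 'sub' claim if the token was issued for us and is still valid, else None."""
    now = int(time.time()) if now is None else now
    # iss: the token must come from the provider we configured, compared exactly.
    if claims.get("iss") != ISSUER:
        return None
    # aud: a string or a list; our client_id must be in it.
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else aud
    if not isinstance(aud_list, list) or CLIENT_ID not in aud_list:
        return None
    # azp: required when there are several audiences, and must name us when present.
    azp = claims.get("azp")
    if len(aud_list) > 1 and azp is None:
        return None
    if azp is not None and azp != CLIENT_ID:
        return None
    # exp / iat: seconds since the epoch, with a small clock-skew allowance.
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now - skew:
        return None
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + skew:
        return None
    # nonce: binds the token to the session that started the flow (replay defence).
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        return None
    sub = claims.get("sub")
    return sub if isinstance(sub, str) and sub else None
```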


I added persona login to Simple (a Python blog I maintain). It was super simple and painless[1], much better than the basic-auth I was using before. This makes me wonder why nobody is using it - is it a marketing issue?

1. https://github.com/orf/simple/blob/master/simple/app.py#L381
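The step that makes a Persona integration safe is the relying party's handling of the verifier's answer, in particular the audience check. As an added example (not the Simple blog's own code), this builds the form body posted to Mozilla's documented remote verifier and validates the JSON it returns; `EXPECTED_AUDIENCE` is a constructed origin, and the HTTP transport is left to the caller.

```python
"""Validate a Mozilla Persona verifier response before creating a session."""
import json
import re
import time
from typing import Optional

# Remote verifier endpoint documented by Mozilla for Persona (the service has since been retired).
VERIFIER_URL = "https://verifier.login.persona.org/verify"

# The audience is this site's own origin (scheme://host:port). It must come from server
# configuration, never from the request, or an assertion minted for another site is accepted.
EXPECTED_AUDIENCE = "https://blog.example.com:443"   # constructed example origin

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_verify_request(assertion: str, audience: str = EXPECTED_AUDIENCE) -> dict:
    """Form fields the relying party POSTs to VERIFIER_URL."""
    return {"assertion": assertion, "audience": audience}


def extract_verified_email(response_body: str, now_ms: Optional[int] = None,
                           audience: str = EXPECTED_AUDIENCE) -> Optional[str]:
    """Return the verified e-mail address, or None if any check fails."""
    try:
        data = json.loads(response_body)
    except ValueError:
        return None
    if data.get("status") != "okay":
        return None
    # Exact match only: a prefix or host-only comparison would let
    # https://blog.example.com.attacker.example pass.
    if data.get("audience") != audience:
        return None
    # 'expires' is milliseconds since the epoch.
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    expires = data.get("expires")
    if not isinstance(expires, int) or expires <= now_ms:
        return None
    email = data.get("email")
    if not isinstance(email, str) or not EMAIL_RE.match(email):
        return None
    return email
```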


I am using it. Now, does anyone know what will happen to Gmail users once this is switched off, when it comes to Persona?


It will probably just fall back to the bridge again. It'll be less convenient, sadly, but that's about it.


Persona is/was great. It's hard to get a grassroots/delegated identity service off the ground when everyone has a Facebook/Google account (and doesn't understand the privacy tradeoff). The lack of support for delegation (the original use case for OAuth) was also a problem.


I don't believe Mozilla gave it a good go, though. Hell, we didn't even get native Firefox support for it, which was planned from the beginning. They just sort of gave up on it.





