In principle, Persona is great. Not storing passwords is awesome, a non-FB/Google/Twitter identity option is important.<p>I would encourage you, though, to look carefully at your login completion metrics. I implemented Persona on my site (<a href="http://www.sixquestions.co" rel="nofollow">http://www.sixquestions.co</a>) to have a pure email option and although users clearly prefer it, about 35% complete the Persona login flow successfully. That's 10 points lower than our next-worst performer (Twitter), and half the rate of our best performer (Facebook). For all the concerns people have with authorizing Facebook/Twitter access, that is (in my view) offset by the alien-ness of Persona's login flow. We've heard from lots of users that logging in with Persona is unusual and they thought they were doing something wrong because they'd never seen anything like that.<p>So, as much as I believe in Persona, I'm about to deploy a change that removes it entirely. It adds a lot of surface area to our testing and future development, but if it means we lose fewer users in their signup flow, it will be worth it.
Persona is an elegant, powerful idea that is 100% in the users interest. I dearly want to see it gain traction. Kudos for disseminating your enthusiasm.
I've been using Persona as my sole login mechanism on <a href="http://letscodejavascript.com" rel="nofollow">http://letscodejavascript.com</a> for over a year. I <i>want</i> to love it, but I don't.<p>The goals behind Persona are excellent: strong privacy protection and relieving website operators of cumbersome and error-prone authentication management. I love the idea. It's why I implemented Persona on my site.<p>The execution of Persona has been a bit wobbly. Logins are critical infrastructure and it doesn't feel like Mozilla is approaching Persona from that perspective. The team has been <i>fantastic</i> (thanks, callahad) but when things go wrong, it can take a long time for them to get resolved. Meanwhile, I'm left scrambling for a workaround.<p>An example: when the Yahoo bridge was implemented, it broke Persona for everyone who used a Yahoo alias [1]. A nasty break that returned a non-helpful error message. Something that serious merits an immediate rollback, in my opinion--but instead, it was left in place for several weeks until a interim solution was rolled out. The interim solution has some fairly serious UX problems, but the full solution has been open for 10 months now [2].<p>I want to love Persona, and I can't really afford the time required to do my own authentication, but it scares me that I'm so dependent on it.<p>[1] <a href="https://github.com/mozilla/persona-yahoo-bridge/issues/178" rel="nofollow">https://github.com/mozilla/persona-yahoo-bridge/issues/178</a><p>[2] <a href="https://github.com/mozilla/persona-yahoo-bridge/issues/201" rel="nofollow">https://github.com/mozilla/persona-yahoo-bridge/issues/201</a>
<i>Persona vouches for you when you sign in. Really neat, no more password leaking.</i><p>The important thing here is that as Persona protocol (BrowserID)'s creator, Mozilla really really wants someone else (potentially <i>YOU</i> the user) to run the Identity Bridge. Currently Mozilla does this for non-Gmail and non-Yahoo users too boost adoption. So when you sign up you are asked to give a new password on sign up. If you are paranoid, you should of course give a new password instead the one you use for your email (which I assume may be reused for multiple accounts...)<p>But being able to authenticate yourself on your own is what makes Persona useful.<p><i></i>edit<i></i>: at realworld crypto, this was given as a talk. This is Google's possible direction.<p><a href="http://www.ietf.org/proceedings/81/slides/tls-1.pdf" rel="nofollow">http://www.ietf.org/proceedings/81/slides/tls-1.pdf</a>
Biggest problem I have with Persona is one of it's main selling points; if you log in to one place you're logged into all the places. That may sound great, but it really isn't. It means that you can log out of a site because you don't want people sharing your machine to have access to it. You then log into a different, lower-security site. Instantly that first site is accessible again.<p>I wrote a whole thing on Persona a while back ( <a href="http://lepidllama.net/blog/trying-out-mozilla-persona-browserid/" rel="nofollow">http://lepidllama.net/blog/trying-out-mozilla-persona-browse...</a> ) but that ended up being the killer for me. It might be fine for activities like posting comments on a blog, but any site which stores or presents some aspect of who am I to the world needs to be a bit more secure than that!
I guess this is just a sign that I am getting crotchety, but headlines like this just anger me:<p><i>Why we love/like X, And why you should, too</i><p>My immediate reaction is always something along the lines of, don't presume to tell me why I should like anything. Tell me why <i>you</i> like it, and be done with it.
I love Persona! I created a demo MVC3 application using Persona for authentication and its fantastic from a developers perspective.<p><a href="https://github.com/sergiotapia/ASP.Net-MVC3-Persona-Demo" rel="nofollow">https://github.com/sergiotapia/ASP.Net-MVC3-Persona-Demo</a><p>Authentication is simple to implement and you don't worry about user password protection.<p>I'm surprised interest has died down for the project given how easy it is to use. Maybe Mozilla should market it more?
Persona is _awesome_. I use it on all my sites.<p>But it also proof that being awesome not only is not good enough to be successful, but simply doesn't matter. The user is not interested in a solution that is awesome, but one that doesn't scare him. And a big ugly third-party popup is as scary as stuff on the web gets these days.<p>Remember Ogg Vorbis?
But, this doesn't solve the issue that you're still trusting someone else with your secret (your password).<p>We need to move towards protocols like SRP[0] in general so that no matter where I'm logging in, noöne has my password.<p>[0]: <a href="http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol" rel="nofollow">http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol</a><p>EDIT: As ubernostrum points out, Persona is solving a different problem than SRP does. However, one of the reasons different identities (username/password combinations) are encouraged currently is because providers can't be trusted with the secret of your password.
Last time I looked into persona, it was essentially unusable for my usage - there's no reasonable way to use a different email address to sign up for every site. I like to know who leaked my email address when I start getting spammed.<p>Edit: looks like they <i>may</i> have have fixed it: <a href="http://support.mozilla.org/en-US/kb/how-do-i-manage-my-persona-account#w_how-do-i-add-another-email-address-to-my-persona-account" rel="nofollow">http://support.mozilla.org/en-US/kb/how-do-i-manage-my-perso...</a><p>Though I'm not sure if it remains usable with hundreds of email addresses.
I don't get why persona needs its own branding... Nobody knows what persona is. It should say login with Firefox. Did fb create a new brand for its login system? No it's just login with fb, same with literally every login service except freaking persona. Use your most popular brand instead of forcing all developers to evangelize a new brand. That's just not going to freaking work.
How many people here know BrowserID/Mozilla Persona was based on the <a href="http://swiftlogin.com" rel="nofollow">http://swiftlogin.com</a> project? <a href="http://www.youtube.com/watch?v=dGQYHOzLMUk" rel="nofollow">http://www.youtube.com/watch?v=dGQYHOzLMUk</a>
We use it at Mighty Spring (<a href="http://www.mightyspring.com" rel="nofollow">http://www.mightyspring.com</a>) and it's pretty good! The documentation around backend setup is a bit confusing and doesn't cover some corner cases (like testing on dev servers) but with enough hacking you can get it to work. The front end plugin I went with (<a href="https://github.com/altryne/browserID-jQuery" rel="nofollow">https://github.com/altryne/browserID-jQuery</a>) needed a bit of tweaking (to both the code and docs, which was submitted to them), but other than that, relatively easy setup.<p>Our site is uniquely targeted at developers, so I felt that using Persona as a login option was only natural.
I use it for <a href="http://www.4four.org" rel="nofollow">http://www.4four.org</a> and really like it.<p>The one small complaint I would have is that it would be great if (after initial setup) the login process was a bit faster. It should be quicker than the old-school username and password IMHO, but with the animations and latency on authentication it all seems to feel a bit sluggish. Especially as the cookie for it expires frequently - which is a bit shit for users of a forum where you're normally signed in until you decide otherwise.<p>This is still in my minor complaint box because I suspect there's tweaks I could do which I haven't had time to explore yet.
If you're like me and this is the first time you're hearing about this, and want to know more about the implementation, check the bottom of this page:<p><a href="https://developer.mozilla.org/en-US/Persona?redirectlocale=en-US&redirectslug=Persona" rel="nofollow">https://developer.mozilla.org/en-US/Persona?redirectlocale=e...</a><p>Edit: I've checked out the login process in the linked site, and it works well, but the popup window U/I seems like it's ripe for phishing attempts. It would be very easy to replicate the look of that window and fool people into thinking they're using Persona when they're not.
The FIDO alliance is the other major industry standard that is being started.
<a href="http://www.fidoalliance.org/" rel="nofollow">http://www.fidoalliance.org/</a>
We used Persona for <a href="http://bit.ly/blibonline" rel="nofollow">http://bit.ly/blibonline</a> - and one of the problems we faced was that we would have liked the registration process to let our users tell us the name / icon (avatar), which was missing in Persona then. Any news on the timeline for these additions to Persona? (OpenID gives those two elements from registration/usage)
I really like the idea of Persona, and it's very easy to integrate with your own site. However, it's still a bit unreliable. For example, clicking on the zonino login button just opened a mostly-blank page for me (white on the left, light grey on the right, with a pointy arrow in the middle; a bar at the bottom says "Mozilla Person...", but no way to log in.<p>If I do "F10 -> View -> Page Style -> No Style" I see various boxes, but it's not obvious how to proceed. I entered my email into the top-most box and tried clicking the "next", "sign in" and "OK" buttons, but none of them responded (there's also "continue", but that's greyed out). I think I had the same problem when I tried it last year.<p>Probably just some browser plugin issue, but would be nice if it were easier to debug... Works in Chromium though.
On of my biggest problems with Persona (and why I stopped using it almost exclusively) is that the popup dialog is badly designed. For instance it has email and password as two consecutive fields which confuses my password manager greatly with different accounts. Secondly does it not work at all for me on mobile devices.
Here is one of the reasons why I personally believe in and feel we really need persona: <a href="https://news.ycombinator.com/item?id=7133965" rel="nofollow">https://news.ycombinator.com/item?id=7133965</a>
The UK government is about to launch an Identity assurance scheme where different providers (Post Office etc) check your drivers license then give you an account hw in is then oauth'able<p>in short Facebook logins but with actual real names that like governments can trust<p>just saying that this might be the start of what usually happens to private companies colonising what turns out to be a public good
Shameless plug: I've made some code examples of how to integrate Persona with your site: <a href="https://github.com/workhere-io/personaexamples" rel="nofollow">https://github.com/workhere-io/personaexamples</a>. The examples are for Python (Flask) and PHP.
This doesn't work with JS disabled, with no indication that it doesn't work as intended (it just bounces the visitor back and forth between 2 pages).<p>Persona is very convenient for users, but it would be more secure to not trust a 3rd party.
> We think that Persona is a great attempt at improving usability, security and privacy...<p>We use Persona and love it. However, I wouldn't trust Persona for securing sensitive information. There seems to be no password requirements (at least when I checked months ago.)