[shardling]

For most people, they already use an email account to authenticate. Pretty much every single login I have, someone with access to my primary email account could co-opt with the snap of their fingers.

If your email provider is vulnerable, you're already fucked, except for those accounts which use two-factor auth. And persona isn't intended for your bank/etc.

[DannyBee]

But your argument is essentially "we're just as fucked as we are now". Okay, so then, uh, what problem have we solved?

Now we are fucked, after we're just as fucked but not using facebook as the identity provider?

I guess i don't see this as much of an improvement? Honestly, i'm not trying to be snarky. I'm just trying to understand why this seems to be presented as leaps and bounds above what we have now when it seems to be just as bad, just more distributed :)

[shardling]

No, if you choose a shitty email provider you're fucked. But currenty, you're also fucked on a site by site basis if whoever you have an account stores your password in plaintext/etc.

It's an improvement on having dozens of accounts on dozens of sites, both from a security standpoint and a UX one.

[Flimm]

It means users don't have to create and remember a new password for every site they register to, which has security problems.