by TomGullen 4821 days ago
I do see the huge potential benefits of the system but have a couple of concerns.

I'm concerned that a 'one password' for everything can be more of a liability if your password is stolen/lost and make phishing potentially more lucrative.

Also concerned about a centralised password store - people make mistakes and if there was some DB leak/hack it could be damaging as it would not be contained within one system (if I've understood how it all works correctly).

For most people, their email password already is 'one password' for everything. If someone compromises their email account then they can use the account recovery features of these other websites to reset their password through email.

That's just the fallback identity provider Mozilla runs. The idea is that your GMail address will authenticate you using whatever GMail uses, so you can use 2-factor authentication.

If you have your own domain/server, you can easily switch out password authentication for something else today if you run your own Identity Provider. Here's my minimal Python IdP implementing TOTP (Google authenticator) authentication:

https://bitbucket.org/djc/persona-totp

There has to be at least one password. If you use password managers like Lastpass or Keepass, you're essentially putting all your eggs in one basket, but that is generally safer than what the typical internet user does which is use the same password for everything.

Persona is decentralised by design (with a centralised stop-gap to get things going). Once other companies implement their own Identity Provider it's all entirely decentralised.

Doesn't that lead to the problem of having to have multiple identities again?

ATM, I have a FB account that I can use to log in to some sites, a Twitter account, a Google account, a Yahoo account, etc.

With potentially everyone being able to be an Identity Provider, what happens if a site recognizes some providers, but not others? Does Persona ensure that, regardless of Provider, I can use one login on all sites?

Furthermore, how does it protect me from the site gathering and aggregating all kinds of information about me (which, admittedly, they probably already have)? There's usually one overarching, way-behind-the-scenes entity handling the data aggregation for many sites (i.e., Facebook) which leads us right back to where we are now.

Or is that part not addressed by this solution?

Persona is the protocol that the sites use to communicate with the identity provider. If they support Persona they will support Persona authentication from any email provider that chooses to support Persona and from the fallback provider that Mozilla provides.

Well, since they get the email address, they can easily check that it ends in @gmail and stop everyone else. Of course, only supporting gmail means they have to write _more code_ than supporting every provider, so let's hope laziness wins.

Persona should add two-factor authentication.

For that matter, any OpenID or similar technology should add that.

Persona is only handling authentication temporarily.

Once email providers start providing their own Identity Providers then the security falls entirely on them.

For instance, once GMail starts being its own authenticator, my two-factor authentication there will kick in.

Identity Bridging will eventually get 60-80% of users functionally off of our fallback and onto their provider's native authentication paths, but I do wonder if the Persona fallback supports two-factor auth natively for the remaining 20-40% of users.

Thoughts?

Persona leaves authentication entirely up to the identity provider. In the case of the fallback identity provider that you're probably seeing, they choose passwords. Other identity providers can choose any method of authentication that they want to use.