[artursapek]

Why are they shitting on social sign-in when this works the exact same way, but with email providers? You still need a pop-up that takes you to several domains and makes you click Yahoo's "Accept" button.

I can see the confidence people might get from the added layer of Persona talking to the external service as opposed to the website that you've never been to before (given the Persona brand builds lots of trust), but the UX is still just as clunky and awkward.

[jordan0day]

The UX isn't perfect, but Persona does have a few advantages that ultimately make it better for the end user:

1) Doesn't require a popup. The idea with Persona is that browser developers would build a Persona/BrowserID-type dialog directly into the browser, as opposed to requiring a popup/webpage. This may help mitigate phishing.

2) Better privacy for the end user. With other, uri callback-based systems, your IdP's know what sites/services you're accessing. With Persona, this becomes a bit more difficult, as there is no callback mechanism.

[ozten]

Directly from the article:

Julius Schorzman of DailyCred, the instant CRM package for any web site, implemented Persona and remarked “We’ve seen from our internal metrics that more than 70% of users still prefer email and password authentication over social log-in like Facebook. Implementing Persona is actually easier than Facebook Connect, or any OAuth implementation we’ve seen.”

People want control over their identity on the web. Social sign-in doesn't meet this need.

[cinquemb]

I'm personally not a big fan of social sign in, and i doubt i'm going to use persona (at this time).

Persona seems like to me kinda like what the chinese are doing with requiring people to use .gov ids on the web. Sure in china it will be by force and here it will be opt in, but in my eyes the result will be the same: making it easier to track people across the web.

I don't feel like persona solves the ability for a person to have control over their identity on the web any more than people do now, maybe just offer the same utility of social logins without trusting 3rd party(?).

Are all persona users data stored in a central location (besides websites that have multiple users sign up through persona?)

[takluyver]

As I understand it, there's nothing to stop you using a separate Persona ID for each site you visit, and none of your IDs has to be tied to your real life identity. But most people already give the same username and same e-mail on loads of different websites, so we're happy to carry on doing that.

For now, most Persona users are stored in a central location by Mozilla. The idea is that e-mail providers take over authenticating users, so eventually there should only be a few users that Mozilla stores credentials for. I'm hoping that GMail will add support soon.

[cinquemb]

Hmm, I can see how this would be better than using facebook connect for the risk adverse (though I must question that if one is using something like facebook connect or google whatever in the first place).

But most web users aren't risk adverse, and I question the utility this will have over facebook connect when using it in some kind of application that the user wants to use that requires some kind of social data in order to get the most out of the app.

[ozten]

Great point. You can log into each website with a different email address.

Someone can build a Persona identity provider to automate Pseudo Anonymity.

[clauretano]

You can run your own persona identity provider on your own domain, then use an email address at that domain to log in. You get to control the authentication, the password policy, decide on multi-factor, etc.

This actually very much can solve the inability people have to control their identity on the web.

[SudoNick]

It appears to me that in order to run your own Persona Identity Provider you must setup and maintain an SSL capable webserver for your email domain, equipped with a certificate that chains up to one in Mozilla's bundle (no self-signed cert), configured to handle the Persona protocol and authenticate you. FWIW, some (including myself) run email-only domains/servers with unnecessary services (httpd!) purposely disabled in order to reduce attack surface and administration chores.

AFAICT, even if you do setup your own Persona Identity Provider you would not have control over Relying Parties (websites you login to) and how they verify identity assertions. IOW, you couldn't prevent Relying Parties from taking the easy way out and issuing backend calls to Mozilla's verification service. Which would leak Email Address, Login Site, and time information to Mozilla. Nothing against Mozilla BTW, it's just a third party in such contexts and thus should not be privy to any information about account creations and/or logins.

I think those who run a strong browser config (limiting third party scripts, third party cookies, and/or cross site requests) would have to weaken their setup to even allow the Persona mechanisms to work correctly.

[cinquemb]

When i think of people controlling their identity, i dont think of just an email address. I think of their name, their gender, what they look like and the context their data is put in on the web.

Persona seems like it has everything to do with the signup/login process, and not the actual identity of the person who already has some kind of data of that kind floating around the internet (the kind people want to sell to others).

There's no way that this gives someone the ability to go back and erase whats already out there now and somehow give them control over where their information resides and how it's used more than it is now.

Maybe i'm missing something, but this doesn't seem to provide any more utility that i need now since i haven't even incorporated any social login to my site anyways (and don't plan on it either).