by JoshTriplett 4079 days ago
So, the biggest draw of the social-network-based logins (as well as their biggest flaw) was that you probably already had an account. With Hoomi, what's the advantage of using your Hoomi account rather than just giving an email address?

Also, how does this compare (in both features and privacy) to Persona?

1 comments

Hoomi sits somewhere between email/password login and social login. Users still get the benefit of Single Sign-on (that grows as more developers adopt), but don't have to have (or tie their account to) a social profile. You're also welcome to use your phone number to create a Hoomi account.

As far as Persona goes, one of the major differences is the primacy of mobile as a medium for login. And while Persona focuses on using email addresses as identifiers, we go one step further than that, isolating users/apps into their own ID spaces that aren't tied to any particular existing identifier. As a result, a user can change their email address with us without disrupting their service or updating their applications (https://developer.mozilla.org/en-US/Persona/The_implementor_...), and users don't have to divulge this information if it's not necessary, as with apps that just use login for personalization.

We're rapidly building and adding features to Hoomi, and you can expect to see the benefits to users and developers grow as we flesh out users' ability to create profiles for themselves that they can give their apps access to.

Unlike Persona, Hoomi will be able to know which application the user logs into, and for how long, correct? From what I've seen so far, it seems like the user and/or the application will have to make requests to Hoomi's servers.

Does this mean that Hoomi will become essentially a single point of failure: if Hoomi's servers get compromised, the malicious agent will be able to collect the user's identities and activities? Especially if a lot of apps implement Hoomi, then it may even be possible for the malicious agent to profile the user's entire digital life by tracking them everywhere.

This is what Persona aimed to prevent: it delegates the responsibility of identifying users to a third party and multiple such third parties can exist. Also, as far as I remember from when I used it, it also is designed to ensure that the authenticator has no knowledge of what the user is up to.