https://github.com/sergiotapia/ASP.Net-MVC3-Persona-Demo
Please give this a shot! I would only like them to keep more information on hand, like a first name, or an avatar so I don't pester my user with such requests.
1) Your identity provider doesn't know where/when you login because the relying party (the website) is supposed to cache the identity provider's public key.
2) When identity providers start implementing browserid, it's not going to make any difference because you're not checking back with the identity providers website, as encoded in the assertion.
What you've implemented here is more like Microsoft Passport - a single point of failure through which all logins flow.
So, as a bootstrap mechanism the Persona service fails, because assuming people jump on the browserid bandwagon, we'll still be stuck using Persona because all the websites have implemented the protocol wrong (as in this case).
---
>So, as a bootstrap mechanism the Persona service fails, because assuming people jump on the browserid bandwagon, we'll still be stuck using Persona because all the websites have implemented the protocol wrong (as in this case).
Please elaborate here. You can just switch out the provider (in my case Mozilla) for another one easy enough. You're not tied down to a particular implementation.
We have a list of libraries/plugins in a ton of other languages on MDN: https://developer.mozilla.org/en-US/docs/Persona/Libraries_a...
Perhaps the marketing of "persona" to consumers should take a backseat. When I signed in to http://123done.org/ the pop up* showing "sign in with persona" confused me for a moment. For a moment, I thought.. "but I do not have a persona account"
If there is a way for users to just sign in with their email without telling them how it is done, I am sure there will be even less friction.
Of course, the persona architecture could still be marketed to developers for integration purposes. But for users, let it just be like magic.
PS: I did not see the Firebase implementation they spoke of. I am still told to make sure my password has 8 characters. https://www.firebase.com/signup/
Think about it this way: suppose you create a persona.org account at site X, then visit site Y which also uses Persona for login. It would look like site Y recognized you, but how? Seems like an incoherent user experience.
Does this help at all?
Firebase offers a login service which includes Persona alongside Facebook, Github, Twitter as login options. They've got a demo here: http://firebase.github.io/firebase-simple-login/
So if, for instance, the user enters his email and is using a persona identity provider, e.g. Yahoo, it could just give a message "Sweet, why don't you log in with Yahoo" or create an account.
If the user has a Persona account already, once the email is put, it could say "Perfect! You are logged in"
If the user is using persona for the first time and does not use an identity provider, it could just bring up a persona form.
Of course, for each instance, you could have a tiny "powered by persona" somewhere. With a bit of thinking it can be refined.
I do not see any reason why a user will want to start thinking about what persona is. They will just use an alternative (Facebook). What persona should be aiming for should be to become "login with email" and not another 3-in-one brand called persona.
- I go to this site that I've never been to before
- It asks me to sign in with my email address, but I've never been to the site before so assume it doesn't "know" my email address
- I then look for a "Create Account" button to set up my account
- Now I'm confused as there is not a button anywhere
- I think "Well, I can't just type my email address in because that has never, ever worked on the web"
And so confusion reigns. Without some sort of iconography explaining what email addresses are accepted a la OAuth most users are going to be completely stumped.
A reasonable guess for a "Sign in with your email" prompt is that you'd need to go through a typical account creation process using your email as a primary ID. In other words, the message looks like a synonym of "Create an account".
There has got to be more thought put into how to make people aware of the Persona mechanism, because it is quite different from all existing sign-in options and it needs to be learned explicitly.
This means the data you store in Firebase can be associated with a Persona user, and you can structure your security rules to enforce whatever read/write behavior makes sense for your app.
Perhaps this sort of flow is possible, but just requires more work?
Unlike Google in 2005, Mozilla is a non-profit actively working to protect user privacy & build a better web. Also, everything we build is open source :-)
Asm.js is, at best, a very ugly hack. Instead of going in the right direction and eliminating JavaScript in favor of a proper embedded runtime or virtual machine, it's just promoting further use of bad (even if widespread) technologies.
Firefox OS doesn't appear to be anything but a me-too catch-up effort. Nothing suggests it can truly compete with iOS or Android, never mind the numerous other mobile OSes out there that are available on far more devices and actually have at least some users.
Persona is perhaps a good-hearted effort, but it's pretty clear that it isn't catching on. There are already too many other authentication systems out there, and many of them have far more traction.
The community as a whole would likely get much better value if Mozilla focused on the software that many people actually use on a daily basis, like Firefox and Thunderbird, rather than these side projects that don't really offer much at all.
This is news to the Persona team.
I understand the pain of rebranding assets, I do. But if you're going to rebrand to a product your company is already using, it has to be fast. And Mozilla, the 2 year anniversary is in July...
[0]: https://blog.mozilla.org/addons/2013/03/27/getpersonas-com-i...
[1]: https://addons.mozilla.org/en-US/firefox/themes/
[2]: https://blog.mozilla.org/addons/2013/02/28/getpersonas-com-m...
At the very least, they should have chosen a different name.
That, and the whole federated/shared/social login space is confusing! First there was OpenID, but then everyone jumped to OAuth. But wait, OAuth isn't really about authentication?! Throw in xAuth and all of Eran Hammer's rants, and you quickly realize that anything resembling consensus is pretty tenuous, at best.
Persona looks solid, though -- here's hoping browser developers jump on board quickly. I'm concerned that OAuth's delegated authentication mechanism might remain king for a lot of free web apps, though. The ability to require permissions to post (spam) to your users timeline/wall (even if it's not actually needed by your application) is probably pretty tempting for someone trying to work every angle possible to make money from their application. Every angle other than actually charging for their service, that is.
Also, people recognize Facebook and Google as brands they already have accounts with. When a user sees a big blue/red Sign In With Facebook/Google button, that's an easier decision than hand-keying your credentials (especially on a tiny and slow mobile keyboard). Moreover, users trust Facebook and Google to know how to secure their passwords better than randomsiteijustfound.com, so they may believe OAuth is safer than trusting that randomsiteijustfound.com's developer knows how to properly hash a password.
Play Brave[1] is a game from the Born This Way Foundation, which uses Persona.
Mineshafter[2] is a free alternative to using the main Minecraft online services.
The Times[3] (UK) Crossword puzzle uses Persona to make switching between Desktop and Mobile easy.
[1] http://www.playbrave.org/gallery/ [2] http://mineshafter.info [3] http://crossword.thetimes.co.uk/
Because all they've published so far is API specs and fluffy PR sites that try to portray it as "oh so much better" without offering any insight about why it is better. They can claim "more privacy" all day long, but without any details about what gets stored where and why it is supposed to be safer, they don't make a compelling case.
Look at this page for example: https://login.persona.org/about (the "how it works" page) - it has 0 details about these claims and unfortunately, we're already tired of reading how Google and FB respect our privacy. From "outside", it looks like we need to give Mozilla our (existing) credentials and trust them to handle them with care. Why should we? I feel safer making pwgen passwords for every new site I need to register at.
As far as the architecture of the overall thing, there are also http://identity.mozilla.com/post/7899984443/privacy-and-brow... and http://identity.mozilla.com/post/11145921163/browserid-desig... and a technical specification at https://github.com/mozilla/id-specs/blob/prod/browserid/inde... that describes the exact data flow involved.
And if you read those, it should become pretty clear _why_ this is better for privacy than the FB or Google login systems. For one thing, the identity provider is never told that you're logging in.
The good news is Mozilla have managed to implement a bridge that makes it look like one major email provider, Yahoo!, implements it.
Now you need the other two corners. Firefox OS is not mainstream enough, why doesn't Firefox for the desktop implement this natively yet? Isn't the whole of Mozilla behind this initiative? (Also, why haven't they fully retired the old usage of the brand Mozilla Persona yet?)
As for big web sites... we've got some things in the works. But that's where you and others on HN can help. If you like Persona, if you like the vision we have, then help us. Pick one site where you can implement it. Ditch social login, which users hate, and pick Persona instead.
As cliche as it might sound, I think I have to say this: Be the change you want to see in the Web. Help us make Persona, the one login system that respects users, truly successful.
I could even add things like have browsing preference data like "prefers-dark-on-light-theme", "no-video-or-audio-autoplay", or "no-nsfw-content". The site can add functionality for these preferences if it chooses to. Does Persona already have this?
We'd love to see more experiments in this space. Get involved https://github.com/mozilla/browserid
For the Node.js developers in the crowd, I'm happy to see Mozilla is using Passport.js (http://passportjs.org/) (which I'm the developer of) to power the OpenID/OAuth dances when doing identity bridging. You can see it in action at the BigTent repo: https://github.com/mozilla/browserid-bigtent
Passport.js can be used in your own applications to easily perform the server-side part of Persona/BrowserID as well as integrate with or transition from an existing login system.
Many articles say that Persona is great and awesome etc. but do not explain what the advantages and security implications are.
If that's not geeky enough, you can read the spec for the browserid protocol: https://github.com/mozilla/id-specs
Comparison to OpenID is covered in the FAQ page: https://developer.mozilla.org/en-US/docs/Persona/FAQ#How_doe...
We've got a list of recent talks, too, in case you'd rather flip through slides or watch a video: https://wiki.mozilla.org/Identity/Spread_Persona
Comparison to OpenID: http://identity.mozilla.com/post/7669886219/how-browserid-di...
Persona is a login system that cares about your privacy. With social login systems, the website you are logging into contacts the social login provider (Facebook/Google+/Twitter/what-have-you) when you attempt to log in. So you end up leaving a trail of breadcrumbs behind you of every site you visited (and used a social login on). Further, many people are not comfortable giving sites access to their social accounts because of privacy concerns.
With Persona, the idea is that your identity provider (can be your email provider, persona.org , or someone else) will have a key publicly available on their site. Your browser would generate a certificate that can be verified against that key. However, since the same key from the provider is used to authenticate all accounts on that provider, all the provider finds out when a website contacts it for the key is that someone is trying to log into said website. Plus, the website could cache the certificate and now the provider does not know this either.
There is more to this so you're probably better off reading one of the other links.
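The two-level chain sketched in this comment (an identity provider signs a certificate over a key the browser generated; the browser then signs a short-lived assertion for one site; the site checks the whole thing against a copy of the provider's key it already holds) is also what the first comment in the thread is getting at when it objects to a site that forwards every assertion to a remote verifier. The following Python is an added example written for this page, not code from Mozilla, the linked demo repo, or any commenter. It uses a textbook RSA toy (no padding, Miller-Rabin keygen) purely to stay standard-library-only, and the field names `iss`, `email`, `public-key`, `aud` and `exp`, the hostnames and the e-mail addresses are constructed for illustration, loosely modelled on the BrowserID layout rather than reproducing it.

```python
# Added example, not Mozilla's or the post's code: a toy BrowserID-style flow where the relying party
# verifies locally against a cached IdP key.  Textbook RSA (no padding) keeps it stdlib-only; NOT for real use.
import hashlib
import json
import secrets
import time

E = 65537  # public exponent shared by all toy keys

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin test; candidates here are always >= 2**127, so no small-prime equality case."""
    if any(n % sp == 0 for sp in (3, 5, 7, 11, 13, 17, 19, 23, 29)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(candidate):
            return candidate

def keygen(bits=256):
    while True:  # (public, private) toy RSA keys; the IdP and each browser generate their own
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:  # E is prime, so this is exactly gcd(E, phi) == 1
            return {"n": p * q, "e": E}, {"n": p * q, "d": pow(E, -1, phi)}

def _digest(payload):
    """Canonical JSON -> SHA-256, truncated to 192 bits so it always fits under the 256-bit modulus."""
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(raw).digest()[:24], "big")

def sign(private, payload):
    return pow(_digest(payload), private["d"], private["n"])

def verify(public, payload, signature):
    return pow(signature, public["e"], public["n"]) == _digest(payload)

def idp_issue_certificate(idp_private, issuer, email, user_public, ttl=3600):
    """IdP step: after authenticating the user by its own means, certify the browser-made public key."""
    cert = {"iss": issuer, "email": email, "public-key": user_public, "exp": int(time.time()) + ttl}
    return {"payload": cert, "sig": sign(idp_private, cert)}

def browser_make_assertion(user_private, cert, audience, ttl=120):
    """Browser step: sign a short-lived assertion bound to the one site (audience) being logged into."""
    assertion = {"aud": audience, "exp": int(time.time()) + ttl}
    return {"cert": cert, "assertion": {"payload": assertion, "sig": sign(user_private, assertion)}}

def rp_verify(bundle, expected_audience, idp_key_cache, now=None):
    """Relying-party step: returns the verified e-mail or None, consulting only the local key cache
    (a real RP fills it once from the IdP's published key), so the IdP never sees this login."""
    now = int(time.time()) if now is None else now
    cert, assertion = bundle["cert"], bundle["assertion"]
    issuer, email = cert["payload"]["iss"], cert["payload"]["email"]
    if issuer != email.rsplit("@", 1)[-1].lower():  # issuer must be authoritative for the address
        return None
    idp_public = idp_key_cache.get(issuer)
    if idp_public is None or not verify(idp_public, cert["payload"], cert["sig"]):
        return None
    if cert["payload"]["exp"] <= now:
        return None
    claims = assertion["payload"]
    if claims["aud"] != expected_audience or claims["exp"] <= now:
        return None  # assertion replayed at another site, or stale
    if not verify(cert["payload"]["public-key"], claims, assertion["sig"]):
        return None
    return email

def demo():
    """Run the flow once and probe the checks; all names are constructed for the example."""
    idp_public, idp_private = keygen()
    key_cache = {"example.com": idp_public}  # what the RP fetched and cached earlier, offline now
    user_public, user_private = keygen()  # generated by the browser; the private half never leaves it
    cert = idp_issue_certificate(idp_private, "example.com", "alice@example.com", user_public)
    site = "https://rp.example.net"
    bundle = browser_make_assertion(user_private, cert, site)
    tampered = json.loads(json.dumps(bundle))
    tampered["cert"]["payload"]["email"] = "admin@example.com"
    return {
        "ok": rp_verify(bundle, site, key_cache),
        "wrong_audience": rp_verify(bundle, "https://other.example.org", key_cache),
        "unknown_idp": rp_verify(bundle, site, {}),
        "expired": rp_verify(bundle, site, key_cache, now=int(time.time()) + 7200),
        "tampered": rp_verify(tampered, site, key_cache),
    }
```

Calling `demo()` runs one login and four failure probes. The point to notice is that `rp_verify` makes no network call at all: the privacy property this comment describes holds exactly because the site checks signatures against a key it cached earlier, whereas a site that instead posts every assertion to a remote verifier hands that verifier a record of every login, which is the first commenter's objection. The audience check is what stops an assertion obtained by one site from being replayed at another.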
Logging in with, say, a Twitter account is less secure in the sense that Twitter knows what sites you log in to, but more secure in the sense that the sites can't spam you unless you allow them to do so.
I'm concerned that a 'one password' for everything can be more of a liability if your password is stolen/lost and make phishing potentially more lucrative.
Also concerned about a centralised password store - people make mistakes and if there was some DB leak/hack it could be damaging as it would not be contained within one system (if I've understood how it all works correctly).
If you have your own domain/server, you can easily switch out password authentication for something else today if you run your own Identity Provider. Here's my minimal Python IdP implementing TOTP (Google authenticator) authentication:
ATM, I have a FB account that I can use to log in to some sites, a Twitter account, a Google account, a Yahoo account, etc.
With potentially everyone being able to be an Identity Provider, what happens if a site recognizes some providers, but not others? Does Persona ensure that, regardless of Provider, I can use one login on all sites?
Furthermore, how does it protect me from the site gathering and aggregating all kinds of information about me (which, admittedly, they probably already have)? There's usually one overarching, way-behind-the-scenes entity handling the data aggregation for many sites (ie., Facebook) which leads us right back to where we are now.
Or is that part not addressed by this solution?
For that matter, any open-ID or similar technology should add that.
Once email providers start providing their own Identity Providers then the security falls entirely on them.
For instance, once GMail starts being its own authenticator, my two-factor authentication there will kick in.
http://identity.mozilla.com/post/7669886219/how-browserid-di...
There are a bunch of angles to answer this from.
Short answer (assuming native browser, native webmail provider): The malicious website would have to fake browser chrome and fake the user's webmail login flow.
Long answers: Search through the mailing list and get involved! https://groups.google.com/forum/?fromgroups#!forum/mozilla.d...
Second, I wanted to play a crossword puzzle. I click login and am greeted with a popup window, I put in my email, then it asks for a password (ok whatever). So now I have to go to my email, and it says that I click the link and can go play the puzzle, but then it takes me to some persona account manager thing. I go back to my email, click the link again, this time with an error and no puzzle :(
What's new here? That your plan is to just store logins for people? Do you share my email with the webapp I wanted to use? Seriously, what's new here?
PS. Good work, it looks quite convincing!
via https://developer.mozilla.org/en-US/docs/persona/branding
If they recognise it, then they'll know. If they don't, then they don't need to.
1. http://sloblog.io/login has a nice, explanatory landing page.
2. https://www.voo.st/ has a small string of explanatory text at the point where a user chooses between Facebook or Persona auth.
3. http://crossword.thetimes.co.uk/ has a simple, unbranded "log in" button that just opens the popup.
I tried to use my gmail address and it gave me this: http://dl.dropbox.com/u/13941904/persona.png Am I just making up a password for a Persona account and it's using my email address as the user id? I can see how some people would type in their gmail password in by mistake.
The first time around, I knew I was making up a new password, just not where it would be stored.
Then much later I used a different computer (but firefox sync'ed) and tried logging in to Persona, got asked for a password, and thought "oh, so now I make up a new one because it's a new browser and this is BrowserID? Where is this password stored anyway?"
I'm guessing that password is stored on persona.org, not in my sync profile, but even after reading http://lloyd.io/how-browserid-works I still find this one point confusing.
EDIT: I now see that the creation bit has a "verify" field whereas the sign-in bit has only one field, I guess that should have been my hint to use the same password as before. I'm still wondering though how it works when you have several email accounts on one browser, do they all share the same password? Does persona.org know that I have all those email addresses?
Yes, gmail isn't a Persona identity provider, so we have to create an account for you.
Try logging in with a yahoo email account. You will not have to create a "Persona account" password.
The moment Google implements Persona support, we'll stop asking you for this password and delegate to Google's web log in flow.
I can see how this could be a big problem once one ID provider decides he'd be interested in grabbing and abusing such credentials. The natural password related to the e-mail address for most people is that of the e-mail provider.
The experience was bad. I signed in with Persona on Orion to be greeted with "There is no Orion account associated with your Persona email. Please register or contact your system administrator for assistance." Isn't the whole point that I don't need to register?
I clicked the register button to see what more it would require and they wanted a user name, password, and email. With such a poor integration the whole idea of not having to remember another username and password is lost, isn't it? Obviously this particular failure is the fault of the integrating site and not Persona, which seems really cool.
Screen shot after logging in with Persona; then after clicking register: http://imgur.com/a/WCKnh
I'll reach out to the folks over there and see if they can get that fixed in their next release.
EDIT: Here is a link to the progress on this issue, it was moved to the next beta https://github.com/mozilla/browserid/issues/2034
Wait. So, my email provider (Yahoo) can now keep track of every website I login to, if he wants? How can I stop Yahoo being the middleman?
Second question, if an attacker knows my Yahoo password, can he potentially login to _all_ Persona-powered websites with my email then?
Nope.
Architectures like OpenID "phone home" and report your movement across the web.
Persona was explicitly designed to be privacy preserving.
> Second question, if an attacker knows my Yahoo password, can he potentially login to _all_ Persona-powered websites with my email then?
Yes, if an attacker has your yahoo email address and password, they can log in as you. BUT, you can take advantage of two factor auth from Yahoo as well as other security features they provide, to keep yourself safe.
However, if you use the "login with Yahoo" button (or Google or Facebook), then yes, they can track all of your activity.
To your second point: great question! No, the attacker cannot. We still protect your other email addresses with a Persona password.
But Yahoo still knows that I'm on that website.
It's also one that isn't very easy to solve, regardless of how you slice it. Most sites that let you create your own username still require an email address. If you're using the same email address, we're back to square one here. Persona absolutely does not increase your trackability, and by giving users at least the option to use multiple, different email addresses, it's better for privacy than, say, Facebook Connect. That's a win in my book.
It's got curl and streams examples so it should cover 95% of the PHP installs out there. It's crazy how easy it is to drop in and implement... Mozilla's done a great job with it so far. I look forward to more integration of it in the future.
2. It's decentralized: any email provider can provide Persona authentication for the email addresses that it handles. You don't have to rely on Mozilla to do this except as a fallback for email providers who don't support Persona.
Will this great feature of email (SMTP?) be available to me with Persona? I mean email address synonyms.
Off-topic, but wow. Blast from the past. Tucows is still around, and now has a mobile phone service! That was my go-to place for shareware games when I was a youngin'.
IIRC Firefox had a plan for BrowserID something along these lines.
I can see the confidence people might get from the added layer of Persona talking to the external service as opposed to the website that you've never been to before (given the Persona brand builds lots of trust), but the UX is still just as clunky and awkward.
1) Doesn't require a popup. The idea with Persona is that browser developers would build a Persona/BrowserID-type dialog directly into the browser, as opposed to requiring a popup/webpage. This may help mitigate phishing.
2) Better privacy for the end user. With other, uri callback-based systems, your IdP's know what sites/services you're accessing. With Persona, this becomes a bit more difficult, as there is no callback mechanism.
Julius Schorzman of DailyCred, the instant CRM package for any web site, implemented Persona and remarked “We’ve seen from our internal metrics that more than 70% of users still prefer email and password authentication over social log-in like Facebook. Implementing Persona is actually easier than Facebook Connect, or any OAuth implementation we’ve seen.”
People want control over their identity on the web. Social sign-in doesn't meet this need.
Persona seems to me kinda like what the Chinese are doing with requiring people to use .gov ids on the web. Sure, in China it will be by force and here it will be opt-in, but in my eyes the result will be the same: making it easier to track people across the web.
I don't feel like persona solves the ability for a person to have control over their identity on the web any more than people do now, maybe just offer the same utility of social logins without trusting 3rd party(?).
Is all persona users' data stored in a central location (besides websites that have multiple users sign up through persona)?