Persona Beta 2 launch

Mozilla Persona is an open authentication system that lets you implement sign-in on your site in an afternoon. Today, Persona Beta 2 was released, including a feature called "Identity Bridging" that lets hundreds of millions of users sign into sites supporting Persona with no new username and no new password. The announcement video gives you a good overview of the Beta 2 release:

What's New

In addition to "Identity Bridging", a couple of important new features have landed, and we've started to see significant adoption of the service. Details about these features and new websites using Persona are provided in the announcement on the Mozilla Identity Blog.

Persona, The Full Story

Beyond the code and features, we've really made an effort to tell the full story behind Persona to help people understand how it works, and why we believe it's an important improvement to how people log into websites. You can read an interview with lead developer Lloyd to get a feel for some of Mozilla's motivations and goals for Persona.

Identity on the web is complex, and the full story can't be captured in a single conversation. To address this, leading up to this beta, we've published several articles on the identity blog which compare Persona to social sign-in, give an overview of Persona on FirefoxOS, and dig into why the distributed nature of Persona matters.

Beyond the philosophy, we've detailed the technology behind Persona. This has resulted in several articles that present tools and lessons we hope are relevant to anyone building massive-scale services with Node.js.

How Identity Bridging Works

Identity Bridging is the most important feature of today's release, so let's take a minute to get beyond the emphatic language of a press release and down to how it actually works.

The motivating idea is that checking your email and clicking a link during the sign-in process is jarring and can cause a drop in the number of people who sign up. A significant portion of our UX refinements have been targeted at this problem. So, what can you do to eliminate this step completely?

Most popular webmail providers nowadays offer either OpenID or OAuth as a means for other websites to build authentication using the provider's existing user base (and hence, let people log in faster). On the Persona side we have support for any domain to become a Persona-enabled identity provider and allow address verification without sending email.

So we built a bridge – a server that speaks the Persona IdP protocol on one side and OpenID or OAuth on the other – to use these existing services. The project's codename is "BigTent", and, as with everything we do, the codebase is open source.

To start, we've enabled this bridge for anyone with a yahoo.com email address. In the coming months, we'll turn on support for other major email providers. We expect to cover over half of the worldwide internet population.

Identity bridging is a huge win. It's significantly more convenient for users by eliminating the need to verify emails. Developers get the convenience of social sign-in just by supporting Persona. And finally, it's better for user privacy: Identity Bridging keeps the sites a user visits out of the purview of their identity provider. This is one of those rare and wonderful cases where we can improve both usability and security at the same time!

Try Persona Today!

Implementing Persona on your site should take about an afternoon. To do so, you:

  1. Include a JavaScript library in your page
  2. Add JavaScript code to handle login events
  3. Invoke navigator.id.request() when a user clicks your login button
  4. Implement a server-side handler to verify users and start their session

Each of these steps is described in more detail in our quick setup guide, and if for whatever reason things go awry, we're here to help!
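As an added example covering the four steps above (not the code from the quick setup guide), the following wires the client side with the real navigator.id.watch() and navigator.id.request() API and shows the checks a server-side handler should apply to the verifier's JSON reply before starting a session. `wirePersonaLogin()` takes `nav`, `doc`, `postAssertion` and `onSession` as parameters, an assumption of this example made so the wiring can be exercised outside a browser; `buildVerifyRequest()` and `acceptVerifierResponse()` are likewise this example's own names.

```javascript
// Added example of the four Persona integration steps; not the guide's code.

// Step 1 (in the page's HTML):
//   <script src="https://login.persona.org/include.js"></script>

// Steps 2 and 3: register login/logout handlers, then open the dialog on click.
function wirePersonaLogin(nav, doc, currentUserEmail, postAssertion, onSession) {
  nav.id.watch({
    // The email the site currently has a session for, or null; Persona uses it
    // to decide whether onlogin/onlogout need to fire on page load.
    loggedInUser: currentUserEmail,
    onlogin: function (assertion) {
      // The assertion is opaque to the page; only the server may act on it.
      postAssertion(assertion, onSession);
    },
    onlogout: function () {
      onSession(null);
    }
  });
  doc.getElementById('login').addEventListener('click', function () {
    nav.id.request();
  });
}

// Step 4, server side (Node.js): the login handler forwards the assertion to
// the verifier service together with the site's own audience, then checks the
// reply. This returns a plain description of the HTTP request to send.
function buildVerifyRequest(assertion, audience) {
  return {
    method: 'POST',
    url: 'https://verifier.login.persona.org/verify',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ assertion: assertion, audience: audience })
  };
}

// `expectedAudience` is this site's scheme://host[:port], taken from
// configuration rather than from the incoming request, so an assertion that
// was issued for a different site is rejected instead of replayed here.
// Returns the verified email, or null if no session must be started.
function acceptVerifierResponse(response, expectedAudience, nowMs) {
  if (!response || response.status !== 'okay') return null;
  if (response.audience !== expectedAudience) return null;
  // `expires` in the verifier's reply is a millisecond epoch timestamp.
  if (typeof response.expires !== 'number' || response.expires <= nowMs) return null;
  if (typeof response.email !== 'string' || response.email.indexOf('@') < 1) return null;
  return response.email;
}
```

The two server-side checks that matter most are the ones on `status` and `audience`: a reply of anything but `"okay"` carries no verified email, and a reply whose audience is not this site's own origin means the assertion was minted for somewhere else. Compare the audience string exactly, including scheme and port, and log rejected replies so that replay attempts show up in monitoring.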

What's Next?

We have a couple of clear new features planned, but mostly our roadmap is going to be determined by the people who use Persona. If you haven't tried Persona on your website yet, spend an afternoon and give it a whirl. Let us know what you think on our public mailing list, and help us get rid of the password.

About Robert Nyman [Editor emeritus]

Technical Evangelist & Editor of Mozilla Hacks. Gives talks & blogs about HTML5, JavaScript & the Open Web. Robert is a strong believer in HTML5 and the Open Web and has been working since 1999 with Front End development for the web - in Sweden and in New York City. He regularly also blogs at http://robertnyman.com and loves to travel and meet people.



26 comments

  1. Josh Tumath

    There are two problems with Persona, at the moment, for people that use multiple email addresses. One is that I can’t sign in with one email address but use another email address in the service (e.g. signing into Bugzilla with my main @outlook.com address but having my bugmail email being something else). Also, there’s no obvious way to change the email address for my account.

    April 9th, 2013 at 09:32

  2. Lloyd Hilaiel

    Yo Josh!

    As far as “I can’t sign-in with one email address but use another email address” – the idea right now is you always type the email you want to use for the site, and your persona password (or email provider password if you use yahoo or a different email provider that integrates with persona).

    We could explore adding another step to the login process to confirm that you want to use the email you typed if you have another email, and say, that’s the email you used on this site last time.

    As far as “changing the email address for your account” – If I understand correctly, you’re talking about changing it on a website. This is up to the individual website to implement for now.

    Thanks for dropping by!
    lloyd

    April 9th, 2013 at 10:35

  3. CleanCode Police

    You should have embedded video via https link. New feature which landed in nightly FX 23 (https://bugzilla.mozilla.org/show_bug.cgi?id=834836) prevents loading non-secure content within secured sites.

    April 9th, 2013 at 10:49

    1. Robert Nyman [Editor]

      Good point. :-)
      Changed it.

      April 9th, 2013 at 10:53

  4. penang

    I’m commenting from a user’s perspective

    After reading the information from this page, as well as those from several related sites, I am still in the dark as how to sign up to Persona

    Will there be a center-base for this service ?

    Who is keeping tab of what’s going on, and what kind of information is/are being kept in the central database(s) ?

    April 9th, 2013 at 18:40

    1. Lloyd Hilaiel

      From a user perspective, sites must adopt Persona before it can be used to sign in. You can try any one of the sites listed on the main identity blog post to get a feel for it and use it today.

      As far as “central databases”, Mozilla is bootstrapping persona and responsible for maintaining these central databases. The effort is open source, as transparent as we can make it, and we are personally responsible for working this way so anyone interested can keep tabs on us – and challenge us when we’re not doing the absolute best we can with respect to user privacy while still building an awesome sign-in experience.

      Concretely, you can look at the privacy policy, or view the database schema of the service and understand exactly what’s persisted.

      April 10th, 2013 at 06:50

  5. Matthew Piggott

    To me the biggest selling point of a browser integrated sign-on system would be reducing spoofability, however from the video it would appear that the sign-on is simply opened in a new window which would have the same issues as any other system.

    April 9th, 2013 at 19:08

    1. Lloyd Hilaiel

      We started with an HTML5 based “bootstrap” implementation of persona so that it will be usable today. What you are reacting to is that. This year we hope to launch native Firefox support, and we’ve already landed support in FirefoxOS.

      This native integration will get us the reduced spoofability you seek (as well as many other usability, privacy, security, and performance benefits), and we are eager to work with other browser vendors.

      April 10th, 2013 at 06:52

      1. thinsoldier

        Will firefox have a feature similar to Google Chrome’s “sign into chrome”?

        Firefox sync has been a miserable user experience for me.

        https://bugzilla.mozilla.org/show_bug.cgi?id=788032

        April 12th, 2013 at 21:27

        1. Caspy7

          Lloyd can answer this as well, but…
          There is currently a project to bring the Sign into Chrome functionality to Firefox. Its usability should be on par with Chrome’s as well.

          April 14th, 2013 at 23:54

        2. Lloyd Hilaiel

          What Caspy7 said! We’re going to evolve sync, and solve some of the biggest user complaints – it’s too hard to set up, and it doesn’t back up your stuff. This project is codenamed “profile in the cloud”, or “PiCL” (pronounced ‘pickle’). You can read all about the effort and check out some recent demos that show our current state of development here:

          https://wiki.mozilla.org/Identity/AttachedServices#Demos

          April 15th, 2013 at 08:11

  6. DB

    This is the first time I’ve seen Persona explained in terms of user-benefits (skip the sign-in verification email for each new site) rather than developer benefits or vague promises of privacy without specifying what the privacy benefits are, and I have yet to read a full (and honest) explanation of common questions regarding Persona and privacy. All descriptions of Persona leave it as an exercise to the reader to try and guess possible disadvantages. Since it is not clear to me which of the possible disadvantages are valid, I have avoided using it altogether. Here are my questions that come to mind every time I read about it

    1. According to https://login.persona.org/about Persona lets people use the same password to log in to every site. Does this increase the chances of users accidentally giving away their important email password to any site that asks for it (by filling out the wrong form)?

    2. How does this weigh (in terms of security and privacy) against a sophisticated user who really does use a different password on every site (and then lets Firefox remember it for them).

    3. If I understand correctly, Persona is a server-based solution to logging in (rather than a local-based solution to logging in with a password manager). I know that the about page for Persona promises not to track every site I log into, but please specify exactly what information is received by the server (and what information is remains private between the destination website and the user’s local machine). In other words if law enforcement asks Mozilla.org to track websites that a user has signed into, what information is Mozilla.org able to provide to law enforcement?

    4. How does Persona handle the use-case of wanting to log in to a site that I have absolutely no trust in (and would prefer to give only a single-use, throwaway email, or a fake email). At least from a user-perspective, the only reason to give out a real email address is if you legitimately want to receive emails from that website.

    April 9th, 2013 at 21:46

    1. Lloyd Hilaiel

      These are fantastic questions, let me attempt a response.

      1. Phishing is a real problem. The trend we’re seeing today is one where users use the same password on multiple sites in large numbers – so they give away their important passwords freely without there being malicious intent. So are we getting users *used* to typing their deepest secrets and increasing the likelihood of phishing? I’m not convinced. But with widespread adoption I hope we do reduce the number of organizations that have a password that grants them access to multiple sites a user frequents, and that I’m convinced is a great improvement.

      2. At a high level, I believe we don’t reduce the level of security and privacy afforded by the small percentage of people with great password habits. The goal is to bring that level of safety to the rest of us by understanding large user habits and building a system that works for these folks without asking them to significantly change their behavior.

      3. I need more time to provide you good honest specifics. But for now I can give you our privacy policy http://www.mozilla.org/en-US/persona/privacy-policy/ and database schema https://github.com/mozilla/browserid/blob/dev/lib/db/mysql.js#L10-L30

      I can say, every time we store more data on our servers, we make the rationale transparent on our public list and are reviewed by our privacy team. I’ll see about distilling down our actual practices of today and a more satisfying answer to your questions.

      4. We want this! Users in large numbers have “junk email addresses” we’ve found in user research. Wouldn’t it be fantastic if there were an email provider who stepped up and issued site-specific pseudonymous email addresses for every site you visit? That might require small changes to the protocols upon which persona is built, but it’s something that we’re eager to encourage and support.

      While users today can provide any email they want to log in via persona, I’m eager to see an email provider step up who gives this level of privacy to users without manual steps.

      April 10th, 2013 at 07:10

  7. Mark

    Great initiative, I hope many sites will start supporting this.

    Two questions:

    1. What problem does Persona solve, that is not solved by OpenId?
    2. why is the new Persona IdP protocol used, instead of using oAuth?

    April 10th, 2013 at 03:51

    1. Dan Callahan

      Hi Mark,

      We simply weren’t able to create the kind of user experience, developer experience, or privacy model that we wanted from within the confines of OpenID. For instance, at a fundamental level, OpenID requires phoning home with every login. By making the browser an active participant in the protocol, Persona adds a layer of indirection that prevents information from leaking back about where the user chooses to log in.

      OAuth focuses on authorization, while Persona is currently very narrowly scoped to authentication. Shoehorning OAuth’s tokens and access keys into that role didn’t feel particularly sustainable or approachable.

      April 10th, 2013 at 09:52

  8. tony

    This is good, but an even better idea is a secure and decentralized means of global authentication. Sounds complicated, but it’s already been built by Mike Macgirvin, the creator of Friendica, and it’s called Zot.
    This gives the user even greater control of their own privacy and data.

    April 10th, 2013 at 07:32

    1. Caspy7

      As Simon (and Anonymous) noted below, Persona is decentralized.

      April 11th, 2013 at 08:17

  9. Simon B

    @tony, Persona _is_ decentralized. The Mozilla-run
    provider is one of many for what I know.

    @Mark, 1&2 is I think primarily that simpler user interaction was needed, seeing that a tiny percentage of sites accept openId / auth.

    April 10th, 2013 at 13:25

  10. Sokratis

    If I sign in from one pc to one site, then a user can sign in to the same site/or every site from another pc just using my email address?

    April 11th, 2013 at 02:53

    1. Lloyd Hilaiel

      No, in order to log in with your email address you must be logged in on the current pc.

      So if you use a “yahoo.com” email address, you have to be logged into yahoo. If you use any other email address you must provide your persona password, which will then log you into the website.

      April 12th, 2013 at 10:42

  11. robyz

    Shouldn’t a solution that is more local to the computer be possible, or, to strengthen security, a mostly local (with a bit of centralized add-on) solution?
    I mean, I would feel much more comfortable knowing that no one but me has my aggregated login data..

    April 11th, 2013 at 03:21

    1. Lloyd Hilaiel

      You’re describing persona! Persona is mostly local, with a minimal amount of centralization.

      Basically you login using cryptographic keys, and those keys are generated on your computer, the “secret key” never leaves your computer.

      Further the sites that you visit and the emails you use on them are stored completely on your computer, they never leave.

      Finally, as we build persona into browsers natively, things are going to get even better in terms of de-centralization.

      The only thing that persona really has to remember is whether you’ve proven that you own emails – and this need goes away as email providers support persona. The architecture is really cool, and you learn all about it here: http://lloyd.io/how-browserid-works

      April 12th, 2013 at 10:48

  12. Anonymous

    Trying to answer some questions based on limited understanding:

    @Mark, 1. The OpenId server (gmail, yahoo, facebook…) does now know about all the other services you use. It *will* be integrated into the browser, thus less spoofability, similarly to a native password manager.
    2. You mean OAuth between the browser and the server? I’m guessing that OAuth requires server ports on the browser side in that case. Using OAuth between some other entity is a privacy issue.

    @tony, I thought Persona was decentralized. Mozilla is only bootstrapping it.
    Zot, is that Zot-id? http://friendica.com/node/15 It is documented as using OpenId which is like a tracker.

    Now here is my question:
    Can I spoof my email address for a given web site? Most web sites have zero use of my email address (like the comment form on this web page) and just need to know that I am the same user that logged in at some previous point in time.

    April 11th, 2013 at 04:06

    1. Lloyd Hilaiel

      “Can I spoof my email address for a given web site?”

      See #4 in my response to DB above. We hope to see streamlined per-site pseudonymous email addresses as a core feature of persona, provided by email providers.

      The first email provider or community member that steps up to build this is going to get full support of the team to make the small protocol changes required to make it work well :)

      lloyd

      April 15th, 2013 at 08:22

  13. François

    If someone has the time to answer me… I really don’t understand how persona is decentralized. In the quick setup guide ( https://developer.mozilla.org/en-US/docs/Persona/Quick_Setup ) where you explain how to integrate persona to a website, it is clearly written:
    “https://login.persona.org/include.js”,
    and in this file I found:
    var ipServer = “https://login.persona.org”;

    So it seems that everything uses the server from persona.org, and the user has no way to specify a server at login time.

    I am not an expert at all, but wouldn’t it have been better, when the user enters a mail address in the form user@domain, to check in the DNS system if the domain “domain” has a specific SRV record specifying a persona server, and then use this server to perform the authentication ? This would have been a decentralized architecture…

    April 11th, 2013 at 08:48

    1. Lloyd Hilaiel

      Hey François,

      So the question is how can you claim persona is decentralized when it doesn’t look like it actually is?

      For the frontend code (the authentication dialog and cryptographic stuff), the idea is that browser vendors will implement the UI and javascript routines under navigator.id. Once this happens, the javascript shim (include.js) will simply not inject functions, and the browser will take over.

      There is no way to specify a server at login time, because there will be no server that’s required – it will be mostly client side. The thought is each browser vendor might have a “fallback” IdP to allow verification of email addresses without persona support (or maybe we’ll share infrastructure for this, don’t know yet how things will play out).

      Websites will then run their own verifiers. We’ve provided the centralized verifier as a convenience to make it easier to get started – but as fantastic verification libraries arise, websites will just be able to include the library and go.

      I hope this is a satisfying answer. With respect to using DNS for discovery of support, we’re tracking that feature here: https://github.com/mozilla/browserid/issues/1523

      April 15th, 2013 at 08:19
