Ask HN: Mozilla Persona Post-Mortem

79 points by pc2g4d ↗ HN
As far as I can tell, the demise of Mozilla Persona has left a vacuum in terms of user-controlled identity solutions. Why did Persona fail? What else is happening in this area? What's coming up on the horizon?

14 comments

[ 4.3 ms ] story [ 23.1 ms ] thread
The main purpose of Persona was cross-site login, and it seems like there's a million options for that: Google, Facebook, Twitter, Reddit, Steam, etc etc etc. Broadly speaking, you can support a lot of these platforms all at once with OpenID (don't know too much about OpenID though; not sure how prevalent support is).

I think Persona failed because it simply wasn't the easiest option for the end-user. When given the choice to create an account on Persona, or sign in with the social media account they already have, most people will follow the principle of least effort and use their existing social account.

The original Persona proposal had the concept of browser-based identity. Your browser would provide secure authentication, and then Firefox Sync would let you bring the authentication credentials with you to other systems. You'd just click "sign in" on a site (or in the browser UI) and your browser would sign you in, with no other interaction required.

However, outside of a prototype addon, that approach never materialized. And without that, Persona didn't have a compelling use case except for people who didn't want to trust signing in via Facebook or Google or Twitter.

We're finally starting to see standards proposals that address this, and allow signing in via cryptographic authentication built into your browser. I hope to see those make OAuth obsolete for any use case other than API access to an account (e.g. "allow this site to integrate with Github").

> We're finally starting to see standards proposals that address this, and allow signing in via cryptographic

could you point us at these - would've very interested as thelack of PKI in the world does bother me

https://www.w3.org/TR/webauthn/

Disclaimer: I have not reviewed this spec in detail yet, and my confidence in the W3C is not high.

Firefox 60 will ship the WebAuthn API. Here's a Mozilla blog post with examples of how to use WebAuthn and FIDO U2F devices:

https://hacks.mozilla.org/2018/01/using-hardware-token-based...

Will it work with a key stored in the "software security device", rather than a hardware token?

For that matter, the description shown on that page suggests that it supports using the key on the hardware token as the only authentication factor. That seems dangerous. Unlike a key stored on an encrypted disk, a U2F key typically works for anyone who steals it. Firefox needs to use that key together with another key stored in the browser, or otherwise ensure that someone who steals the U2F key does not gain access to every account secured with WebAuthn.

Also, Persona was interesting for being one of the few actually user-friendly and usable deployments of public-key cryptography ever to exist.
Wonder if we'll see password managers starting to support this, in some kind of agreed-upon standard.
Portier (formerly Let's Auth) was set up by a bunch of people interested in decentralised identity solutions after Persona was killed, as a sort of spiritual successor: https://portier.github.io/
Worth noting that Portier is sponsored in part by Mozilla. IIRC some of the people originally responsible for Persona are also involved with Portier.
I recently implemented Portier in a porject. I haven't come across a nicer login system. It's dead simple and a joy to use. I hope it'll become more popular!