Persona assumes something trivially false for most end users: that email addresses are canonical and precious; in fact, email addresses tend to be recycled (by schools and ISPs), users have many of them (causing them to never remember which one hey are using, a problem compounded y the usage of clients that aggregate their email together), and they are extremely temporary (users throw them away and get new ones when they start getting too much spam, and are even forced to do so when they change jobs, graduate from school, move to a new area, or simply change email providers, as even savvy users tend to rely on third-party domains, including gmail.com).
This makes persona both frustrating for the user (having to do account migrations at the least convenient time on every website they use, always using the least convenient flow as by the time they notice they have already lost access to their old email address) and insecure for everyone involved (the situation where user's account is compromised when their email address is recycled is bad for everyone). In comparison, users tend to have one account on Facebook, and that account is theirs and theirs alone essentially forever.
Facebook has amazingly well-engineered mechanisms to do account password recovery (my favorite is the one that shows you uncommon pictures of your friends--old shots, people in Halloween costumes, etc.--and asks you to identify them), the account has a username independent of email addresses (to the limited extent to which email addresses matter, if the user changes addresses Facebook will be the first thing they think of to update before they go through with the process, and even if they don't they will catch it immediately as most normal users use Facebook often), and Facebook provides a central location to store a bunch of common profile information (in particular a picture) that the user will actually keep up to date (which is pleasant for both the user and the website). Using Facebook as a login provider actually solves problems for both users and website operators in a reasonably secure manner.
Users on websites like Hacker News, developers, the kinds of people who build websites, sadly don't notice these problems, as they are the kind of people who value email addresses and understand the issues related to security if addresses are reused: this is fundamentally unlike a normal user or sadly even a normal system administrator. I have been saurik@saurik.com since 1997 and will be until the day email is dead: I was really argumentative any time my University asked me to use saurik@cs.ucsb.edu (an address they later cancelled on me and recycled :/) and so avoided third-party addresses, and noticed the canonicalization problem after only a year of saurik@poboxes.com (a service that happened to also help users get "vanity" email addresses, as users care more about cool addresses on domains like starfleet.com than ones that won't change). I am not typical: Persona, sadly, is designed for users like me at the exclusion of normal people :(.
For more details about these issues, I will refer you to earlier discussions of Persona and social login mechanisms, where I provided much longer comments, examples, walkthroughs, etc.
I think the counterarguments on Persona are really valuable.
On Facebook, I have 2 major concerns.
1. It's not guaranteed that a user has a Facebook account. I don't mean in general, but similarly as people change their email address when it's full of spam, people shut down Facebook in response to events in their life, like a breakup, to maybe recreate a new one later.
2. I'm absolutely not convinced about the fact that people update their email on Facebook. In our experience with Facebook login, in fact, the email (even when certified by Facebook) is never reliable and it's usually that very old email you had when you signed up to Facebook ages ago. IMHO this is because Facebook is so complete in terms of communication, that you don't actually need an email address for using it.
> Persona assumes something trivially false for most end users
No. No no no no no. No.
This is not "trivially false". Maybe if you said "Persona assumes something which is false for some end users" then you would have a point.
What persona does is being practical. You are identified by an email address which is already the way most people are identified on the web (immediate integration with existing services and no introduction of a new concept such as an "URI identity" a la openid).
Your email address can still be updated as long as you own it and the web app allows it, as you would expect. But using a username instead of an email address would be worse. How many times have I changed my username? I love my current one but it is short and not always available: I sometimes have to use an alternative one. Not to mention the times people outright steal my username; something they cannot do with an email address for obvious reasons.
Please. Persona does have flaws, so don't waste time burning it on a non-issue.
I like reddits system. Pick a user and pass. All other fields are optional, and you can fill them out later if you wish or as needed.
Imo if your website doesn't use that system its because you're more interested in collecting and selling my private information than you are providing me with whatever service you want me to sign up for.
10 comments
[ 3.2 ms ] story [ 33.4 ms ] threadOAuth as an authentication method is stupid. Use Persona (https://www.mozilla.org/en-US/persona/). Third party auth done right.
This makes persona both frustrating for the user (having to do account migrations at the least convenient time on every website they use, always using the least convenient flow as by the time they notice they have already lost access to their old email address) and insecure for everyone involved (the situation where user's account is compromised when their email address is recycled is bad for everyone). In comparison, users tend to have one account on Facebook, and that account is theirs and theirs alone essentially forever.
Facebook has amazingly well-engineered mechanisms to do account password recovery (my favorite is the one that shows you uncommon pictures of your friends--old shots, people in Halloween costumes, etc.--and asks you to identify them), the account has a username independent of email addresses (to the limited extent to which email addresses matter, if the user changes addresses Facebook will be the first thing they think of to update before they go through with the process, and even if they don't they will catch it immediately as most normal users use Facebook often), and Facebook provides a central location to store a bunch of common profile information (in particular a picture) that the user will actually keep up to date (which is pleasant for both the user and the website). Using Facebook as a login provider actually solves problems for both users and website operators in a reasonably secure manner.
Users on websites like Hacker News, developers, the kinds of people who build websites, sadly don't notice these problems, as they are the kind of people who value email addresses and understand the issues related to security if addresses are reused: this is fundamentally unlike a normal user or sadly even a normal system administrator. I have been saurik@saurik.com since 1997 and will be until the day email is dead: I was really argumentative any time my University asked me to use saurik@cs.ucsb.edu (an address they later cancelled on me and recycled :/) and so avoided third-party addresses, and noticed the canonicalization problem after only a year of saurik@poboxes.com (a service that happened to also help users get "vanity" email addresses, as users care more about cool addresses on domains like starfleet.com than ones that won't change). I am not typical: Persona, sadly, is designed for users like me at the exclusion of normal people :(.
For more details about these issues, I will refer you to earlier discussions of Persona and social login mechanisms, where I provided much longer comments, examples, walkthroughs, etc.
https://news.ycombinator.com/item?id=7243021
https://news.ycombinator.com/item?id=5408735
On Facebook, I have 2 major concerns.
1. It's not guaranteed that a user has a Facebook account. I don't mean in general, but similarly as people change their email address when it's full of spam, people shut down Facebook in response to events in their life, like a breakup, to maybe recreate a new one later.
2. I'm absolutely not convinced about the fact that people update their email on Facebook. In our experience with Facebook login, in fact, the email (even when certified by Facebook) is never reliable and it's usually that very old email you had when you signed up to Facebook ages ago. IMHO this is because Facebook is so complete in terms of communication, that you don't actually need an email address for using it.
No. No no no no no. No.
This is not "trivially false". Maybe if you said "Persona assumes something which is false for some end users" then you would have a point.
What persona does is being practical. You are identified by an email address which is already the way most people are identified on the web (immediate integration with existing services and no introduction of a new concept such as an "URI identity" a la openid).
Your email address can still be updated as long as you own it and the web app allows it, as you would expect. But using a username instead of an email address would be worse. How many times have I changed my username? I love my current one but it is short and not always available: I sometimes have to use an alternative one. Not to mention the times people outright steal my username; something they cannot do with an email address for obvious reasons.
Please. Persona does have flaws, so don't waste time burning it on a non-issue.
Imo if your website doesn't use that system its because you're more interested in collecting and selling my private information than you are providing me with whatever service you want me to sign up for.