May 27, 2013

About Mozilla Persona

Or why " Mozilla Persona do not solve OpenId Problems"
By chance I'm working on authentication stuff these days. A SCrypt Hasher for django and some Spring Security SSO integrations.
I'm also watching pycon videos and I came across "Beyond Passwords: Secure Authentication with Mozilla Persona" by Dan Callahan.
The presentation is actually very good but to me, an SSO and OpenId enthusiast, clearly reflects missing points of the Persona initiative.

  1. Persona has better UX than OpenId (process is simpler and clearer )
  2. Easy to implement 

  1. Using email as credential is a BAD BAD idea: What if I subscribe a service  ( let's say "Mozilla developer center" )  with my professional email and I got suddenly fired by my employer upon unfair conversation at PyCon. I lost control on my profile on that site. OpenId has an elegant solution for that. The meta-tags.
  2. It still lacks of personal data exchange: Dan Callahan says that they are working on that, waiting for developer feedback... and shows how, upon first time usage on a site you have "just to fill your name, surname , gender... super boring. This is why the whole "social signin" came out. The problem here is that "Identity services" never took off.
  3. OpenId is easy to integrate too... if you have a library for your language / framework of choice ( Rails, Django, Flask, Spring have it) 
  4. It is not as distributed as is meant to be: you still need mozilla for js ( why is explained in the video) for the "proxy thing" (mozilla) for email providers that do not support persona. I didn't get how signed credential renewal works ( since it is said that there is an expiration) but with only one persona per site ( different personas are different accounts right?) who does it mitigate third party services outrages ( or shutdowns :-)  )
  5. It is actually a lock in: with your email provider and... mozilla in a way.
  6. No email provider will ever support it: Google, Microsoft, Facebook ( yes now Facebook is  also an email provider) are active in the Identity management business and will not probably favor an initiative from a competitor in the browser market.
  7. [Almost]No browser (except Firefox) will ever support it: see point n.6
The main fact here is that Persona do not solve any of the OpenId problem except better UX ( well... it wasn't a big deal) but still I think my Mom, my average Gym friend etc.. wouldn't understand what Persona is, how it works. They know Facebook and Twitter.. that's the internet for them ( yeah sad thing indeed) and I would not trade this better UX with the actual OpenId  ecosystem. Up to now it is just another sign in button among the others. Anyway good luck Persona!