By chance I'm working on authentication stuff these days: an SCrypt hasher for Django and some Spring Security SSO integrations.
I'm also watching PyCon videos and I came across "Beyond Passwords: Secure Authentication with Mozilla Persona" by Dan Callahan.
The presentation is actually very good, but to me, an SSO and OpenId enthusiast, it clearly reflects the missing points of the Persona initiative.
- Persona has better UX than OpenId (the process is simpler and clearer)
- Easy to implement
- Using email as credential is a BAD BAD idea: what if I subscribe to a service (let's say "Mozilla developer center") with my professional email and I suddenly get fired by my employer after an unfair conversation at PyCon? I lose control of my profile on that site. OpenId has an elegant solution for that: the meta-tags.
- It still lacks personal data exchange: Dan Callahan says that they are working on that, waiting for developer feedback... and shows how, upon first-time usage on a site, you have "just" to fill in your name, surname, gender... super boring. This is why the whole "social signin" came out. The problem here is that "identity services" never took off.
- OpenId is easy to integrate too... if you have a library for your language / framework of choice (Rails, Django, Flask and Spring have it).
- It is not as distributed as it is meant to be: you still need Mozilla for the JS (why is explained in the video) and for the "proxy thing" (Mozilla again) for email providers that do not support Persona. I didn't get how signed credential renewal works (since it is said that there is an expiration), but with only one persona per site (different personas are different accounts, right?) how does it mitigate third-party service outages (or shutdowns :-) )?
- It is actually a lock-in: with your email provider and... Mozilla, in a way.
- No email provider will ever support it: Google, Microsoft, Facebook (yes, now Facebook is also an email provider) are active in the identity management business and will probably not favor an initiative from a competitor in the browser market.
- [Almost] no browser (except Firefox) will ever support it: see point n.6
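The "email as credential" point above is, on the relying-party side, a data-model question: if the email address is the account's primary key, losing the mailbox means losing the account. The snippet below is an added example, not code from this post, from Persona or from Django: a hypothetical in-memory account store where the stable key is an opaque account id and verified emails (or OpenId URLs) are linked identities that can be added and revoked, so a single revoked address does not orphan the account. All names and addresses in it are constructed.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    """A relying-party account. The stable key is account_id, never an email."""
    account_id: str
    display_name: str
    # normalized identity -> verification timestamp; identities are emails or OpenId URLs
    identities: Dict[str, float] = field(default_factory=dict)


class IdentityStore:
    """Hypothetical in-memory store mapping linked identities to accounts."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}
        self._index: Dict[str, str] = {}  # normalized identity -> account_id

    @staticmethod
    def normalize(identity: str) -> str:
        # Case-insensitive comparison; a trailing slash on an OpenId URL is not significant.
        return identity.strip().lower().rstrip("/")

    def create_account(self, display_name: str, first_identity: str) -> Account:
        if self.normalize(first_identity) in self._index:
            raise ValueError("identity already linked to another account")
        acct = Account(account_id=secrets.token_urlsafe(16), display_name=display_name)
        self._accounts[acct.account_id] = acct
        self.link_identity(acct.account_id, first_identity)
        return acct

    def link_identity(self, account_id: str, identity: str) -> None:
        key = self.normalize(identity)
        owner = self._index.get(key)
        if owner is not None and owner != account_id:
            # One address must never resolve to two accounts; refuse rather than merge.
            raise ValueError("identity already linked to another account")
        self._accounts[account_id].identities[key] = time.time()
        self._index[key] = account_id

    def unlink_identity(self, account_id: str, identity: str) -> None:
        key = self.normalize(identity)
        acct = self._accounts[account_id]
        if key not in acct.identities:
            raise KeyError("identity not linked to this account")
        if len(acct.identities) == 1:
            # Refuse to orphan the account: the user must keep at least one login path.
            raise ValueError("cannot remove the last identity of an account")
        del acct.identities[key]
        del self._index[key]

    def login(self, verified_identity: str) -> Optional[Account]:
        """Resolve the account for an identity the IdP (Persona, OpenId, ...) has just verified."""
        account_id = self._index.get(self.normalize(verified_identity))
        return self._accounts.get(account_id) if account_id else None


def scenario_fired_employee() -> Tuple[bool, bool]:
    """Constructed walkthrough of the post's scenario.

    Returns (personal address still logs in, revoked work address is rejected)."""
    store = IdentityStore()
    acct = store.create_account("Jane", "jane@employer.example")  # constructed addresses
    store.link_identity(acct.account_id, "jane.personal@example.org")
    # The employer closes the mailbox; the user drops it from the account while still logged in.
    store.unlink_identity(acct.account_id, "jane@employer.example")
    still_ok = store.login("Jane.Personal@example.org") is acct
    work_rejected = store.login("jane@employer.example") is None
    return still_ok, work_rejected
```

The two refusals (never link one address to two accounts, never remove the last identity) are the checks that matter: the first keeps a recycled employer mailbox from being attached to someone else's profile, the second keeps a user from locking themselves out. Calling `scenario_fired_employee()` walks through the post's own example and returns `(True, True)`.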
The main fact here is that Persona does not solve any of the OpenId problems except better UX (well... it wasn't a big deal), but still I think my Mom, my average gym friend etc. wouldn't understand what Persona is or how it works. They know Facebook and Twitter... that's the internet for them (yeah, sad thing indeed) and I would not trade this better UX for the actual OpenId ecosystem. Up to now it is just another sign-in button among the others. Anyway, good luck Persona!