It was on the news this mroing, Mozilla will stop developing FirefoxOS phones, and the top Hacker News comment really resonated with me. Sure, IoT is the future, and it would be great if we had more nifty stuff there (shameless IoT privacy plug), but these headlines make the bad taste that I’ve had in my mouth ever since Mozilla shuttered Persona stronger, and I can’t stay silent any more.
What Persona was
For those of you who don’t know, Persona was a private, decentralized authentication protocol that Mozilla developed. It’s pretty much those “Log in with Facebook” buttons that you see on some sites, except that, instead of Facebook, you just log in with your email provider. So, if you enter a Gmail address, you’ll be redirected to Gmail and be asked to allow the site to see your address, and you’ll be logged in, without Gmail ever knowing which sites you are logging in to.
This means that you’ll ever only have one password for all websites and applications. Many people point to this as a flaw, as someone with access to your email account can log in to any site you have an account on, but they miss the fact that that’s the case today. Anyone with access to your email account can simply reset any password on any site. The right solution is to make your email account very, very secure. As security people like to say, “put all your eggs in one basket and stick the basket in Fort Knox”.
Persona was (and still is) a great idea all around, and I would like to officially (that’s right, it’s official) urge Mozilla to reconsider its stance on shuttering Persona, because reasons. Reasons will be explained after a brief retrospective:
Why Persona was shuttered
Persona was shuttered, in Dan Callahan’s words, because they couldn’t demonstrate traction:
The bulk of the team came together around March 2012. Most of us were moved off the project in around November 2013, so we had closer to two years as an official project.
We thought we had more time to experiment with the core protocol and product design, but with Mozilla Labs’ somewhat sudden dissolution, we were unexpectedly asked to demonstrate traction and commercial adoption that simply wasn’t there.
So, the Persona team was given “closer to two years” to revolutionize authentication across the entire web, and was shuttered when they couldn’t. That sounds reasonable, except for one detail: It’s completely unreasonable.
No one can be expected to revolutionize authentication in two years! What one can do in two years is try to discover whether it’s possible to create fully private, decentralized authentication. Not only did the Persona team demonstrate that such a thing is possible, they brought a mature product implementing the protocol to market! I doubt Google would have done any better.
Neither do I buy the notion that there was no traction. Maybe website adoption wasn’t going great, but Persona had loads of developer goodwill and mindshare. People who decided against implementing it pointed to usability issues and how Persona was too different from traditional authentication for users to understand it. That’s entirely a property of something called the “bridge”, an interstitial website that Mozilla used until email providers added native support for Persona, and is very fixable. In fact, it pretty much was fixed when Persona added support for Gmail. You’d enter your email address, be redirected to Gmail, asked to give permission to log in, and you were in.
Why Persona should be resurrected
After all that introduction, here’s why I believe it makes sense for Mozilla to resurrect Persona:
It makes sense for users
Persona is a fantastic protocol for the end user. The ideal flow looks something like:
- Visit a site, click the “log in with your email address” button.
- Enter your email address, be redirected to your email provider.
- Tell the email provider you want to give a site permission to know your email address, without telling the provider which site it is.
- You’re logged in.
This is very similar to Facebook/Google/Twitter logins, except Facebook doesn’t get to know all the sites you want to log in to. The wins for security are immense for the end user:
- It’s easier to remember and keep a single password secure.
- It’s easier to add more authentication factors like single-use codes, hardware tokens, etc to one site than to every site.
- It completely removes the possibility that someone compromises a random site you only used once and learning your password that way. This is a massive advantage. Even if your email provider does end up getting breached, you only need to change one password to be perfectly secure everywhere again.
- You don’t have to go through the hassle of making up a username, a password and confirming your email address. You can sign up on any website in one click, if you choose to.
It makes sense for websites
Not only is Persona for users, it’s great for websites as well:
- The complexity of the user authentication system is greatly simplified. You no longer have to store and secure sensitive passwords, you don’t have to create and maintain pages for creating/changing/retrieving passwords, and you don’t have to worry about breaches exposing user accounts on other services.
- You can be certain that a user owns the address they’re signing up with. You don’t need to validate the email address you get and deal with deliverability issues, it’s already pre-validated.
- Fewer steps to signup will lead to less friction while signing up, and hence to more users signing up. I’m not certain on this point, as I haven’t seen any definitive data yet, but it makes enough intuitive sense that I consider it an advantage.
It’s what Mozilla should be doing
Dan Callahan said in the above chain that it looked like Facebook/Google auth would eat the web and be another major erosion of privacy on the web, but that turned out not to happen, so the need for Persona was lessened. I, however, disagree. Authentication right now is the biggest common pain point in the web, and the hardest thing for anyone to get right. It’s bad from a usability standpoint, where there exist whole industries trying to alleviate the password management burden, it’s bad from a security standpoint, with even huge multinationals getting hacked, and it’s bad from a privacy standpoint, with your email provider receiving all the signup emails and knowing exactly which sites you signed up to.
Mozilla should be focusing on improving security and privacy on the web, which is what we sorely need today. Not only do they have 95% of the technical details solved already, but there’s pretty much nobody else working on this, whereas I can think of one or two competitors in the smartphone space. We need this, and all it’ll take is some marketing and love, which Mozilla excels at. It’s not even that big an effort, all the pieces are already there!
I sometimes see a few counterarguments to reviving Persona, and I would like to address those here as well.
One argument is that users are unfamiliar with Persona and that they can’t figure out how to log in with it. However, this is merely a UX problem, and not a problem with the protocol itself. It can be solved in various ways, such as asking the browser to provide the user’s email provider so the user can be redirected there for login. In such a scenario, what the user would see is “click here to log in with your email”, they would be taken to their provider and asked to grant permission, and then back to the site, where they would then be logged in.
Another argument is less about Persona itself and more about who will do the work. It goes “Persona is open source, so why don’t you work on it?”. The problem here is that there’s a difference between the branding of “Mozilla Persona” and “Some Random Guy Persona”. Only one of those will convince people to use it, and it’s not the one with the word “Random” in it.
Money and mouth
I’m not one to tell people what they should work on and then sit around to watch them do it. I’m willing to help Mozilla with Persona however I can. A few years ago I even wrote an alternative identity provider that supports more features than the stock bridge.
I don’t know if something like a Kickstarter campaign to raise some money to pay for engineer time would help sway Mozilla at all, but I’m perfectly happy pledging a few hundred dollars and running the campaign, if necessary. I just really want to see Persona succeed.
For any feedback/comments/flames, tweet to me or leave a comment below.