Mozilla brands Persona as password killer
An update to Mozilla's beta log-in system lays the groundwork for using your preferred Web mail username and password to sign in to multiple sites.
Mozilla's Web site log-in alternative known as Persona unveiled a Beta 2 version today. Now you can sign in to any Web site supporting Persona using a Yahoo Mail account.
Persona, which is still in development, is an open authentication system that works on desktops and mobile devices. In addition to being able to log in using either your Persona ID or your Yahoo credentials, today's release introduces support for Firefox OS, which means you can expect to use Persona to log in to any Firefox OS devices that launch later this year. It also includes back-end changes that make the log-in system work twice as fast as before, Mozilla says. The company boldly claims that Persona will also be a "password killer."
"Facebook and Twitter sign-in conflate the act of signing into a Web site with sharing access to your social network, and often granting the site permission to publish on your behalf. Sometimes this is what a user wants, but far too often it's absolutely not," said Lloyd Hilaiel, the technical lead for the project, in a post explaining Persona Beta 2.
It's a bit hard to tell from the Persona promotional video how it will do away with the need for passwords, but the utility of not having to remember multiple usernames and passwords can't be overstated -- as long as your password isn't abc123 or, worse, password. "Persona implements the proposed BrowserID standard proposed by Mozilla for verifying user identity via browsers using existing e-mail addresses. With Persona, verified email addresses and encrypted passwords are saved on the Mozilla server. It uses a client-side cryptographic certificate (that is, it stores tamper-resistant proof in your browser) to prove to the site that the current user owns a particular email address. The site that you're logging in to never actually sees your password," said Ben Adida, Director of Identity for Mozilla and a technical adviser to Creative Commons, in an e-mail to CNET.
Persona is different from most log-in systems, such as the ones for Google or Facebook. Those systems require users to create log-ins specifically for their sites, while the new Persona Beta 2 recognizes Yahoo accounts; Mozilla says it plans to add other accounts later this year.
Mozilla Persona uses a component called Identity Bridge to let people use their existing Web mail accounts with the authentication system. Hilaiel and Mozilla Technical Evangelist Robert Nyman described on the Mozilla Hacks blog what the bridge does: "So we built a bridge - a server that speaks the Persona IdP protocol on one side and OpenID or OAuth on the other - to use these existing services," they wrote.
"It is designed from the ground up to be federated and distributed," said Hilaiel. It also differs from other federated ID protocols in one important manner, said Adida.
"When a user logs in to a Web site using a Facebook, Google, Yahoo, Twitter or any OpenID account, their identity provider is inextricably involved in the transaction," Adida said. "With Persona, the identity provider is on a need-to-know basis: the login process between user and Web site will use a digital certificate provided by the identity provider, which means the identity provider will be represented by proxy, but never directly involved in the login flow," he wrote.
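The two mechanisms Adida describes above (a certificate the identity provider issues to the browser, and a login in which the provider is "represented by proxy" rather than contacted) can be seen end to end in a small worked flow. The following Go program is an added example for this article, not Mozilla's code and not the real BrowserID wire format: the JSON field names, the "." and "~" separators, the use of ed25519 instead of BrowserID's RSA/DSA keys, and the rule that an issuer may only certify addresses in its own domain are all assumptions of this example. Persona itself fetched the provider's public key from a well-known URL; here the site is given a map of trusted provider keys directly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Illustration of a BrowserID-style login (added example, not Mozilla's code).
// The IdP signs a certificate binding an e-mail address to a key held by the
// browser; the browser signs a short-lived assertion naming one site; the site
// verifies both signatures without talking to the IdP. Field names, separators
// and ed25519 are assumptions of this example, not the real BrowserID format.

type Certificate struct {
	Issuer  string `json:"iss"`   // domain of the identity provider
	Email   string `json:"email"` // address the IdP vouches for
	PubKey  string `json:"pub"`   // base64url ed25519 public key generated in the browser
	Expires int64  `json:"exp"`   // unix time; certificates live hours or days
}

type Assertion struct {
	Audience string `json:"aud"` // origin of the site being logged in to
	Expires  int64  `json:"exp"` // unix time; assertions live minutes
}

var b64 = base64.RawURLEncoding

// signJSON returns base64url(payload).base64url(signature).
func signJSON(priv ed25519.PrivateKey, v interface{}) (string, error) {
	payload, err := json.Marshal(v)
	if err != nil {
		return "", err
	}
	return b64.EncodeToString(payload) + "." + b64.EncodeToString(ed25519.Sign(priv, payload)), nil
}

// decodeToken parses a token into v; the signature is checked only when pub is non-nil,
// so an unverified first pass can be used to learn which issuer key to look up.
func decodeToken(token string, pub ed25519.PublicKey, v interface{}) error {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return errors.New("malformed token")
	}
	payload, err := b64.DecodeString(parts[0])
	if err != nil {
		return err
	}
	sig, err := b64.DecodeString(parts[1])
	if err != nil {
		return err
	}
	if pub != nil && !ed25519.Verify(pub, payload, sig) {
		return errors.New("bad signature")
	}
	return json.Unmarshal(payload, v)
}

// IssueCertificate runs at the IdP, once, after the user has authenticated there.
func IssueCertificate(idpPriv ed25519.PrivateKey, issuer, email string, browserPub ed25519.PublicKey, exp time.Time) (string, error) {
	return signJSON(idpPriv, Certificate{Issuer: issuer, Email: email, PubKey: b64.EncodeToString(browserPub), Expires: exp.Unix()})
}

// MakeBackedAssertion runs in the browser on every login; the IdP is not contacted.
func MakeBackedAssertion(cert string, browserPriv ed25519.PrivateKey, audience string, exp time.Time) (string, error) {
	a, err := signJSON(browserPriv, Assertion{Audience: audience, Expires: exp.Unix()})
	if err != nil {
		return "", err
	}
	return cert + "~" + a, nil
}

// VerifyBackedAssertion runs at the site. idpKeys holds the trusted IdP public keys,
// keyed by domain. It returns the verified e-mail address or an error.
func VerifyBackedAssertion(backed, audience string, idpKeys map[string]ed25519.PublicKey, now time.Time) (string, error) {
	parts := strings.Split(backed, "~")
	if len(parts) != 2 {
		return "", errors.New("malformed backed assertion")
	}
	var cert Certificate
	if err := decodeToken(parts[0], nil, &cert); err != nil { // unverified peek at the issuer
		return "", err
	}
	idpPub, ok := idpKeys[cert.Issuer]
	if !ok {
		return "", fmt.Errorf("untrusted issuer %q", cert.Issuer)
	}
	if err := decodeToken(parts[0], idpPub, &cert); err != nil {
		return "", fmt.Errorf("certificate: %w", err)
	}
	if !strings.HasSuffix(cert.Email, "@"+cert.Issuer) { // assumed rule: an IdP only vouches for its own domain
		return "", errors.New("issuer not authoritative for this address")
	}
	if now.Unix() >= cert.Expires {
		return "", errors.New("certificate expired")
	}
	browserPub, err := b64.DecodeString(cert.PubKey)
	if err != nil || len(browserPub) != ed25519.PublicKeySize {
		return "", errors.New("bad key in certificate")
	}
	var a Assertion
	if err := decodeToken(parts[1], ed25519.PublicKey(browserPub), &a); err != nil {
		return "", fmt.Errorf("assertion: %w", err)
	}
	if a.Audience != audience { // stops an assertion minted for one site being replayed at another
		return "", fmt.Errorf("assertion for %q, not %q", a.Audience, audience)
	}
	if now.Unix() >= a.Expires {
		return "", errors.New("assertion expired")
	}
	return cert.Email, nil
}

func main() {
	idpPub, idpPriv, _ := ed25519.GenerateKey(rand.Reader)         // identity provider's key
	browserPub, browserPriv, _ := ed25519.GenerateKey(rand.Reader) // key generated in the browser
	now := time.Now()
	cert, _ := IssueCertificate(idpPriv, "yahoo.com", "alice@yahoo.com", browserPub, now.Add(24*time.Hour))
	backed, _ := MakeBackedAssertion(cert, browserPriv, "https://site.example", now.Add(2*time.Minute))
	email, err := VerifyBackedAssertion(backed, "https://site.example", map[string]ed25519.PublicKey{"yahoo.com": idpPub}, now)
	fmt.Println(email, err)
}
```

The site learns only the e-mail address and the provider's public key; it never sees a password, and the provider never learns which site the user logged in to, which is the "need-to-know" property Adida describes.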
For Persona to succeed, Mozilla needs to get buy-in from both Web mail providers and Web site owners. If successful, Hilaiel expects Mozilla to be "almost completely out of the sign-in transaction."
In response to questions about how Persona protects user log-in information, Adida noted two security features that Persona implements. One is what he described as a "powerful session lockout mechanism" designed for the case where your device is stolen: it automatically logs you out of Persona when you change your Web mail password from another device. The other limits log-in sessions from devices that you haven't verified, such as public computers, to five minutes. "Extending it requires typing in the password again, at which point we prompt the user to tell us whether this computer is theirs or is public. In other words, we've implemented strong protection on public computers with a novel user interface that removes the annoying and confusing 'remember me' option," he said.
According to some studies, only three Web mail providers account for most Web mail use. Although Mozilla has not tipped its hand toward other companies it might be talking with, it's a safe bet that it's working on getting Google and Facebook to support Persona. Google often has interacted well with Mozilla's initiatives and is a financial backer of the company, and Facebook most recently collaborated with Mozilla on the Social API now in Firefox.
The news follows from last September's first Persona beta. Mozilla explained then that its desire in creating Persona was to help people keep their Web-browsing history private.
When the first beta was released, it was easy to be skeptical about it. Certainly privacy experts and Mozilla fanatics would favor it, but who else would move to it, especially in the face of years of login development by Google, Yahoo, Facebook, and Twitter?
Persona seemed like an even harder sell than Mozilla's Firefox OS or its Web app store, Mozilla Marketplace, because it flips the login paradigm to favor the user -- and that's not something many companies have prioritized of late.
Persona's multiaccount login provides an incentive to site owners who want to offer certain content only to those who are logged in: The site owner no longer has to worry about maintaining a database of passwords.
If Persona can successfully kill off the password, it may have created a longer-lasting legacy than any other tech innovation of the past decade. But that's a mighty big if, not to mention what happens if your one Persona login gets compromised.
Updated at 4:57 p.m. PT with more details on how Persona protects user passwords.
Updated at 2:55 p.m. PT with more details on how Persona works with OpenID and OAuth.
Updated at 8:30 a.m. PT with more details from Mozilla.