e-Identity Blog

Mozilla Persona

October 16, 2012

Mozilla has just released the beta version of its authentication system, Persona. It effectively allows internet users to log in to web sites with just one password.

The authentication system is based on BrowserID, and it involves three parties: the user (and his/her browser), the resource provider and the identity provider. All three parties have to support and implement Persona. Before you say "this is never going to happen": the nice thing about Persona today is that it can be used right away as soon as the resource provider (the web site requiring a login) supports it, because Mozilla provides a fallback IdP as well as a JavaScript library that adds the missing functionality to browsers without native support.

The advantages for resource providers are:

  • they get an authenticated user and his/her email address.
  • it is easy to implement (much easier than OpenID/OAuth, as Mozilla states).

The disadvantages for the resource providers:

  • currently, the only attribute they get is the email address.

From the perspective of the user the advantages are:

  • a good user experience. The underlying public key mechanics are completely transparent to the user. One never has to deal with lost certificates, renewals, etc.
  • a good deal of privacy, because the IdP cannot keep track of the sites at which the user is authenticating.
  • flexibility and anonymity, because the user can change identity by using a different email address.

And the disadvantages for the user, apart from the fact that there are only very few Persona-enabled resources:

  • the identity is bound to the email address. Persona can manage multiple email addresses for one user, but the user has to remember which email address was used to authenticate at a specific web site.

Persona is an interesting concept, and I will try to use it as a user and as a resource provider in a small test site. Mozilla has found a way to use public key cryptography for user authentication without revealing it to the user. Of the three prerequisites (browser, resource, identity provider), I guess the IdP is the trickiest part. First, the mail providers have to develop a business model, and second, the quality of their service determines to a large extent the quality of the entire Persona authentication ecosystem.

Rolf Brugger


Links: