I'd rather they made OpenID less scary (to average Joe) instead.
When you use a computer that's not your own, Persona keeps the session time very small. Of course, when you're done using that computer, you should ideally clear cookies, just like you would if you used OpenID or Facebook on a shared computer.
This is safe on a public computer or shared device, if you log out.
Persona also has some UI around public versus personal devices.
If we're going to have browser support anyway, I'd rather just use standard two-way SSL and put the work into developing better UI and private key distribution systems for it. It's even more secure and has a great user experience once you've set up the key in the browser and authorized it to the site.
BrowserID (Persona) took me minutes to implement. On a non-trivial project, it may take a couple hours. The beauty of this is the fact that it still works without built-in browser support. It's designed to be a forwards-compatible API that only becomes more usable with time.
Additionally, email is an excellent way to establish a user's identity, and the fact that it's designed around email makes it easy for a regular person to understand its authentication flow.
The problem with SSL is that it is an all-or-nothing technology. There's a chicken and egg problem: people won't make good UI for it until it's widely used, but people won't use it until it has a good UI. Persona provides an implementation of BrowserID that has a decent UI, and the user experience will only get better with time as more people use it. The chicken/egg problem is solved there, but two-way SSL right now is practically unusable for anyone who isn't very familiar with it (most people). Using an email address is very familiar, though.
I couldn't be happier with a sign-in solution. It even complements my legacy solution very well; you can see a demo at http://www.yourpane.com (click "Persona", never mind the email field).
How will my mom log in to an SSL-certificate-requesting site from another computer?
Has there been any writeup that explains the potential impact of Persona on privacy? Not just the impact when used as intended, but also any unintended effects?
https://www.youtube.com/watch?v=QDSh3osE4GQ
Also, see this blog post:
http://identity.mozilla.com/post/7899984443/privacy-and-brow...
(Maybe I'm not looking deep enough? Anyway, thanks in advance.)
More importantly, I really dislike the answer to the second question from the audience. Even when the system is fully supported without fallbacks, hacking a person's email account will grant the attacker the ability to log into all websites as the victim?
I already am quite concerned with how much control over everyone's identities services like Gmail have. If I understand it correctly, Persona will give them more direct control over users' identities. It's only decentralized in the sense that different email providers will be able to implement it separately and verify the identities of their users.
I hope I'm missing something from the big picture here.
I suppose mobile apps would ideally use some sort of Persona login service provided by the underlying OS, and until such a thing exists I guess an app could reimplement all the user-agent logic and load the user's login page in a webview. But I have no idea how at all I would go about designing an API for a website which uses Persona for logins.
The bug to watch is this one: https://github.com/mozilla/browserid/issues/2034. Supporting environments without popups will clear the way for good native SDKs.
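The server side of the flow discussed in this subthread (the relying party POSTs the browser's assertion plus its own audience to the verifier, then trusts the answer only after checking it), as an added example; this is not code from the thread, from the demo site above, or from Mozilla. It assumes a configured audience of https://example.com and uses constructed sample responses in the shape the BrowserID verifier API documented (`status`, `email`, `audience`, `expires`, `issuer`, or `status: "failure"` with a `reason`). The hosted verifier at verifier.login.persona.org was decommissioned in 2016, so the request builder is shown for completeness and the checks are what matter.

```javascript
// Added example (not from the thread or from Mozilla): relying-party checks on
// a BrowserID/Persona verifier response. Sample responses are constructed.

// The audience must come from the relying party's own configuration, never
// from the incoming request's Host header, which the client controls.
const CONFIGURED_AUDIENCE = "https://example.com"; // assumed value

// Builds the request the relying party would send to the verifier.
// Endpoint as documented for the hosted Persona verifier (no longer live).
function buildVerifierRequest(assertion, audience) {
  return {
    url: "https://verifier.login.persona.org/verify",
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ assertion, audience }),
  };
}

// Parses the verifier's JSON body; malformed input becomes null rather than
// an exception so the caller treats it as a failed verification.
function parseVerifierResponse(body) {
  try {
    const parsed = JSON.parse(body);
    return parsed && typeof parsed === "object" ? parsed : null;
  } catch (e) {
    return null;
  }
}

// Returns {ok: true, email, issuer} only when every check passes, otherwise
// {ok: false, reason}. nowMs is injected so the expiry check is testable.
function validateVerifierResponse(resp, expectedAudience, nowMs) {
  if (!resp) return { ok: false, reason: "unparseable response" };
  if (resp.status !== "okay") {
    return { ok: false, reason: resp.reason || "verifier reported failure" };
  }
  // The verifier echoes the audience it was asked to check. An assertion
  // minted for another site must not log anyone in here.
  if (resp.audience !== expectedAudience) {
    return { ok: false, reason: "audience mismatch" };
  }
  // expires is a millisecond timestamp; reject anything already past.
  if (typeof resp.expires !== "number" || resp.expires <= nowMs) {
    return { ok: false, reason: "assertion expired" };
  }
  if (typeof resp.email !== "string" || !resp.email.includes("@")) {
    return { ok: false, reason: "no verified email in response" };
  }
  return { ok: true, email: resp.email, issuer: resp.issuer };
}

// Constructed sample responses for illustration.
const NOW = 1700000000000;
const SAMPLE_OK = JSON.stringify({
  status: "okay",
  email: "alice@example.org",
  audience: "https://example.com",
  expires: NOW + 120000,
  issuer: "example.org",
});
const SAMPLE_WRONG_AUDIENCE = JSON.stringify({
  status: "okay",
  email: "alice@example.org",
  audience: "https://other.example",
  expires: NOW + 120000,
  issuer: "example.org",
});
const SAMPLE_FAILURE = JSON.stringify({
  status: "failure",
  reason: "assertion has expired",
});

// Runs the checks over the samples; returns the results for inspection.
function demo() {
  const check = (body, now) =>
    validateVerifierResponse(parseVerifierResponse(body), CONFIGURED_AUDIENCE, now);
  return {
    good: check(SAMPLE_OK, NOW),
    wrongAudience: check(SAMPLE_WRONG_AUDIENCE, NOW),
    failure: check(SAMPLE_FAILURE, NOW),
    expired: check(SAMPLE_OK, NOW + 200000),
    garbage: check("not json", NOW),
    request: buildVerifierRequest("<assertion-from-browser>", CONFIGURED_AUDIENCE),
  };
}

console.log(demo());
```

Only the `good` case yields an email to create a session for; everything else is rejected with a reason the relying party can log. Pinning the audience to a server-side constant is the check most easily gotten wrong when a site is reachable under several hostnames.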
OpenID usually doesn't reveal your email address.
For example, when logging in to Google via OpenID, Google will only send back a unique identifier that means 'yes, the user has a Google account' but no other personal information. Yahoo does the same.
(of course, it's possible to use OpenID extensions to get a user's email at their discretion)
Does Persona work in the same way?
1. It prevents lock-in to Persona. (If you want to migrate away from Persona, you can just send the users an email and introduce the new authentication mechanism.)
2. Most websites will need some way to contact the user, and will ask for their email address anyway.
3. Users understand the concept of email addresses as identifiers.
If you care about keeping your email address private, you can always use the features your email provider offers such as forwarding email addresses.