But then never implemented it in Firefox, even as a default-off optional feature.
It looked very half-hearted, and that was a really bad signal to the world.
And you're right, it appears to send the message that Mozilla did not see enough importance in federated, user-controlled identity on the web to make sure it landed in the desktop browser. But Mozilla, like all organizations, has to balance its priorities. There's a lot going on, and the decision was made that other projects would take priority. I hope the decision is revised in the future.
If it looked half-hearted, I can assure you it was not from lack of effort or dedication from the team. We believe in Persona and poured our hearts into it.
tldr; we couldn't get it to work.
Let's get something straight first. I'm not a fan of excuses. Persona failed to achieve its goals, and I'd rather we own up to what it was good at, and what it failed at, learn from it, and keep fighting for better authentication on the internet because that's what matters. We play to win at Mozilla based on the principle that to have influence in a market, you need adoption. We're willing to play the long game when we have some line-of-sight to success, in other words, but it was clear that even if we had a team of 100 on Persona we were not going to see adoption.
Persona was never close to being shippable on desktop. It's true that we spent effort trying to make Persona work for Firefox OS, and that effort did not result in a fantastic on-device experience. Sign-in to web? Yes. Sign-in to device? Not so much. Federated login is really hard, unsurprisingly, for UX reasons as much or more than raw technology reasons. This is difficult stuff, and changing user expectations about how an "account" works is very, very difficult.
As the AAR linked to in this post iterates, there were a lot of factors involved in why Persona never took off, but most important was the 3-way cold-start due to needing large numbers of users, supporting IdPs (email providers), and many RPs (websites) before the system as a whole could get to critical mass. There was simply no evidence at all that adding a native implementation would have pushed any of the large IdPs (i.e. email providers) to support the system. In fact, the opposite is true; when we decided to start offering more Firefox services ourselves we effectively had the kinds of authentication/authorization challenges any large IdP would have and we found Persona unfit for our needs. (entropy generation as one example, covered in the FAQ)
We could have kept adding complexity to Persona to support Firefox/Mozilla specific use cases, but I believe we made the right call and let Persona focus on its core value prop - sign-in to the web with a verified email. We spent time and money to stabilize and fix inconsistencies in the API, and signed up to continue running the core secondary service for the Internet. We've invested heavily, and continue to invest in pushing identity on the web forward.
One last comment: It's important to note here that we did choose the underlying BrowserID protocol for use with Firefox accounts, incurring significant engineering cost (supporting your own authentication stack is not free), so that if we're successful in becoming a large IdP, we get a chance to fight this federation fight again without being in an adoption stalemate next time. Will that future system be exactly Persona? Almost certainly not -- we have to be willing to iterate the design and protocols until we've got something that works -- but we do believe that BrowserID/VEP is the right technology to be building from, and that we should let Persona continue to fulfill its current sweet spot for sign-in to the web for sites that love the way Persona works.
The services that they're switching their focus to are also crucial for the open web. Firefox needs them to be competitive, and the open web needs a competitive Firefox. But it feels like putting Persona on the backburner—especially when it comes to UI integration in the browser—is letting a pivotal moment pass us by, and I don't think identity on the open web will recover.
If you held a donation drive for Persona browser integration, the donations from Hacker News alone would fund it.
However other organizations can and do work towards the same goals. I'm one of the creators of Tent[1] which shares a lot in common with Persona (including some community members) but is more ambitious in many ways.
In the Persona AAR Mozilla identified several reasons for Persona's failure to gain adoption[2] including that Persona "can't offer the same [as Facebook Connect] incentives (access to user data)". Tent's primary purpose is as a user data store and also supports features like address changes automatically (which Persona never did).
We were fans of and friendly with the Persona team, but I believe the best solutions to these problems will come from teams that aren't afraid to think bigger than Mozilla's strategy at the time allowed.
The work of federated identity solutions will continue on Tent and other projects, many of which are probably better suited for a wide variety of users and products than Persona would have been. Of course none of us have (or are likely to gain) the level of institutional (or financial) support that Persona had.
[1] https://tent.io
> Persona "can't offer the same [as Facebook Connect] incentives (access to user data)"
That sounds like a feature. Gathering ever-creepier amounts of personal information to serve marginally-more-effective ads is a losing game.
I think if there truly was a pressing need for Persona, we would have seen it get adopted rapidly and quickly. That's exactly what happened with Firefox. That's also what happened with Thunderbird, although to a lesser extent.
Openness is ideal, but it also requires some demand for that openness. Open systems that aren't adopted are really quite useless.
We can always take the wrong path, and find it hard or impossible to get back.
We may see an end to a single globally compatible internet in our working lives, we may see an end to strong encryption on devices not years old. Any legal action against these ends is surely something to celebrate?
(PS: Because it's email based, there's absolutely no lock in. Want to migrate away from Persona? Just add a password column to your database. But we hope it won't come to that.)
So XULRunner and Tamarin did not pan out. But we have lots of hits, some still ramping up: Firefox, Firefox OS, Gecko, Servo, Rust, Fennec, various SpiderMonkey iterations including OdinMonkey for Emscripten/asm.js, PDF.js, Shumway.
Negative results are important in science, as roc blogged once (he cited a "Journal of Negative Results", in one of the physical sciences I think). Let's learn from them and make better results, not deny that they happen or keep on banging heads against stout oak trees....
An SSO that provides no information other than a confirmed email would be ideal for user privacy, but app developers implementing SSO stand to benefit from the existing social network data of their users, and subsequently exclude Persona from their SSO options.
I hope the Google and Yahoo bridges are reconsidered. On paper they're a good idea but in practice, they add further complication and confusion to a concept that's already alien to most users.
Persona is a great idea on paper, but my outsider's perspective is that it has been very very challenging to implement in practice. The BrowserID protocol works great. User experience and login state management have been a bumpy ride.
My site (letscodejavascript.com) relies solely on Persona, so I hope it thrives, but I can't help being worried at this announcement.
I've never used a more simple SSO system before.
Without Mozilla to really champion it, it's dead
edit: so, anyone have a near alternative, that is open source, to invest time into that either will get browser uptake, or won't need it?
We'd love help! There are some get involved links at the bottom of our MDN page: https://developer.mozilla.org/en-US/Persona
I for one can't wait to see what the open source and HN community does with Persona and also can't wait to see what comes out of the Identity team as a result of this transition of focus.
Show me how to integrate it with a simple code snippet on the front page (and if it's not simple.. it needs to be). Honestly my eyes glazed over a little bit looking at the implementation details. Clearly it's not that hard, but the second thing is motivation which leads to..
Show me a video on the front page of how simple it is for users to login, and how any server can act as the authentication provider. It's too hard to understand the need.
I guess these are just personal suggestions but I think UX is the only thing holding Persona back.