undefined | Better HN

0 pointsmmayo12y ago0 comments

Disclosure: the Identity team at Mozilla work for me.

tldr; we couldn't get it to work.

Let's get something straight first. I'm not a fan of excuses. Persona failed to achieve its goals, and I'd rather we own up to what it was good at, and what it failed at, learn from it, and keep fighting for better authentication on the internet because that's what matters. We play to win at Mozilla based on the principle that to have influence in a market, you need adoption. We're willing to play the long game when we have some line-of-sight to success, in other words, but it was clear that even if we had a team of 100 on Persona we were not going to see adoption.

Persona was never close to being shippable on desktop. It's true that we spent effort trying to make Persona work for Firefox OS, and that effort did not result in a fantastic on-device experience. Sign-in to web? Yes. Sign-in to device? Not so much. Federated login is really hard, unsurprisingly, for UX reasons as much or more than raw technology reasons. This is difficult stuff, and changing user expectations about how an "account" works is very, very difficult.

As the AAR linked to in this post iterates, there were a lot of factors involved in why Persona never took off, but most important was the 3-way cold-start due to needing large numbers of users, supporting IdPs (email providers), and many RPs (websites) before the system as a whole could get to critical mass. There was simply no evidence at all that adding a native implementation would have pushed any of the large IdPs (i.e. email providers) to support the system. In fact, the opposite is true; when we decided to start offering more Firefox services ourselves we effectively had the kinds of authentication/authorization challenges any large IdP would have and we found Persona unfit for our needs. (entropy generation as one example, covered in the FAQ)

We could have kept adding complexity to Persona to support Firefox/Mozilla specific use cases, but I believe we made the right call and let Persona focus on its core value prop - sign-in to the web with a verified email. We spent time and money to stabilize and fix inconsistencies in the API, and signed up to continue running the core secondary service for the Internet. We've invested heavily, and continue to invest in pushing identity on the web forward.

One last comment: It's important to note here that we did choose the underlying BrowserID protocol for use with Firefox accounts, incurring significant engineering cost (supporting your own authentication stack is not free), so that if we're successful in becoming a large IdP, we get a chance to fight this federation fight again without being in an adoption stalemate next time. Will that future system be exactly Persona? Almost certainly not -- we have to be willing to iterate the design and protocols until we've got something that works -- but we do believe that BrowserID/VEP is the right technology to be building from, and that we should let Persona continue to fulfill its current sweet spot for sign-in to the web for sites that love the way Persona works.

0 comments

2 comments · 2 top-level

robn_fastmail12y ago

> "needing ... supporting IdPs (email providers)"

Over at FastMail we seriously looked into implementing Persona across the board. We're one of the bigger "small" email providers and we figured that it would be a good thing to get in on the ground floor if it succeeded, and have a(nother) feature to differentiate us from our competition, and to be able to give feedback on the system from the iDp perspective.

The hard requirement for HTTPS or DNSSEC is what raised the bar too high for us in the end (see https://github.com/mozilla/persona/issues/1523 for more info). Basically, the domain owner needs to securely delegate to the identity provider. Since we provide DNS and basic web hosting for most user domains, that means we have to provide HTTPS certificates for every domain we manage (and at least one IP per domain) or be able to serve proper DNSSEC records for every domain we manage (difficult when many registries we use still don't support it).

DNSSEC is something we're working towards, and I'd really like to have full support available this year. HTTPS without needing one IP per domain and multiple certificates is still not yet feasible, though there are specs gradually coming down the pipeline for it (DANE, DNA, POSH, etc). Without all this tech in place, Persona seems to be a non-starter for a IdP that wants to manage lots of domains.

I don't blame the Persona guys for this. I know they tried and they got a lot of it right, and should be applauded for that. Maybe the next round of federated authentication will work. I have no idea, but I know we'd still like to be involved, and we'll be watching the space with interest.

davidgerard12y ago

The above text, as-is, REALLY needs to go into the linked FAQ. Thank you!

j / k navigate · click thread line to collapse