The Mozilla Foundation has shipped a second public beta of its Persona web-login technology featuring a new capability called Identity Bridging, which makes it easier for users to access sites using only their email addresses and no additional passwords. "The goal of Persona is simple: we want to eliminate passwords on the Web …
First time reading/hearing about this.
Is this another single sign on attempt? Like MS Passport? Which no one wanted or trusted.
I still don't get why ease of use is better than having a decentralised point of failure. If that database (as far as I understand you still sign into Persona and it uses wizardry to sign you in elsewhere) got compromised you'd still be up a creek without a paddle.
You mean "Up IT creek without a paddle" eh?
Persona is actually completely decentralized -- there is no single point of failure in the underlying protocol. There *is* a temporary, centralized fallback so that Persona can Just Work for everyone right now, but that centralization automatically disappears bit by bit as domains turn on native support for Persona. Check it out: http://identity.mozilla.com/post/46374271364/persona-is-distributed-today
It works by initially authenticating you using your e-mail provider, getting a certificate in return, and storing the certificate on the browser. Later on the browser uses that certificate to talk directly to the site. It's arguably orders of magnitude more secure than that Passport string-and-paperclip thing held together by cookies.
The wizardry is only necessary if the browser doesn't natively support Persona. If it gets ratified as a standard then they will all eventually support it, if not then there'll probably be add-ons available until it finally does pick up momentum.
So now with this "amazing new feature" I will need to create a corporate IT-grade user security policy for my family computers? Right now, family members can share a common user session on the living room PC and not have to worry about other people casually snooping their email, etc. They just log out/close the relevant browser window and walk away... because the login passwords are secret and not saved. Browser-level passwordless, persistent SSO breaks this.
What's that you say? "Don't use Persona then"? No argument from me—I just hope it can be disabled by policy. Anything to mitigate the opportunity of strife at home...
Convenient indeed for criminals
Wise people will not put many eggs in a basket.
One identity is one identity too many.
Another data gathering exercise?
I already get invitations from my e-mail provider to give them my mobile phone number in case I lose my password -- or so they can sell on my number to marketing pests.
Here the risk presumably is that more sites get to know your email address, so they could sell it on.