Mozilla links Gmail with Persona for email-based single sign-on The Mozilla Foundation has unveiled a new Identity Bridge that links its Persona single sign-on technology with Gmail, allowing all Gmail users to log in to Persona-enabled sites without entering a username or password. Persona works by having users register their email addresses with a server called a Persona Identity …
I see both up- and downsides to this. The downside is as you already described, the single point of failure. The upside is that if somebody figures out your password, it is easily changed at a single place. Many people use a single password for everything and do not even remember all the sites they have an account at, leaving them vulnerable to attack.
A possible issue with the idea of using a different password for each website is, that if your email gets broken into, most websites will allow a password reset, so the baddies will get access to all of them anyway. In effect you have the same single point of failure as you do with persona.
Unless of course you have a different email account for each website....
But what happens if you reset them email account passwords.... ahhhh pop.
Non-password authentication will always win security wise for a number of reasons, so now I just have to wait for el reg to get sorted with it :)
"Unless of course you have a different email account for each website.... But what happens if you reset them email account passwords"
I'm not sure if you are asking what I think you are asking, but I have specific e-mail addresses for certain accounts, all of which forward to another account that I monitor regularly. All password request changes go to that account too. I know about any changes without actually ever visiting the accounts ...
For the NSA etc.
Rather than having to ... demand information (I was going to say issue a warrent or subpoena but...) from multiple sites, they can just demand your authentication from the persona service.
Presumably the system relies on the persona service validating the certificate , so if they say "yes, this NSA certificate is valid for this user" then the trusting websites will let them in to any-ones accounts?
In my experience most people use just one or two passwords for everything and just one or two email addresses too. We all know that this is a bad thing but I can't even persuade my wife (who is quite tech savvy) to change her ways; what chance with the rest of the world?
Persona isn't perfect but it is a lot better version of the single password everywhere option. Who knows we might even be able to persuade people to change their passwords occasionally if they only have to change it in one place.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
