back to article Mozilla links Gmail with Persona for email-based single sign-on

The Mozilla Foundation has unveiled a new Identity Bridge that links its Persona single sign-on technology with Gmail, allowing all Gmail users to log in to Persona-enabled sites without entering a username or password. Persona works by having users register their email addresses with a server called a Persona Identity …

COMMENTS

This topic is closed for new posts.
  1. Pen-y-gors Silver badge
    Thumb Down

    Single login?

    Am I the only one who thinks this whole 'single login' thing is a really, really bad idea? Hack once, rifle through many different accounts.

    I'll stick to different passwords for every site, and very different ones for anything financial.

    1. Martijn Otto

      Re: Single login?

      I see both up- and downsides to this. The downside is as you already described, the single point of failure. The upside is that if somebody figures out your password, it is easily changed at a single place. Many people use a single password for everything and do not even remember all the sites they have an account at, leaving them vulnerable to attack.

    2. roomey
      Black Helicopters

      Re: Single login?

      A possible issue with the idea of using a different password for each website is, that if your email gets broken into, most websites will allow a password reset, so the baddies will get access to all of them anyway. In effect you have the same single point of failure as you do with persona.

      Unless of course you have a different email account for each website....

      But what happens if you reset them email account passwords.... ahhhh pop.

      Non-password authentication will always win security wise for a number of reasons, so now I just have to wait for el reg to get sorted with it :)

      1. Intractable Potsherd Silver badge

        Re: Single login? @roomey

        "Unless of course you have a different email account for each website.... But what happens if you reset them email account passwords"

        I'm not sure if you are asking what I think you are asking, but I have specific e-mail addresses for certain accounts, all of which forward to another account that I monitor regularly. All password request changes go to that account too. I know about any changes without actually ever visiting the accounts ...

    3. Anonymous Coward
      Thumb Up

      @Pen-y-gors - Re: Single login?

      You're not the only one. SSO without some form of additional token/biometric check just seems like asking for trouble.

      1. Dan 55 Silver badge
        Stop

        Re: @Pen-y-gors - Single login?

        Er, Persona uses certificates. You can only sign on from the browsers which have your certificates installed.

        1. Anonymous Coward
          Anonymous Coward

          @Dan 55 - Certificates

          Good point - it isn't as weak a solution as I implied. I have a general aversion to the concept, though, but maybe I'll warm to it over time.

    4. Mage Silver badge
      Devil

      Re: Single login?

      Indeed this is one of the aspects I hate about Google. What has Google Code to do with YouTube?

  2. Justicesays
    Big Brother

    Sounds like a great facilitator ...

    For the NSA etc.

    Rather than having to ... demand information (I was going to say issue a warrent or subpoena but...) from multiple sites, they can just demand your authentication from the persona service.

    Presumably the system relies on the persona service validating the certificate , so if they say "yes, this NSA certificate is valid for this user" then the trusting websites will let them in to any-ones accounts?

  3. cotsweb

    Better for most people

    In my experience most people use just one or two passwords for everything and just one or two email addresses too. We all know that this is a bad thing but I can't even persuade my wife (who is quite tech savvy) to change her ways; what chance with the rest of the world?

    Persona isn't perfect but it is a lot better version of the single password everywhere option. Who knows we might even be able to persuade people to change their passwords occasionally if they only have to change it in one place.

  4. egeria
    FAIL

    improper usage of API

    Error

    Please close this window and try again.

    Action: error in https://webmaker.org

    Now: Fri, 09 Aug 2013 16:11:00 GMT

    improper usage of API: Error: Could not get IdP Verification Info

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019