In the summer of 2011, Mozilla unveiled a new single sign-on (SSO) system to the web under the name BrowserID; it has since been rebranded as Mozilla Persona. The first developer beta shipped in September of last year, and earlier this month the first public release, Beta 2, followed. Mozilla's site describes Persona as "an identity system for the web". But is it all it is cracked up to be? There are many SSO options out there, from Facebook Connect to Twitter and Google, and then there are the open, decentralized ones like OpenID, which have existed for years without ever gaining much traction. Will Persona fare any better?

First, what sets this new system apart from the existing ones? The first point Mozilla hammers home is privacy. A big problem that organizations, and many other parties, have with something like Facebook Connect is that identity and data sharing come bundled into one package. Signing up to a web site with your Facebook account does not just authenticate you; depending on the permissions the site requests, it also hands over a large amount of information, giving the site access to your profile so it can see your friends, post on your behalf, and so on. The second advantage of Persona is that users keep control of their data: the sign-on is built around a plain email address, something every web user is likely to have, and the site learns that verified address and nothing more. You do not need a Facebook, Twitter, Google or even a Mozilla account to use Persona. Finally, the developers say the eventual goal is for Persona to be built into the browser. That is very likely to happen in Firefox, since it is their browser, but I would not hold my breath waiting to see Persona inside IE, although plugins are always possible.

The Mozilla developers have been in the news lately talking up Persona's benefits, especially when compared with Facebook. In a recent interview they championed the security advantages in particular: individual web sites no longer have to build or maintain password handling themselves, and because they never store passwords, a compromise of their servers puts users at less risk. Those advantages are real, and for anyone who wants a single sign-on that is not tied to their entire digital life the way a Twitter or Facebook account is, this may prove to be the answer. But OpenID already exists for that, so why did it not become hugely successful? The problem with a service like this is that it needs critical mass to be useful: many web sites have to implement it, and many users have to know about it.

Facebook Connect has become the most popular SSO solution because so many people already use Facebook, and many sites already implement their social plugins. The company very wisely used its reach to promote new services, even though many developers who used the Facebook API in the past will tell you that it’s far from the best solution out there. Plus, if you try to log into a web site and see a Facebook window pop up, then you know what that is. If the window instead speaks about Persona and Mozilla, most users would have no idea what those are. So for now, this new system suffers from a branding issue.

Some developers who have tried the Persona API have also reported issues. The system is still in beta, and the API is likely to change. Sessions are sometimes terminated for no apparent reason, randomly logging users out, and the interface on some mobile platforms is still not optimal. Of course, Persona is new and will improve; the mobile version of Facebook Connect was awful for a long time before it became usable. Most importantly, if you run a web site, none of these issues should stop you from learning about Persona and considering it for your site. Why? For a simple reason: choice. The web is meant to offer users choice, and it has been shown many times that letting a single company control the gateways or portals is a bad idea, whether that was AOL in the early 1990s or Microsoft through Internet Explorer.

Persona is easy to implement and needs only a short walkthrough; you can add it to your site, web app or mobile app in a matter of hours. Here is what you need to know to offer it to your own users. Right now the integration is done in JavaScript, although Mozilla hopes to add native browser support later. To get access to the Persona functions, include https://login.persona.org/include.js in your page. Mozilla also recommends turning off IE compatibility mode with the header X-UA-Compatible: IE=Edge, because the Persona pop-up breaks under compatibility mode. The next step is to add sign-in and sign-out buttons that call navigator.id.request() and navigator.id.logout(). Then register onlogin and onlogout callbacks with navigator.id.watch(), passing the email address of the user your session currently considers signed in (or null) so that Persona can tell when its state and your session disagree. Finally, the onlogin callback hands you an assertion, which your backend must verify, for example by posting it together with your site's audience (scheme, host and port) to https://verifier.login.persona.org/verify.
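The client side of those four steps, wired together, as an added example that is not Mozilla's code or code from the original article. It assumes two hypothetical backend routes, POST /auth/login (which takes the assertion and returns 200 only after the server has had it verified) and POST /auth/logout, and that the page renders the current session's email into window.CURRENT_USER (or null); the element ids signin and signout are likewise assumptions.

```javascript
// Added example (not Mozilla's code): wiring Persona's client-side API into a page.
// Assumed: POST /auth/login and POST /auth/logout exist on the backend, and the
// page exposes the session's email as window.CURRENT_USER (null when signed out).

// Register Persona's callbacks. `personaId` is navigator.id, passed in so the wiring
// can be exercised outside a browser. `loggedInUser` is the email the server-side
// session holds; Persona compares it with its own view of who is signed in and calls
// onlogin or onlogout to bring the two into agreement, so an already signed-in user
// is not re-verified (and the page not reloaded) on every load.
function wirePersona(personaId, loggedInUser, postJson, reload) {
  personaId.watch({
    loggedInUser: loggedInUser,
    onlogin: function (assertion) {
      // Hand the assertion to the backend untouched. The client never parses it:
      // the email inside is untrusted until the server has had it verified.
      postJson('/auth/login', { assertion: assertion }).then(function (ok) {
        if (ok) {
          reload();
        } else {
          // Backend rejected it: tell Persona too, or it will keep calling onlogin.
          personaId.logout();
        }
      });
    },
    onlogout: function () {
      postJson('/auth/logout', {}).then(reload);
    }
  });
}

// Small fetch wrapper; resolves to true on a 2xx reply.
function postJsonWithFetch(url, body) {
  return fetch(url, {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body)
  }).then(function (res) { return res.ok; });
}

// Browser only: hook the buttons and start watching. The guard keeps the file
// loadable under Node, where navigator.id does not exist.
if (typeof document !== 'undefined' && typeof navigator !== 'undefined' && navigator.id) {
  document.getElementById('signin').addEventListener('click', function () {
    navigator.id.request();   // opens the Persona pop-up
  });
  document.getElementById('signout').addEventListener('click', function () {
    navigator.id.logout();    // makes Persona fire onlogout
  });
  wirePersona(navigator.id, window.CURRENT_USER || null, postJsonWithFetch,
              function () { window.location.reload(); });
}
```

The one non-obvious choice is the loggedInUser argument: if you pass nothing, Persona assumes nobody is signed in and will call onlogin on every page load for a user whose browser still holds a Persona session, which produces exactly the verify-and-reload churn that looks like "random" sign-outs.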

Code samples and the full list of API functions are on the dev site, but as you can see, four simple steps get you started. If you have worked with the Facebook or Twitter APIs in the past, you will notice that the Persona API differs significantly. Most APIs out there use OAuth: you request a token for the user and then present that token back to authenticate them. With Persona, when a user signs in, the browser (or the include.js shim) produces an assertion: a cryptographically signed statement that the user controls a given email address, bound to your site's origin and valid only for a short time. No token is passed at this stage. Your server then has to verify that assertion, either with verifier code you run yourself or with a hosted verifier such as the one Mozilla offers at https://verifier.login.persona.org/verify, and it must check that the audience in the verified result is exactly your site's origin, since an assertion issued for another site must never log anyone into yours. That verification obviously belongs in the backend, not in client-side JavaScript, which an attacker could simply bypass. Because the protocol is open, any email provider can act as the identity provider for its own users, and with Beta 2 Mozilla announced that all Yahoo email addresses can be used to log in with Persona, through an identity bridge that Mozilla operates.

So is Persona the future of the web? Maybe. From a security standpoint it seems very well designed. It lets users log in to new sites without creating new usernames or passwords, and because it is open, you never need to keep Mozilla in the loop at all: run your own verifier and you can implement the whole process yourself. It has the potential to make sign-on easier for users and developers alike. Right now, however, it suffers from a branding problem: very few web sites use it, and almost no users know about it. But as it becomes more popular, it does have a chance to make a dent on the social sign-on front.