Mozilla Persona: What you should know and how to implement it
In the summer of 2012, Mozilla unveiled a new single sign-on (SSO) solution called Mozilla Persona to the online world. At the time, their branding was actually BrowserID, but since then, they rebranded everything around the Persona name. In September of last year, their first developer beta was released, and earlier this month they introduced their first public release, beta 2. The way their web site describes it, Persona is an identity system for the web. But is it really all that it is cracked up to be? There are many SSO solutions out there, from Facebook Connect to Twitter, Google and more. Then there are the completely open source and decentralized solutions like OpenID, which have existed for a long time and never really got much traction. So will Persona fare any better?
First, let’s see how this new system differs from the existing ones. The first point that Mozilla hammers home is privacy. One big problem that organizations, as well as many other parties, have with something like Facebook Connect is that identity and data sharing are mixed into one package. By signing up to a web site using your Facebook account, you are not only authenticating, but also sharing a vast amount of information, giving the web site access to your profile so they can see your friends, post to them, and so on, based on the permissions that the site asks for. The second advantage for Persona is that users control their data. The sign-on process is based on a simple email address, something that every user of the web would likely have. You do not need a Facebook, Twitter, Google or even a Mozilla account to use Persona. Finally, the devs say that eventually, the goal would be for Persona to be integrated in the browser. This is very likely to happen in Firefox, since that is their browser, but I would not hold my breath to see Persona inside of IE, although plugins are always possible.
The Mozilla devs have been in the news lately clamoring about Persona’s benefits, especially when compared with Facebook. In a recent interview, they championed the security advantages in particular, where individual web sites do not have to create or maintain authentication codes themselves, so there is a lower risk for users if their servers are compromised. Certainly, the advantages there are undeniable, and for anyone who wants a single sign-on that is not tied to their entire digital life, like their Twitter or Facebook account might be, this may prove to be a solution. But OpenID already exists for that, so why did that not become hugely successful? The problem with a service like this is that for it to be useful, you need a critical mass. You need many web sites to implement it, and many users to know about it.
Facebook Connect has become the most popular SSO solution because so many people already use Facebook, and many sites already implement their social plugins. The company very wisely used its reach to promote new services, even though many developers who used the Facebook API in the past will tell you that it’s far from the best solution out there. Plus, if you try to log into a web site and see a Facebook window pop up, then you know what that is. If the window instead speaks about Persona and Mozilla, most users would have no idea what those are. So for now, this new system suffers from a branding issue.
There are also some developers who tried the Persona API and reported issues. For example, the system is still in beta, and is likely to change in the future. While users are logged in, sometimes the session may be terminated for unknown reasons, randomly logging users out. Finally, the interface on some mobile platforms is still not optimal. Of course, Persona is still new, and as such, it will improve. The mobile version of Facebook Connect was awful for a long time before it became usable. But most importantly, if you have a web site, none of these issues should prevent you from learning about Persona, and thinking about implementing it on your site. Why? For a simple reason: choice. The goal of the web is to offer users choice. It has been proven many times that having a single company control gateways or portals is a bad idea, whether that was AOL back in the early 1990s, or Microsoft thanks to Internet Explorer.
So is Persona the future of the web? Maybe. From a security standpoint, it seems very well designed. It allows users to log in on new sites without having to create new usernames or passwords. Because it’s open, you never even need to keep Mozilla in the loop, and can implement the whole process yourself. It has the potential of making the process easier as well, both for users and developers. Right now, however, it suffers from a branding problem, where very few web sites use this system, and almost no user knows about it. But as it becomes more popular, it does have a chance to make a dent on the social sign-on front.