
My company is one of the early adopters of Persona/BrowserID. You can see our dual-auth (with Facebook) system here:

https://www.voo.st/

We've been live for several months now in the Real World - our userbase (amateur athletes) is primarily nontechnical. About half of our users choose Persona/BrowserID and half choose Facebook. We were initially concerned about the BID login flow (in particular, the immediate email roundtrip) but it hasn't been a problem and the UX has been refined quite a lot over the last month or two.

For a mass-consumer audience, the combined FB/Persona solution is excellent:

* Facebook unquestionably has the slickest auth experience, even eliminating the followup name/sex/bday questions. However, a significant percentage of the world (possibly > 25%) either Hates Facebook or wants to keep their Facebook account isolated. This is unlikely to change in the near future and could even get worse depending on what sleeping dogs Zuckerberg decides to kick next week. We don't have the option of alienating the FB haters and we wouldn't want to anyways.

* The Persona UX is good and rapidly getting better. BigTent integration with gmail, yahoo, hotmail will bring one-click login to those users. A native experience is being built into browser chrome. All this is coming without me having to write code. It may not be as slick as Facebook, but I like where this train is headed.

* Integration is simple compared to writing a username/password system. The API is incredibly easy to work with. Dual-auth with Facebook is a little more complicated, but a complete Persona-based auth system is a question of hours, not days.

* The fact that identity is just an email address makes it easier to integrate with existing login systems. In our system, you can log into the same account with both Facebook and Persona as long as the emails match. No, email is not a perfect identifier, but even nontechnical users understand it immediately and really - what other option is there? "What email address did I use?" is a lot better than "What weird combination of letters and numbers did I use as a login name?"

* Support on the Mozilla dev-identity list has been fantastic.

We're pretty happy. Honestly, I don't ever see myself writing another username/password login system ever again. Persona is less work for a better UX.
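
The email-matched dual login described in the comment above, as an added example that is not part of the thread or voo.st's code: an account is keyed on an email only after the Persona verifier response checks out (its `status`, `email`, `audience` and `expires` fields), and a second provider's email is used as a join key only when that provider marks it verified. `AUDIENCE`, the in-memory account map and the `emailVerified` flag are assumptions.

```javascript
// Added example, not code from the thread; AUDIENCE, the store and `emailVerified` are assumptions.
const AUDIENCE = "https://example.test:443"; // assumed origin of our site

// Trim and lowercase (a policy choice), and require exactly one "@".
function normalizeEmail(email) {
  if (typeof email !== "string") return null;
  const e = email.trim().toLowerCase();
  const at = e.indexOf("@");
  if (at <= 0 || at !== e.lastIndexOf("@") || at === e.length - 1) return null;
  return e;
}

// Persona verifier response -> verified email, or null if it must be rejected.
function emailFromPersona(resp, nowMs) {
  if (!resp || resp.status !== "okay") return null;
  if (resp.audience !== AUDIENCE) return null; // assertion was minted for another site
  if (typeof resp.expires !== "number" || resp.expires <= nowMs) return null;
  return normalizeEmail(resp.email);
}

// Second provider: use its email as a join key only if it vouches for it.
function emailFromOtherProvider(profile) {
  if (!profile || profile.emailVerified !== true) return null;
  return normalizeEmail(profile.email);
}

// One account per verified email; each provider that proves it is attached.
function signIn(accounts, provider, email) {
  if (email === null) return { ok: false, reason: "email not verified" };
  const created = !accounts.has(email);
  if (created) accounts.set(email, { id: accounts.size + 1, email, providers: new Set() });
  const acct = accounts.get(email);
  acct.providers.add(provider);
  return { ok: true, id: acct.id, created };
}

// Constructed sample inputs: same address via both providers, then two rejects.
function demo() {
  const accounts = new Map(), now = 1342000000000;
  const p = { status: "okay", email: "Runner@Example.test", audience: AUDIENCE, expires: now + 60000 };
  const other = { email: "runner@example.test", emailVerified: true };
  return {
    first: signIn(accounts, "persona", emailFromPersona(p, now)),
    second: signIn(accounts, "other", emailFromOtherProvider(other)),
    unverified: signIn(accounts, "other", emailFromOtherProvider({ ...other, emailVerified: false })),
    wrongSite: signIn(accounts, "persona", emailFromPersona({ ...p, audience: "https://other.test:443" }, now)),
    count: accounts.size,
  };
}
```

Without the `emailVerified` gate, anyone able to register an arbitrary address at the second provider would land in the account that Persona had tied to that address.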




OK so I tried to sign up to your site with BID and am pretty confused:

I'm using Chrome. Don't know if that affects things. Anyway.

Hit Browser ID, asks me for my email address. OK fine, add that in. It then says (quickly, and temporarily as it's an AJAX load), that it's looking up my email provider (Google Apps). It then asks me for my password.

So now I'm totally confused. I've not signed up with your site or BID before, so I don't know if it wants my GAPPS password or a new password. I don't feel like I want to put in my GApps password, as there is no Google branding anywhere and the URL is not Google.

So I try putting in my GAPPS password, because I use 2 factor, and it doesn't work. Most likely because I use 2 factor, and I can't authenticate with just my standard GAPPS password.

So it failed. I guess I'm an edge case as most people don't enable 2-factor on their Google account, but I was still really confused when it asked for my email password.

EDIT:

Same thing happened with Firefox version whatever the latest one is.

I'd say it's completely confusing, all in all.


I just tried it and once I entered my email address, it then asked: "Next, choose a new password you'll use when you sign in with Persona."

Not sure why you're confused.


From https://developer.mozilla.org/en/BrowserID/

"Website operators still get a verified email address for their users, and users only have to remember a single password. BrowserID is also intuitive, since email addresses are commonly understood to be associated with identities."

Mozilla is really stressing the "email address/single password" concept. If they really mean "email address/separate dedicated Persona password" then they should make this clear.


The language around the number of passwords you need is really hard to get right. If you have suggestions, please let me know.

In a world where every email provider supports Persona natively, Persona truly is a "no new passwords" authentication system, since it delegates to your provider. If your email address isn't supported, Persona asks you to create a single new password at login.persona.org. You can then add many other unsupported addresses, without needing more passwords. So it's an "at most one new password" system.


Simply always refer to the Persona password as "Persona password".

> In a world where every email provider supports Persona natively, Persona truly is a "no new passwords" authentication system, since it delegates to your provider.

I don't know what this means. I won't give Persona my gmail/yahoo-mail email password.


Yeah, it's confusing. If your email provider is supported, your browser talks directly to your email provider, without Mozilla in the middle. We don't want your passwords, honest! :)

You can try out the supported email provider workflow by signing up for a dummy account at eyedee.me, and then using that account to sign in at, say, 123done.org.


Wait, if this system works with a dummy account, then a valid email address isn't necessary at all. Any domain can set up an identity provider to support user@domain. Why drag email providers into the discussion, then? It confuses everyone.


It confuses you because you are a technologist. For 99.99% of the world, user@domain == email address.

"Sign in with your email address" gets the point across. "Sign in with your user identity at a controlling DNS authority" may be more accurate, but will actually confuse everyone.


> It then asks me for my password.

It asks you to create a password. (admittedly it could be clearer what you are creating a password for, i.e. persona.org)


I got confused by this as well. What's happening is that the email address he used already has a Persona account.

If your email address isn't known to Persona it will ask you to create a password, which is cool. Otherwise, it will just bring up a password box with your email address just above it.

I must have used BrowserID once when it was launched, because what the OP got happened to me and I was just as confused. It might not be a problem in the future when it's more well known, but it would be nice for it to have an indication that they want your Persona password, and not your email password.


Coincidentally I've asked a question about login systems just two days ago (http://news.ycombinator.com/item?id=4225270) where I mentioned BrowserID as one of the options. Apparently I hadn't properly checked out BrowserID/Persona because I thought of it as an OpenID replacement, not an email+password login replacement.

I'm positively surprised to see that you found a 50-50 balance between BrowserID and Facebook; I expected a lower pickup rate on BrowserID. So, I guess I've decided what login system to use for my project(s).

Thanks for the information.


Thanks for the detailed description! Nice to see actual experiences rather than speculation.

"a significant percentage of the world (possibly > 25%) either Hates Facebook or wants to keep their Facebook account isolated."

And some people don't even have a Facebook account. Around 6 billion people, last time I heard :)



