Authentication mechanisms and they way they are implemented can have bleedover into the ability of a user to maintain control of their anonymity and privacy.
Has there been any writeup that explains the potential impact of Persona on privacy? Not just the impact when used as intended, but also any unintended effects?
There's an hour long video discussing the measures taken to protect the user's privacy, given by Ben Adida, one of the developers. It's 12 months old, but I believe the protocol hasn't changed enough to make the information out of date.
I'm not aware of any standalone articles, but something of that nature would be really fantastic. Such an article would probably be best if written by someone outside of the Persona team.
I can't come up with any reason why this isn't going to be massive. The password problem is the single most frustrating and alienating issue I can think of for normal users.
Two big issues so far: it still uses email for password resets (without alternatives that I know of) and it doesn't work without JavaScript. I hope both of them get addressed.
The fallback identity provider (at login.persona.org) does use email for password resets, but other identity providers will likely use other mechanisms.
I hope so, but why not do the right thing in the default identity provider?
Lately, there have been tons of high-profile hacks that boiled down to taking control of victim's email and resetting passwords to other accounts. What's seems to be the best response possible from web developers? Is it:
a) Demand that all your users use Gmail with enabled two-factor authentication, then smugly blame them for all security issues if they don't.
b) Stop using emails for password resets, since you don't really know how trustworthy your users' email providers are.
One of the ways crackers gain access to a user's email is by guessing their password, a simple task when a huge number of users use the same password everywhere. With Persona, only your email provider (and the persona.org fallback) have your password (two passwords in the case of the fallback), hashed or not.
If you're already a password ninja and use a different and unpredictable password on every different site without forgetting them, Persona isn't an improvement in security. If you don't, as most users don't, Persona makes authentication more secure and more user-friendly at the same time.
With Persona, your weakest point would still be your email provider, which is why it would still be wise to recommend two-factor authentication for your email.
If you're already a password ninja and use a different and unpredictable password on every different site without forgetting them, AND you have enabled two-factor authentication with your email provider, Persona IS an improvement in security. This is because, with Persona, having two-factor authentication for your email would automatically mean two-factor authentication for all your websites as well.
I use Two-Factor Authentication across a lot of my accounts. I feel a lot more secure when I can telesign into my account. If you have that option available to you use it, it is worth the time and effort to have the confidence that your account won't get hacked and your personal information isn't up for grabs. If you opt into 2FA, you will have to "Confirm your phone". You would receive a text message with a specific code to be entered into the system. If you don't want to do this every single time, you can designate your smartphone, PC, or tablet as a trusted device and they will allow you to telesign in without the text code. Should an attempt to login from an unrecognized device happen, it would not be allowed.
Your last point is not completely accurate; with Persona and 2-factor auth on your email account, you would then have verified ownership of your email account via 2-factor authentication. This doesn't mean that every assertion generated by your Persona account will have been generated with 2-factor auth.
Because it's not the "default" identity provider, it's the "fallback" identity provider.
They're trying to define a open standard which would end up with any number of identity providers. The goal is something that can bootstrap the system into usage.
As far as what to do about users? You can't fix the problem. Nothing is going to be 100% secure, and the flesh is always going to be the biggest weakness if the machine has been well designed.
If you really want conjecture on it, though, I would suggest you first ask "Is this something tied to a citizen's identity, or a online identity?", because most things that process fiat currency in any capacity will fall into the former, and should probably merit a recovery system outside of email.
I would argue, however, that anything falling into the latter and should be handled with email.
Public key crypto has many usability problems, but it solves a lot of other problems. I wish some of the big mail providers like Google would throw some money and people at it.
That depends on the kind of services they provide. Simplest options that come to mind are nothing (like this wesbsite) or a printed reset code with owner notification on use and 1-day wait period. At the very least they can allow power users to disable password resets when they want.
Nothing is extremely painful for a federated identity protocol (although I think it should be a clear option for those of us who take these things seriously!). Printed reset codes are part of the way there, but how many people will actually save or print out the file?
SMS confirmation is another mechanism, and one that is viable in most of the world, but has a different set of risks.
I think a combination of these are a good approach, but this is a really tough problem in the identity space, and if you have any suggestions on how to improve it in a way that is viable for a large user base, your feedback would be greatly appreciated!
How would I log in from a friend's computer with Persona? How about from an Internet cafe; how safe would it be?
Persona looks like something that lock's you into a certain device or at least makes it harder to log in on device's that are not your own.
I'd rather they made OpenID less scarry (to average Joe) instead.
Logging into a different device is not a problem, you just get a different certificate in that device's browser and it allows you to login in the same way.
When you use a computer that's not your own, Persona keeps the session time very small. Of course, when you're done using that computer, you should ideally clear cookies, just like you would if you used OpenID or Facebook on a shared computer.
Are there any good descriptions for how Persona works? I can find plenty of developer documentation on this site, but I can't seem to find a good, concise description of what parties are involved and what the protocol is, etc.
(Maybe I'm not looking deep enough? Anyway, thanks in advance.)
I just watched the video. So, apparently, the long-term goal is to have email providers to support this and sign user certificates. I'm still not clear on what information a certificate would contain.
More importantly, I really dislike the answer to second question from the audience. Even when the system is fully supported without fallbacks, hacking person's email account will grant the attacker ability to log into all websites as the victim?
I already am quite concerned with how much control over everyone's identities services like Gmail have. If I understand it correctly, Persona will give them more direct control over user's identities. It's only decentralized in a sense that different email providers will be able to implement it separately, and verify identities of their users.
I hope I'm missing something from the big picture here.
Persona does place a lot of power in the hands of email providers, but as Flimm points out, that's already the status quo. Persona doesn't make that any worse.
What's more, Persona can be used with any email provider, so users can control who they trust, or take that trust into their own hands. Because that trust relationship is more explicit, users are (as your post demonstrates) more likely to consider the implications of trusting a specific email provider, which is a good thing.
A world with better password reset policies is still a world with passwords, and leak after leak have shown that 1) it's hard to get every site to do the right thing, and 2) people use and re-use terrible passwords. Persona lets sites do the right thing by default (since there is no password to store), and it lets me as a user better control my own security.
> Even when the system is fully supported without fallbacks,
> hacking person's email account will grant the attacker
> ability to log into all websites as the victim?
With or without Persona/BrowserID, your email account(s) is the key for logging into a whole bunch of other Web services, since it is already used for resetting passwords and such. Persona/BrowserID does not solve this problem.
The big picture is that it makes distributed identity easy for the average user to grok.
> If I understand it correctly, Persona will give [identity services like Gmail] more direct control over user's identities.
No, Gmail already has that control. Almost every website out there allows you to reset your password by sending you an email. If you control the user's email, you can change their passwords. Persona changes nothing in this regard.
1. Right now, Gmail has only as much control over accounts as individual website developers give it. It's up to us to implement alternative password reset system and make them the default. Any website can (and in my opinion should) switch to something else at any time, because, firstly, password reset system is decoupled from core authentication mechanism and, secondly, it is under web developer's control. Mass adoption of Persona will change this problem from locally solvable to unsolvable. If this becomes the authentication standard (which seems to be the project's goal), you will have to trust user's email provider.
2. Right now, Gmail can reset your password, but it cannot silently authorize someone else to use your account without you knowing. It seems (and correct me if I'm wrong here), that with Persona such scenarios will become possible.
1. You're comparing Persona to an imaginary world where most websites don't rely on email providers to prove authentication. I'm comparing Persona with the actual situation where people use the same password everywhere. Persona isn't perfect, but it is much better than what the vast majority of websites use, and it allows even better methods to be implemented where needed. Furthermore, Persona is more usable, and therefore more attractive and more likely to be deployed widely.
2. Yes, it can. It can delete password reset notifications. If the notification contained the password in plain text, then there would be no easy way to find out whether Gmail logged in to your account on X. If the notification contained a password reset link, there is a possibility that the user would subsequently discover that their password was no longer accepted on X. But given that most users use the same password everywhere, Gmail already has a huge potential for evil, as it could just use the passwords it has already collected. Users that worry about Gmail can use an alternative email provider or their own, after all, email and Persona are both decentralised. Website developers that worry about Gmail can use other authentication methods on top of Persona, such as in-house two-factor authentication.
tldr; if Gmail is evil, both Persona and current systems can't stop it. If that worries you, use your own email server, and use other authentication methods on top of Persona on your websites.
You're comparing Persona to an imaginary world where most websites don't rely on email providers to prove authentication.
I'm comparing hypothetical mass-adoption of Persona with hypothetical mass-adoption of alternative password reset policy. It seems like a fair comparison.
Or another way to look at it is that you put the burden of choosing a responsible identity provider on the user. If the user chooses poorly they get owned, not you.
I really like the overall result of Persona when used for logging into a web site, but has anyone come up with a good way of integrating Persona login with mobile apps or APIs?
I suppose mobile apps would ideally use some sort of Persona login service provided by the underlying OS, and until such a thing exists I guess an app could reimplement all the user-agent logic and load the user's login page in a webview. But I have no idea how at all I would go about designing an API for a website which uses Persona for logins.
We don't have a good path for native apps, yet. There have been a few experiments using Persona in native iOS (Pancake) and Android (Soup) environments, and it apparently works great in PhoneGap apps, if you use the ChildBrowser plugin.
Other than the benefit of using strong crypto under the hood, I'm not sure what benefits this has over a system like openid. It has about the same level of interactional complexity, and at the additional cost of requiring browser support.
If we're going to have browser support anyway, I'd rather just use standard two-way SSL and put the work into developing better UI and private key distribution systems for it. It's even more secure and has a great user experience once you've set up the key in the browser and authorized it to the site.
Usability involves more than one target audience: it also has to be easy for developers to integrate.
BrowserID (Persona) took me minutes to implement. On a non-trivial project, it may take a couple hours. The beauty of this is the fact that it still works without built-in browser support. It's designed to be a forwards-compatible API that only becomes more usable with time.
Additionally, email is an excellent way to establish a user's identity, and the fact that it's designed around email makes it easy for a regular person to understand its authentication flow.
The problem with SSL is that it is an all-or-nothing technology. There's a chicken and egg problem: people won't make good UI for it until it's widely used, but people won't use it until it has a good UI. Persona provides an implementation of BrowserID that has a decent UI, and the user experience will only get better with time as more people use it. The chicken/egg problem is solved there, but two-way SSL right now is practically unusable for anyone who isn't very familiar with it (most people). Using an email address is very familiar, though.
I've forgone traditional auth in favor of Persona because there are just too many advantages. The user might already have an account, the flow is very good if they don't, it takes literally three minutes to integrate django-browserid (or whatever it's called now) versus skinning quite a few templates for all the login and reset forms, it saves the user from having to remember yet another password, etc etc.
I couldn't be happier with a signin solution. It even complements my legacy solution very well, you can see a demo at http://www.yourpane.com (click "Persona", never mind the email field.)
You're underestimating how familiar someone's email address is versus an OpenID URL whose significance the user doesn't know and whose use she can't grasp.
Agreed. URLs as an identifier are completely alien to non-technical folks. Even I think the notion is odd. They just don't make any sense. Plus they are hard to type correctly. Email addresses don't have these problems.
One of the reasons why we couldn't just "fix" OpenID is that we wanted a scheme that would be privacy-sensitive.
With OpenID, the result of the site redirecting you to the IdP (and then the IdP redirecting you back to the site) is that the IdP can get a trail of every website you're trying to log into. That's pretty fundamental to the way OpenID is designed.
Does persona reveal your email address to the website that you login to?
OpenID usually doesn't reveal your email address.
For example, when logging in to Google via OpenID, google will only send back a unique identifier that means 'yes, the user has a google account' but no other personal information. Yahoo does the same.
(of course, it's possible to use OpenID extensions to get a user's email at their discretion)
Yes, Persona does reveal your email address to the website you log in to. This is considered a feature, because:
1. It prevents lock-in to Persona. (If you want to migrate away from Persona, you can just send the users an email and introduce the new authentication mechanism.)
2. Most websites will need some way to contact the user, and will ask for their email address any way.
3. Users understand the concept of email addresses as identifiers.
If you care about keeping your email address private, you can always use the features your email provider offers such as forwarding email addresses.
Has there been any writeup that explains the potential impact of Persona on privacy? Not just the impact when used as intended, but also any unintended effects?