1) If you have the appropriate setup in /.well-known/ via HTTPS, then authentication is through that key (specifically it accepts assertions signed by that public key).
2) If you don't, it falls back to a publicly-trusted Persona server, which at the moment is Mozilla (in theory it could be anything else, but Mozilla works well enough for now).
You get more control/security and more convenience if you do option 1 -- in particular, the way Mozilla implements option 2 is by doing the email-verification dance -- but both options work well enough.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds