
The final act for Mozilla's Persona

By Nathan Willis
January 13, 2016

Mozilla has announced that it will close down its Persona.org identity service in November 2016. The browser maker stopped developing the Persona software in 2014, citing low adoption, but has maintained Persona.org as a public service. With the announcement that the service will be discontinued, the question arose as to whether or not the software could survive as an independent, community-driven project. Questions also arose as to why Persona failed to take off, and whether Mozilla should have managed the project differently.

Persona is a sign-in system for web sites in which the responsibility for authenticating a user login attempt is handed to an email provider. In theory, the user enters only their email address (e.g., user@example.com) on the web site; that site then performs a handshake with a process running on the domain portion of the email address (example.com). The user proves to the mail server that the address is theirs by logging into their email account, at which point the email server returns a token to the web site that concludes the authentication process.

The scheme offers potential benefits to a number of parties. The site owner does not have to implement a login system from scratch and is able to get by with storing only the user's email address (which, in addition to being simple, prevents lock-in). The user can re-use their email address on any number of sites without having to create new accounts (and passwords) for every site. The whole process could be decentralized; users and site maintainers could therefore stop handing authentication over to the big proprietary social-media networks.

But theory rarely lives up to reality, and Mozilla found it difficult to persuade email providers to run the mail-server side of the authentication service. The Persona.org site was created as a stop-gap; if a user's email provider did not natively support the Persona authentication scheme, the user could verify that they had access to the email address through Persona.org. The Persona.org authentication flow, though, was not part of the Persona scheme itself. Instead, the Persona.org server worked by sending an email containing a challenge to the user's address. Clicking on the link inside the email verified that the user had access, at which point Persona.org completed the login transaction with the originating web site.

Disconnect

Sadly, because Mozilla never succeeded in convincing major email services to implement their own Persona authentication service, Persona itself became a scheme that relied almost entirely on the Persona.org site—which undercut the goal of making Persona a decentralized protocol. As a result, Persona.org was just one of many third-party authentication options—and a much smaller one than Facebook, Google, Twitter, and the like.

By March 2014, Mozilla decided that the writing was on the wall: without email-provider support, there was not sufficient interest in adding Persona support among web-site proprietors either. That made Persona unlikely to make a meaningful dent in the login-service space dominated by the social-media companies. So Mozilla stopped working on the code (or, as the official announcement put it, "transitioned Persona to community ownership") and moved the Persona developers over to work on a revamped Firefox Sync. But Persona.org remained active even after development wound down.

The Persona.org shutdown announcement was sent out on January 12 by Mozilla's Ryan Kelly. According to Kelly, the Persona.org site will finally be decommissioned on November 30, 2016. Afterward, Mozilla will destroy all user data stored on the servers, and will retain the persona.org domain name indefinitely, but with no services running on it (presumably to prevent a malicious third party from taking control of the domain and hijacking any lingering Persona transactions). Between now and then, Mozilla will continue to apply security updates to the Persona.org servers and will keep the mailing-list and IRC support channels functioning as normal.

The announcement says that the decision to shutter the service was due to "low, declining usage", but Mozilla has still published a transition guide to help the remaining users migrate their sites to a new authentication provider before the shutdown occurs.

The suggested replacement systems include the rather obvious options of using another identity provider (like Google or Facebook) or self-hosting an authentication system. But the suggestions also point out that there are other authentication systems that, like Persona, rely solely on the user's email address to establish their identity. For example, there is Passwordless, a Node.js middleware that emails per-session login tokens to the user's address—much like the authentication flow of the Persona.org site.
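The email-challenge fallback that Persona.org used (and that Passwordless reimplements) is simple, but the details decide whether it is safe: the token must be unguessable, short-lived, single-use, stored only as a hash, and bound to the site that started the login. The following is an added illustration written for this article, not code from Persona, Persona.org or Passwordless; the function names, the in-memory store and the 15-minute lifetime are assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory store: sha256(token) -> (email, audience, expires_at).
# Only the hash is kept, so a leaked store does not yield usable login links.
_pending = {}
TOKEN_TTL = 15 * 60  # assumed lifetime of a challenge link, in seconds


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_challenge(email, audience, now=None):
    """Create the single-use token that goes into the emailed login link.

    `audience` is the origin of the web site that started the login; the token
    is bound to it so a link issued for one site cannot finish a login elsewhere.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not random()
    _pending[_digest(token)] = (email.strip().lower(), audience, now + TOKEN_TTL)
    return token


def redeem_challenge(token, audience, now=None):
    """Return the verified email address if the clicked link is valid, else None.

    Any lookup hit removes the entry, so a token is consumed on first use and a
    misuse attempt (wrong site) burns it rather than leaving it live.
    """
    now = time.time() if now is None else now
    entry = _pending.pop(_digest(token), None)
    if entry is None:
        return None  # unknown, already used, or forged token
    email, bound_audience, expires_at = entry
    if now > expires_at:
        return None  # link too old; the user must request a fresh one
    if bound_audience != audience:
        return None  # link presented to a site other than the one that asked for it
    return email
```

A site using this would send the returned token in a link, look the user up by the verified address on redemption, and start its own session from there; the user's email address remains the only identifier the site needs to keep.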

The adoption problem

No doubt Persona has far fewer adopters than the Facebook or Google authentication systems, but some in the development community contend that Mozilla failed to give Persona enough time to grow a user base. In December 2015, Stavros Korokithakis criticized the short amount of time that the Persona team was given to develop and deploy the system—a little under two years:

No one can be expected to revolutionize authentication in two years! What one can do in two years is try to discover whether it’s possible to create fully private, decentralized authentication. Not only did the Persona team demonstrate that such a thing is possible, they brought a mature product implementing the protocol to market! I doubt Google would have done any better.

Along the way, he quotes Persona developer Dan Callahan, who reported that the team was taken by surprise by requests to show adoption numbers:

We thought we had more time to experiment with the core protocol and product design, but with Mozilla Labs' somewhat sudden dissolution, we were unexpectedly asked to demonstrate traction and commercial adoption that simply wasn't there.

The need to give a new protocol adequate time to gain acceptance was a theme raised in the Hacker News (HN) discussion thread about the November-shutdown news. Jan Wrobel noted that:

Core open protocols behind the Internet that we have today took years of development and refinements. It seems that in the current model, where projects are expected to be widely adopted within a short period of time, the development of such protocols is hindered.

Others lamented the fact that Mozilla did not make a concerted push to have Persona established as a formal specification, or the fact that the client side of Persona in Firefox was implemented in a JavaScript shim rather than natively in the browser. For many, however, the situation was similar to the one seen with OpenID: large web service providers have a vested interest in running their own centralized identity solutions, and without a user base large enough to rival Google's or Facebook's, any authentication scheme promoted by a small non-profit organization stands little chance of success.

Persons of interest

Mozilla's shutdown does not necessarily spell the end for the underlying Persona concept, of course. When news of the shutdown broke, Korokithakis was among those in the HN thread who advocated taking the Persona code and developing it further. The interested parties eventually pooled their resources and formed a GitHub group named Let's Auth. The group has put together a roadmap, which notes a desire to not have a single point of failure akin to Persona.org as well as the importance of implementing native browser support. The roadmap also highlights the importance of getting an existing web-framework project (such as WordPress or Rails) on board.

The plan seems to be a move away from directly picking up where Persona development left off and, instead, stripping the idea down to basics and reimplementing what is necessary. It may be a wise choice; Callahan weighed in on the revival effort, saying that "I'd strongly suggest learning from Persona's design rather than directly re-hosting the code."

In its own post-mortem analysis, Mozilla noted many of the same issues raised in the HN thread and by the Let's Auth project. It also pointed out that Persona suffered feature creep, implementing session-management and attribute-exchange features that distracted from the core authentication function. If the attempt to reboot Persona outside of Mozilla takes those lessons to heart, perhaps there is still a future for the project's decentralized authentication concept.

Good intentions and lessons learned do not guarantee that a revival effort will succeed, but it is nice to see interest in evolving the concept of Persona further. As several people have pointed out, one lingering gift that Persona gave to web developers was a simple exit strategy. All of the site maintainers abandoned by the Persona.org shutdown will still have their users' email addresses, so they can easily move to a new authentication solution. Such would not be the case had they chosen instead to delegate authentication to a proprietary web-service provider.


The final act for Mozilla's Persona

Posted Jan 14, 2016 6:31 UTC (Thu) by salimma (subscriber, #34460) [Link]

Cooperating with projects like Dark Mail could be an option. Both are in favor of privacy-preserving decentralized systems, so I could not see why Dark Mail servers shouldn't also provide authentication services of the kind Persona envisaged.

The final act for Mozilla's Persona

Posted Jan 14, 2016 10:59 UTC (Thu) by nelljerram (subscriber, #12005) [Link]

Wonderfully clear, thank you!

The final act for Mozilla's Persona

Posted Jan 14, 2016 15:31 UTC (Thu) by davidstrauss (guest, #85867) [Link]

From the linked postmortem:
> Persona should be built natively into Firefox, Fennec and Firefox OS

Firefox OS (now discontinued as well) didn't even allow me to sign Firefox into Firefox Sync the typical way. So, they were two steps away from integration with Persona there. Mozilla has got to start thinking of its products as an ecosystem -- even if it's a privacy and FOSS-based distributed one.

The final act for Mozilla's Persona

Posted Jan 14, 2016 16:44 UTC (Thu) by wookey (guest, #5501) [Link] (5 responses)

I badly don't want to use google/facebook/twitter centralised login. I use openID currently and am sad to see it slowly disappearing rather than taking over the world. I didn't even know about persona. I'd actually prefer to host my own, but I never worked out how to do this for openID, which seemed a major failing (you still end up depending on a 3rd party). Can I just apt-get install persona-auth + configure and be independent? That's what I want. It does seem that 90% of the world is uninterested in not being tracked so just uses facebook/twitter/google logins everywhere. They probably don't realise that they could have a choice.

The final act for Mozilla's Persona

Posted Jan 14, 2016 19:05 UTC (Thu) by sorpigal (guest, #36106) [Link] (3 responses)

If you've never heard of Persona you might also not be aware of webfinger (and webfist), but you'd probably be interested.

> I use openID currently and am sad to see it slowly disappearing rather than taking over the world

Same story here. OpenID is exactly what I want, its only downside is the user-unfriendly part where most people don't want their IDs to be URLs.

> I'd actually prefer to host my own, but I never worked out how to do this for openID, which seemed a major failing (you still end up depending on a 3rd party). Can I just apt-get install persona-auth + configure and be independent? That's what I want.

I had the same problem. Initially I worked around it by using the myopenid.com service which used some DNS trickery to allow me to use my own domain with their hosted openID implementation. This worked until they shut the service down. Now I proxy through stackexchange, using my same URL, because I am still not able to apt-get install self-hosted-openid configure and go (please correct me if something like this exists). I depend on a third party but in theory if they all go away I can still host it myself.

People implementing decentralized auth have a ready-made audience amongst users of Linux distributions: our ideals and goals follow similar lines, on the Linux side we're not afraid to run our own servers and install our own software. I just get lost in the midst of the description of relying parties and whatnot. I like to think that if I have trouble most people will, too. I want decentralized auth, I have my own domain and my own servers, I run Debian. This should be easy, but it's not.

From the article:

> Sadly, because Mozilla never succeeded in convincing major email services to implement their own Persona authentication service, Persona itself became a scheme that relied almost entirely on the Persona.org site—which undercut the goal of making Persona a decentralized protocol.

Sounds like StatusNet all over again. A federated system is created but most people only want to use the service as a way to escape corporate lock in, not host it themselves. Is it because it's too hard to set up?

The final act for Mozilla's Persona

Posted Jan 15, 2016 1:28 UTC (Fri) by flussence (guest, #85566) [Link] (1 responses)

> I am still not able to apt-get install self-hosted-openid configure and go (please correct me if something like this exists).

I used to use something that fit this description, self-contained PHP code, but unfortunately it seems to be six feet under: http://siege.org/phpmyid.php

The final act for Mozilla's Persona

Posted Jan 21, 2016 4:06 UTC (Thu) by ssokolow (guest, #94568) [Link]

SimpleID is probably the closest thing to what you're looking for (PHP-based, no database requirement), and I use it to self-host my own OpenID.

http://simpleid.koinic.net/

The final act for Mozilla's Persona

Posted Jan 18, 2016 4:09 UTC (Mon) by TRS-80 (guest, #1804) [Link]

apt-get install lemonldap-ng

The final act for Mozilla's Persona

Posted Jan 16, 2016 17:02 UTC (Sat) by JanC_ (guest, #34940) [Link]

It doesn't have to be "apt-get install" & done, but it should certainly be stable & secure. If it takes some time to configure before it works like I want then that's okay (provided it's properly documented), but I don't want to have to do frequent/emergency maintenance after that…

The final act for Mozilla's Persona

Posted Jan 18, 2016 16:10 UTC (Mon) by gerv (guest, #3376) [Link]

I don't think Persona ever did much attribute exchange, but I'd disagree that this is a distraction from the main purpose. On the contrary, IMO it's one of the big reasons it failed.

If you are a website owner, implementing Facebook login tells you loads about your users. This information is really useful and valuable. What incentive do you have to implement a login system which not only doesn't do that, but has no _way_ of doing that? Privacy says that the design of a good system would have opt-in info sharing rather than automatic, which makes it a bit less attractive from a site owner perspective, but Persona didn't even have that.

Maybe now that the NIH is over ...

Posted Jan 19, 2016 13:40 UTC (Tue) by jwildebo (guest, #38479) [Link]

... the persona people and users might be willing to work on implementations of the W3C standard webid that predates Persona and could really use some more love.

http://www.w3.org/2005/Incubator/webid/spec/

Jan


Copyright © 2016, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds