Mozilla Persona




Persona

At first blush, PyCon doesn't seem like quite the right venue for a talk on Mozilla's Persona web authentication and identity system. Persona is not Python-specific at all, but given the number of web application and framework developers at the conference, it starts to become clear why Mozilla's Dan Callahan was there. Python also gave him the ability to do a live demo of adding Persona support to a Flask-based web site during the well-attended talk.


Kill the password

In a nutshell, Persona is Mozilla's attempt to 'kill the password', Callahan said to applause. It is a simple, open system that is federated and works cross-browser. Beyond that set of buzzwords, though, the idea for Persona is that it 'works everywhere for everyone'.

For an example of using Persona, Callahan visited ting.com—a mobile phone service site from Tucows—that has a login page supporting Persona. Clicking the 'Sign in with Persona' button popped up a window with two of his email addresses and a sign-in button. Since he had already used the site before, to log in he just needed to choose one of his email addresses (if he is using a different address from the last time he visited the site) and click 'Sign in'. It's 'dead simple', he said.


Persona ties identities to email addresses. That has several advantages, he said. Everyone already has an email address and sites often already track them. For many web sites, adding Persona support requires no change to the database schema. That also helps prevent lock-in, as sites that decide not to continue with Persona are not stuck with it.


Some in the audience might be saying 'I can already log in with two clicks' using a password manager, Callahan said. That's true, but Persona is not managing passwords. There is no shared secret between the site and the user.

That means a database breach at the site would not disclose any information that would be useful for an attacker to authenticate to the service as the user. While site owners will need to alert their users to a breach, they won't have to ask them to change passwords. Better still, they won't have to recommend that the users change their identical passwords at other sites.

If there are no shared secrets, many of the existing account registration questions can simply be skipped. The Persona sign-in process provides an email address, so there is no reason to prompt for that (twice in many cases), nor for a password (twice almost always). For example, with sloblog.io and an existing Persona, he can set up a blog with two clicks.

To prove a point, he was doing his demos from the Opera web browser. Persona works the same in all major browsers (Firefox, Chrome, Safari, IE). It uses existing technology and standards and 'works everywhere the web works', he said.


The story behind Persona comes right out of the Mozilla Manifesto, Callahan said. That manifesto was 'written at the height of the browser wars' and lists ten points that are 'crucial to the open web'. Principle #2, 'The Internet is a global public resource that must remain open and accessible', is particularly threatened today, while principle #5, 'Individuals must have the ability to shape their own experiences on the Internet', speaks directly to the Persona ideal. Nothing is more important to shape one's internet experience than is the choice of identity, he said.

'Single' sign-on

There has been a movement toward single sign-on (SSO) in recent years, but 'single' is a misnomer at this point. Many sites allow people to sign in with their Facebook or Twitter (or Google or Yahoo or MSN or ...) account. His slide had an example login with a bunch of login icons for those services, ending with a 'Good luck with OpenID' button.

The problem with that approach is that it is like Tribbles (with a requisite Kirk and Tribbles slide); there are more and more of these service-based login mechanisms appearing. How does a site pick the right one (or, more likely, ones)? How does a user remember which of the choices they used so they can use it on a subsequent visit?

He gave another example: the 500px login screen. It splits the screen in half, into two sets of choices, either logging in via a social network (Facebook, Twitter, or Klout) on one side, or with a username and password on the other. If a user wants to use a Google or Microsoft login, they are out of luck. They must create a username and trust that 500px will do the right thing with their password. He was also amused to note that he hadn't heard of Klout, so he visited to see what it was and Klout wanted him to log in using either Facebook or Twitter.

There are also some implications of using the login network of certain services. Google and Facebook have real-name policies that can sometimes lead to account suspension when a violation is suspected. That suspension then trickles out to any other services that use those login mechanisms. Facebook policies disallow multiple accounts (e.g. personal and business) as well. Basically, services using Facebook logins are outsourcing their account policies to Facebook.

It is worth a lot of money for the social networks to get their buttons onto sites, Callahan said. So 'any solution has to come from someone outside who is not trying to make a buck off every login'. Since Mozilla is on the outside, it is well positioned to help solve the problem.

The earlier Persona demonstrations were for email addresses that had already been set up, but Callahan also wanted to show what happens for users who are not yet signed up. In that case, the user must type in an email address in the Persona pop-up. Persona checks with the email provider to see if it supports Persona; if so, the email provider authenticates the user via its normal mechanisms (e.g. web-based login) that the user has seen plenty of times before. If the user successfully authenticates, the email provider indicates that to the site.

Using Persona team members as props, Callahan showed the process. The user claims a particular email address and the site contacts the email provider for verification. The email provider asks the user to authenticate (using a password, two-factor authentication, facial recognition, ...) and if that is successful, the provider signs the email address and hands it back to the site (along with some anti-replay-attack data). The site then verifies the signature, at which point it knows that the user has that email identity.

Implementing Persona

As can be seen, the description of the protocol and cryptography used was rather high-level. Callahan's clear intent was to try to convince web application and framework programmers to get on board with Persona. There is more information about the underlying details at developer.mozilla.org/persona, he said.

For the moment, few email providers support Persona, so as an 'optional temporary' measure, sites can ask Mozilla to vouch for the email address. For example, Gmail does not support Persona (yet), but Mozilla can vouch for Gmail users by way of a challenge email. Authenticating the email address to Mozilla need only be done once. But that puts Mozilla in the middle of each initial authentication right now; eventually the user's email providers will be serving that role.

The documentation lists four things that a site owner needs to do to use Persona. There is a JavaScript library to include in the login page, the login/logout buttons need 'onClick' attributes added, and the library needs to be configured. The final piece of the puzzle is to add verification of the identity assertions (signed email addresses from the email provider or Mozilla). That verification needs to be done in the server-side code.

In the future, the hope is that browsers will natively support Persona, but for now the JavaScript is needed. On the client side, it is 30 or so lines of JavaScript called from the login and logout paths. The server side is a little more complicated, as assertions are cryptographically signed, but that verification can be handed off to a service that Mozilla runs. The backend just posts some JSON to the Mozilla service and reads its response. Those changes take less than 40 lines to implement.


Using the code directly from his slides, Callahan changed both client and server sides of a demo application. That added the 'great user experience' of Persona logins. It also showed an 'amazing developer experience' in how easy it is to add Persona. Once the demo was done, and the applause died down, Callahan said 'I am so glad that worked' with a relieved grin.


Callahan had three tips for site developers adding Persona support. The first was to make a library specific to the framework being used that can be reused in multiple applications. Second, his example used the Mozilla verifier, but that is not a good long-term solution for privacy reasons. But, he cautioned, make sure to use the Python 'requests' library when doing verification as the standard library does not check SSL certificates properly. Lastly, he wanted to make it clear that using Persona did not mean that a site had to get rid of the other login buttons, 'just that maybe you should', he said. Persona can peacefully coexist with these other login mechanisms.
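The server-side half of the four integration steps described above, together with the tip about certificate-checking HTTP, as an added example (this is not the code from Callahan's slides nor Mozilla's own library): a verify_assertion() function that forwards the browser's assertion to Mozilla's verifier as JSON and accepts the login only if the reply says "okay", names this site's own origin as the audience, and has not expired; plus Flask wiring for the login and logout endpoints that the client-side Persona JavaScript posts to. The verifier URL is the one Mozilla documented; SITE_AUDIENCE, the /auth/login and /auth/logout paths, the session secret and the constructed replies are assumptions. The HTTP transport is passed in so the checks run offline; the default transport uses 'requests', as the talk advises, because it validates the verifier's TLS certificate.

```python
"""Server-side Persona verification for a Flask login endpoint (added example).

Flow: the Persona JavaScript's onlogin callback POSTs the identity assertion to
/auth/login; the backend forwards {"assertion", "audience"} as JSON to Mozilla's
verifier and reads the JSON reply. Only after every check below passes is the
user's e-mail stored in the session.
"""
import time

# Mozilla's hosted verifier, as documented for sites that do not verify locally.
VERIFIER_URL = "https://verifier.login.persona.org/verify"

# Constructed: this site's own origin (scheme, host, port). The audience is what
# binds an assertion to this site; hard-code it rather than deriving it from the
# incoming request's Host header, which the client controls.
SITE_AUDIENCE = "https://example.test"


class VerificationError(Exception):
    """Raised when a login attempt must be refused."""


def requests_transport(url, payload):
    """Default transport: POST JSON with `requests`, which validates the
    verifier's TLS certificate. Imported lazily so nothing else needs it."""
    import requests
    resp = requests.post(url, json=payload, timeout=10)
    resp.raise_for_status()
    return resp.json()


def verify_assertion(assertion, audience=SITE_AUDIENCE,
                     transport=requests_transport, now=None):
    """Return the verified e-mail for `assertion` or raise VerificationError.
    `transport(url, payload)` returns the verifier's reply as a dict;
    `now` (seconds since the epoch) is injectable for offline testing."""
    if not isinstance(assertion, str) or not assertion:
        raise VerificationError("missing assertion")

    reply = transport(VERIFIER_URL, {"assertion": assertion, "audience": audience})

    # 1. The verifier's verdict: anything but "okay" is a refusal.
    if reply.get("status") != "okay":
        raise VerificationError(reply.get("reason", "assertion rejected"))
    # 2. The reply must name *our* audience, so an assertion minted for
    #    another site can never log someone in here.
    if reply.get("audience") != audience:
        raise VerificationError("audience mismatch")
    # 3. `expires` is milliseconds since the epoch; refuse stale assertions.
    now_ms = int((time.time() if now is None else now) * 1000)
    expires_ms = reply.get("expires")
    if not isinstance(expires_ms, int) or expires_ms <= now_ms:
        raise VerificationError("assertion expired")
    # 4. The identity itself.
    email = reply.get("email")
    if not isinstance(email, str) or "@" not in email:
        raise VerificationError("no e-mail in reply")
    return email


def create_app(transport=requests_transport):
    """Flask wiring (hypothetical paths) for the two calls the client-side
    Persona JavaScript makes: onlogin -> /auth/login, onlogout -> /auth/logout."""
    from flask import Flask, jsonify, request, session

    app = Flask(__name__)
    app.secret_key = "CHANGE-ME-constructed-placeholder"

    @app.route("/auth/login", methods=["POST"])
    def login():
        try:
            email = verify_assertion(request.form.get("assertion"),
                                     transport=transport)
        except VerificationError as exc:
            return jsonify({"status": "failure", "reason": str(exc)}), 403
        session["email"] = email
        return jsonify({"status": "okay", "email": email})

    @app.route("/auth/logout", methods=["POST"])
    def logout():
        session.pop("email", None)
        return jsonify({"status": "okay"})

    return app


def constructed_reply(audience=SITE_AUDIENCE, email="alice@example.test",
                      status="okay", expires_ms=None):
    """Constructed verifier reply in the documented shape, for offline runs."""
    if status != "okay":
        return {"status": "failure", "reason": "constructed failure"}
    if expires_ms is None:
        expires_ms = int(time.time() * 1000) + 120_000  # two minutes ahead
    return {"status": status, "email": email, "audience": audience,
            "expires": expires_ms, "issuer": "login.persona.org"}


if __name__ == "__main__":
    # Offline demonstration: a good reply logs in, a foreign audience does not.
    print("accepted", verify_assertion("assertion-blob",
                                       transport=lambda u, p: constructed_reply()))
    try:
        verify_assertion("assertion-blob", transport=lambda u, p:
                         constructed_reply(audience="https://other.test"))
    except VerificationError as exc:
        print("refused:", exc)
```

The audience re-check is the one that matters most: the verifier only compares the assertion against whatever audience the site sends it, so a site that sends a value taken from the request rather than its own fixed origin has no binding at all. Swapping requests_transport for a local verifier later, as Callahan's second tip suggests, changes only the transport function, not any of the checks.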


In conclusion, Callahan said he had a request: 'spend one hour with Persona this week'. You could add it to your site in an hour, he said, but if not, just try it out on some site. Persona is still in beta, so it is 'able to be shaped by your feedback'. Also, he requested, please ask one site that you use to support Persona, 'that's how we are going to change the future of the web'. Persona will allow everyone—not just the few who understand OpenID or password managers—to have a safer, more secure web.

[ In keeping with Callahan's request, we will be looking into Persona support for LWN. ]

Index entries for this article
Security/Authentication
Security/Identity management
Conference/PyCon/2013
