Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I'm really disappointed this doesn't authenticate against Persona. Supporting Persona in Firefox seems to be pretty slow coming, and this seems like a big blow against having that smoothly integrating it.


Some background about the relationship between Persona and Firefox Accounts:

https://wiki.mozilla.org/Identity/Firefox_Accounts

https://groups.google.com/d/msg/mozilla.mozillians/pv5VN2dNY...

tl;dr: it's coming, and this is an important engineering milestone on that path. I'm sure Lloyd and callahad will be chiming in with more details.

(Source: Mozilla employee, not on the Identity team)


Persona is an awesome way to verify email address ownership, but that's only part of what Sync and the Firefox Marketplace need. For instance, Sync needs a user-memorable password for client-side encryption, and Marketplace needs the ability to force users to re-authenticate before a purchase, which is only feasible in a centralized system. Then there are COPPA concerns: We don't want to build an age gate into Persona, but we need one on Sync and Marketplace. Firefox Accounts lets us do that once, up front, and be on our merry way.

Nevertheless, I'm hopeful that we'll integrate Persona into the Firefox Accounts workflow, but that's still only part of the problem that Firefox Accounts is trying to solve. :)

(Why wasn't it there at first? We were still working out protocol / data format details, and sticking with a known username/password system reduced the number of variables while reinventing Sync.)


Would seem to make sense to take a step back and look at what Persona and Accounts can/should be good at. Persona could/should be an awesome single sign on service that doesn't leak personal data all over the place and provides good security. Unfortunately it seems doomed to failure because the operating model chosen relies on competitive services to adopt it. In other words why would Google become an IdP for Persona when it competes with Google Sign On?

Firefox Accounts, in addition to Persona, could actually move the needle. If Mozilla would drop the idea that email providers should be IdP and instead step into the role themselves (like they kinda are with Accounts) this could all work.

More simply put why not do Persona as an SSO solution independent of email providers (Mozilla or a partner is the single IdP). Optionally attach data to that identity (several technical ways to do this) to hold more data such as that envisioned by Firefox Accounts (email, TOS acceptance, ...).


You do understand how it seems that this is just cannibalizing Persona and Persona will end up with none of the browser support it needs to fulfill its vision?


Sure, but isn't that the point? I mean, did that stop any of the other gatekeeper models?


It actually uses Persona inside, and it's an email-as-ID as well.

Also, this is a new occurrence of scrypt used in the wild.


That's not quite accurate; Firefox Accounts uses the BrowserID Protocol, of which Persona is an implementation. That is to say, it authenticates using BrowserID assertions, but does not directly tie in to Persona accounts. Yet.

https://developer.mozilla.org/Persona/Glossary


You mean it doesn't use Mozilla's bridge? Presumably, if you have your own IdP, it will use it, since it uses BrowserID.


yeah was wondering about that. very strange, should know better from Google, etc. about the value of the universal login.

I wanna love Mozilla (even bought a Firefox OS phone!) but this is pretty low-level.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: