Choose your identity providers (and thus email addresses) wisely. They should be filtering spam for you / letting you control things. And they shouldn't be doing it by forcing you into their silo, the way "login with Twitter" buttons work.
Actually, my biggest problem with Persona is that the source of my identity is not me, but some third party I have to trust.
I run my email addresses on my own (physically-owned) servers. I know various approaches to filtering spam, and the best one in my experience for not having a littered inbox is to have a private non-dictionary per-service email address and not expose it anywhere else.
The only mandatory third party between me and the Internet is the domain registrar I lease my domain name from. Not trustworthy, but this is the best one could have while all authentication systems are tightly coupled with DNS.
I know that. It's just depending on domain name "ownership" (and even though it's called so, it's a temporary lease, not a purchase of property), in exactly the same way the general audience depends on email account "ownership".
Except for the fact that if one's email account or the whole provider goes down, they should still be able to log in with old-fashioned password credentials. With Persona, unless the site has a backup authentication method, they're out of luck.
This effectively means I have to stick with my domain name forever.
No, because Persona mediates, and Yahoo only knows that you're using your Yahoo identity with Persona, nothing more. That's a key privacy property of Persona.
However, if you use the "login with Yahoo" button (or Google or Facebook), then yes, they can track all of your activity.
To your second point: great question! No, the attacker cannot. We still protect your other email addresses with a Persona password.
Oh wait, I misread your point. Yes, the attacker can log into all Persona web sites if they know your Yahoo password. But that's the way the cookie crumbles with federated identity. It's the same thing if you pick a Yahoo email address as your recovery email. Pick your identity providers wisely!
Very good points, and we agree. We're going to bridge more Identity Providers. We're working on native implementations (though I suspect that those are less pressing than the other two angles.)
As for big web sites... we've got some things in the works. But that's where you and others on HN can help. If you like Persona, if you like the vision we have, then help us. Pick one site where you can implement it. Ditch social login, which users hate, and pick Persona instead.
As cliche as it might sound, I think I have to say this: Be the change you want to see in the Web. Help us make Persona, the one login system that respects users, truly successful.
To be fair, if you want to understand why something is supposedly secure, you will have to spend some time :)
Let's see if I can help.
Your identity is tied to your ability to prove that you own an email address. You can do that by clicking a confirmation link we send you. Or, as of Beta2 (today!), you can do that by having your domain implement the Persona Identity Provider API, where your domain publishes a public key and issues certificates to you based on that public key, which you can then use to sign into web sites. Also as of today, we do that for Yahoo users by bridging to Yahoo OpenID, so basically Persona is an OpenID client to Yahoo, gets Yahoo to vouch for your email, and based on that issues you a Persona certificate (backed by our public key) for your email address.
But whatever way you go, it's about proving you own an email address and obtaining a certificate for it.
Yes, someone who has access to your browser can fake your identity if you don't lock your browser/OS, but that's nothing new. In fact, the simple password change is how we mitigate that. As soon as you change your password, we invalidate all sessions on all devices. Certificates last only a few hours, so they'll be disabled quickly too.
Let's see if I can help provide some answers here:
a) certificates are stored in localStorage for https://login.persona.org. They are very short-lived (hours), so that we don't have to deal with revocation, since that would likely be impossible on a per-user scale.
b) there's no way you can prevent an identity provider from misusing your identity. They're your identity provider. You chose them because you trust them to credential you and not let other folks impersonate you.
b') browser extensions already have full control over your life. That's something that should be addressed longer term, but Persona is not making this any worse.
b'') other entities cannot access the localStorage for login.persona.org, so that should be okay.
c) you're not just entering an email address. You're also proving you own it, for example by being logged into your Yahoo.com account, or by clicking the confirmation link we send you. What we're doing is minimizing the number of steps you have to take to prove you own an email address. But you still have to own it.
You should check out our documentation, which is quite thorough:
https://developer.mozilla.org/en-US/docs/persona
I think we've provided a lot of hard data and docs to back our claims, but we're happy to provide more, of course.
Every time you create an account at a new site, you're opening up a way to get hacked. Because, like most humans, you probably reuse passwords, or at least have password similarities. And many web sites tend not to have the resources to properly secure their user database.
So, creating an account on every new site you visit is both inconvenient and slowly degrades your security.
You could switch to centralized identity silos, logging in with Facebook or Google everywhere you go. Now you've got the problem that these big companies are tracking your every move, enforcing "real-name" policies forcing you to unify all of your web activity into one account, etc.
Persona is the best of both worlds: convenience and reduced security exposure, plus your choice of identity wherever you go with much better privacy.
I think the criticism that we haven't made a strong enough point of why this makes the Web more secure is legitimate. We haven't made this point as well as I'd like.
I'll take that as inspiration for a future blog post. Thanks for pushing us, please continue to do so. We listen.
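Added example, not part of the thread and not Persona's own code: a simplified Node.js model of the flow the comments describe, where a domain's key signs a short-lived certificate binding an email address to the user's key, and expiry alone (no revocation list) ends a certificate's usefulness. The token layout, the function names, the 6-hour lifetime, the issuer-equals-email-domain check and the per-site `aud` field are assumptions made for illustration, not Persona's wire format.

```javascript
const crypto = require('crypto');

// Token = base64url(JSON payload) + "." + base64url(Ed25519 signature).
// Constructed format for illustration only.
function signToken(payload, privateKey) {
  const body = Buffer.from(JSON.stringify(payload)).toString('base64url');
  return body + '.' + crypto.sign(null, Buffer.from(body), privateKey).toString('base64url');
}

function openToken(token, publicKey) {
  const [body, sig] = String(token).split('.');
  if (!body || !sig) throw new Error('malformed token');
  const ok = crypto.verify(null, Buffer.from(body), publicKey, Buffer.from(sig, 'base64url'));
  if (!ok) throw new Error('bad signature');
  return JSON.parse(Buffer.from(body, 'base64url').toString());
}

// Relying-party check. idpPublicKey stands in for the key the domain publishes.
function verifyLogin(cert, assertion, idpPublicKey, audience, now) {
  const c = openToken(cert, idpPublicKey); // domain vouches: email <-> user key
  if (now >= c.exp) throw new Error('certificate expired');
  if (c.email.split('@')[1] !== c.iss) throw new Error('issuer is not the email domain');
  const a = openToken(assertion, crypto.createPublicKey(c.userKey));
  if (now >= a.exp) throw new Error('assertion expired');
  if (a.aud !== audience) throw new Error('assertion is for another site');
  return c.email;
}

function demo() {
  const idp = crypto.generateKeyPairSync('ed25519');  // the domain's key pair
  const user = crypto.generateKeyPairSync('ed25519'); // generated in the browser
  const t0 = 1700000000, site = 'https://site.example'; // constructed clock and site
  const cert = signToken({ iss: 'example.org', email: 'alice@example.org',
    userKey: user.publicKey.export({ type: 'spki', format: 'pem' }),
    exp: t0 + 6 * 3600 }, idp.privateKey);
  const assertAt = (t) => signToken({ aud: site, exp: t + 120 }, user.privateKey);
  const attempt = (aud, now) => {
    try { return verifyLogin(cert, assertAt(now), idp.publicKey, aud, now); }
    catch (e) { return e.message; }
  };
  return {
    fresh: attempt(site, t0 + 60),
    replayedElsewhere: attempt('https://other.example', t0 + 60),
    afterExpiry: attempt(site, t0 + 7 * 3600), // user key still valid, cert is not
  };
}
```

The `afterExpiry` case is the one the thread relies on: a copied certificate and user key stop working once the certificate's lifetime passes, without the issuer tracking revocations per user.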