Hi, all,
I talked about Persona at DevCon5 in New York last week. Many of the attendees are mobile app developers who still rely on native or hybrid frameworks, so I tried especially to show Persona on mobile/native.
Few people in the audience had heard of Persona. I think there were about 60 or 70 people in attendance.
My slides can be converted to an HTML presentation with deck.js using m2d: https://github.com/jedp/devcon5-2013
I demonstrated and discussed:
- persona on desktop
- persona on mobile (incl firefoxos)
- sign-in flow on sloblog.io
- problems with passwords today
- the persona sign-in flow
- why we use email addresses
- benefits for users
- benefits for developers
- complete client code for an RP
- complete server code for an RP
- security considerations
- customization and branding for RPs
- live-coding demo of adding persona to an app
- the protocol enacted by members of the audience
  (last time I did this I used stuffed animals)
  (non-plush, live actors are better because they ask more questions)
- IdP examples
- The IdP API and how to become an IdP
- LDAP integration
- Native embedding recipe
Questions from the audience included:
- Details of the protocol - how can the RP really trust this?
- What if I log in to a site using different emails? How do they know they're all "me"?
- How does this compare to signing in with Facebook?
- How could I use this as a simple sign-in to enable comments on my site?
- What happens if my email account is compromised?
Anecdotally, I can confirm what others have been saying - that "Sign in using email" is better than "Sign in with Persona".
People responded very positively to the idea that they don't have to store passwords.
Some RPs were quite positive about *not* having to use twitter or facebook auth. They *don't* want access to people's social graph and histories, which they view as a liability akin to storing passwords.
When I demonstrated writing an IdP, I showed Shane's sendmypin.org, which SMSs a PIN, and my gno.mn, which uses the yubikey. Interestingly, the black hats in the audience who profess a strong dislike of sign-in-everywhere systems were enthusiastic that they could use a yubikey and a phone pin as the basis for authentication. So the black hats were won over. Finally, some users who care about security! ;)
Unrelated, the Q&A questions at the close of the conference turned to debugging node.js apps and tracking down memory leaks. I pointed out node-inspector (https://github.com/node-inspector/node-inspector) and node-memwatch (https://github.com/lloyd/node-memwatch), both of which were already familiar to and used by some of the other panelists and members of the audience. w00t :)
Cheers
j
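The audience question "how can the RP really trust this?" comes down to what the RP's server does with the assertion the browser hands it. The example below is added here and is not the talk's code, the slides' code or Mozilla's; it shows the server-side verification step of an RP in Python against the hosted verifier endpoint that Persona relying parties used at the time. `RP_AUDIENCE`, `verify_assertion`, the `post` hook and the constructed verifier responses in `demo()` are assumptions for illustration; the security point it demonstrates is that the RP must check not only `status`, but that the `audience` in the verifier's answer matches its own origin and that the assertion has not expired, otherwise an assertion minted for another site could be accepted here.

```python
import json
import time
import urllib.parse
import urllib.request

# Hypothetical RP configuration (constructed for this example).
VERIFIER_URL = "https://verifier.login.persona.org/verify"
RP_AUDIENCE = "https://example-rp.test"  # scheme + host (+ port) the browser used to reach this RP


def post_to_verifier(assertion, audience):
    """Live transport: POST the assertion and this RP's audience to the remote verifier.

    The verifier checks the identity certificate chain and the assertion signature
    and answers with JSON such as {"status": "okay", "email": ..., "audience": ...,
    "expires": <ms since epoch>, "issuer": ...} or {"status": "failure", "reason": ...}.
    """
    body = urllib.parse.urlencode({"assertion": assertion, "audience": audience}).encode()
    req = urllib.request.Request(VERIFIER_URL, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def verify_assertion(assertion, audience=RP_AUDIENCE, post=post_to_verifier, now=None):
    """Return the verified email address, or None if the assertion must be rejected.

    `post` is injectable so the logic can be exercised offline; `now` is seconds since
    epoch (defaults to the wall clock).
    """
    if not assertion:
        return None
    result = post(assertion, audience)
    if result.get("status") != "okay":
        return None  # signature or certificate chain did not check out
    # The verifier echoes the audience it validated against; a mismatch means the
    # assertion was issued for some other site and must not log anyone in here.
    if result.get("audience") != audience:
        return None
    expires_ms = int(result.get("expires", 0))
    now_ms = int((time.time() if now is None else now) * 1000)
    if expires_ms <= now_ms:
        return None  # stale assertion; reject rather than trust an old login
    return result.get("email")


def demo():
    """Offline walk-through with constructed verifier responses (no network)."""
    fresh = time.time()
    okay = {"status": "okay", "email": "alice@example.test", "audience": RP_AUDIENCE,
            "expires": int((fresh + 120) * 1000), "issuer": "login.persona.org"}
    cases = {
        "good": okay,
        "wrong_audience": dict(okay, audience="https://other-site.test"),
        "expired": dict(okay, expires=int((fresh - 1) * 1000)),
        "failure": {"status": "failure", "reason": "constructed: bad signature"},
    }
    return {name: verify_assertion("constructed-assertion", post=lambda a, aud, r=r: r, now=fresh)
            for name, r in cases.items()}


if __name__ == "__main__":
    for name, email in demo().items():
        print(f"{name:15s} -> {'logged in as ' + email if email else 'rejected'}")
```

Only the "good" case yields an email; the session cookie or login record should be set from that return value and from nothing else the browser sent.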