Persona login UI suggestion


Chris Peterson

Oct 23, 2015, 1:52:01 PM
When I log into a Persona site, I'm always a little frustrated that
after clicking the "next" button on the Persona login window's email address
page, I must move my mouse one inch to the right to click the password
page's "sign in" button. It would be very convenient if the "sign in"
button was positioned "behind" the "next" button so users could just
click-click without moving the mouse.

Perhaps this would be too convenient? Google's two-page login doesn't do
this. Their password page's "Password" field, not the "Sign In" button,
is positioned "behind" their email address page's "Next" button. I guess
that makes it easy for the user to click input focus to the "Password"
field (though the field already steals input focus, so it is redundant).

Edwin Wong

Nov 11, 2015, 4:48:37 PM
to Chris Peterson, dev-identity
Definitely something to note for future UX designs... but Persona, the
service hosted by Mozilla, is being decommissioned in late 2016.

*sad trombone*

-edwin


Christopher Karlof

Nov 11, 2015, 7:19:34 PM
to dev-identity, Sheila Mooney, Diane Tate
Hi all,

We haven't provided much visibility on our Persona plans in a while. Sorry
about that, and here's a brief update:

There are ongoing discussions within Mozilla about Persona's future. Due to
lack of adoption, one possibility involves decommissioning the service, but
no specific decisions have been made. We expect to make decisions during
the Mozilla all-hands meeting next month, and have a formal announcement
shortly thereafter. In the event that Persona *is* decommissioned, we will
provide *at least* 9 months of notice, so there are no actions that need to
be taken right now. Persona continues to be monitored and supported, though
there is still no new feature development.

-chris

Melvin Carvalho

Nov 11, 2015, 7:38:18 PM
to Christopher Karlof, Sheila Mooney, Diane Tate, dev-identity
On 12 November 2015 at 01:19, Christopher Karlof <cka...@mozilla.com>
wrote:

> Hi all,
>
> We haven't provided much visibility on our Persona plans in a while. Sorry
> about that, and here's a brief update:
>
> There are ongoing discussions within Mozilla about Persona's future. Due to
> lack of adoption, one possibility involves decommissioning the service, but
> no specific decisions have been made. We expect to make decisions during
> the Mozilla all-hands meeting next month, and have a formal announcement
> shortly thereafter. In the event that Persona *is* decommissioned, we will
> provide *at least* 9 months of notice, so there are no actions that need to
> be taken right now. Persona continues to be monitored and supported, though
> there is still no new feature development.
>

Thanks for the update.

Looking on the bright side, identity in the cloud is quite a saturated
market.

I hope Mozilla can once again champion "Identity in the browser", which no
one has yet been able to tackle. Perhaps with new tools such as the Web
Crypto API and WebID, it could be a great opportunity to reboot the idea,
in a disruptive way.

I'm always inspired by a previous idea, that I consider the "holy grail" of
identity concepts

http://www.azarask.in/blog/post/identity-in-the-browser-firefox/

I think people would flock to such a concept, if Mozilla was behind it.

Jan Wrobel

Nov 12, 2015, 6:49:05 AM
to Christopher Karlof, Sheila Mooney, Diane Tate, dev-identity
Hi,

Can you share the numbers about the adoption (how many sites and users
use Persona)? I depend on Persona in production as the only
authentication option, and people are happy with it.

Kind regards,
Jan


Christopher Karlof

Nov 12, 2015, 1:20:49 PM
to Jan Wrobel, dev-identity
Hi Jan,

We plan on sharing some adoption numbers in the broader communication I
mentioned in my previous email.

-chris

Jesus Cea

Dec 4, 2015, 10:46:03 PM
to dev-id...@lists.mozilla.org
On 12/11/15 12:49, Jan Wrobel wrote:
> Can you share the numbers about the adoption (how many sites and users
> use Persona)? I depend on Persona in production as the only
> authentication option, and people are happy with it.

I stopped deploying Persona in summer 2014, after a few email exchanges
that proved to me that: a) Mozilla was pretty clearly abandoning the
platform, and b) Persona design REQUIRES a trusted third party (Mozilla)
in order to work. By design.

Very sad decision, and I have been lurking in the mailing list hoping that
wind would change...

Too bad.

--
Jesús Cea Avión
jc...@jcea.es - http://www.jcea.es/
Twitter: @jcea
jabber / xmpp:jc...@jabber.org
"Things are not so easy"
"My name is Dump, Core Dump"
"Love is placing your happiness in the happiness of another" - Leibniz

Andrew Ducker

Dec 11, 2015, 4:13:07 AM
On Saturday, 5 December 2015 03:46:03 UTC, Jesus Cea wrote:
> I stopped deploying Persona in summer 2014, after a few email exchanges
> that proved to me that: a) Mozilla was pretty clearly abandoning the
> platform, and b) Persona design REQUIRES a trusted third party (Mozilla)
> in order to work. By design.


Yeah - (b) there basically prevents any large third party from deploying it. No large internet presence is going to deploy a login system that passes everything through a third party. And without a large third party as an example it wasn't getting buy-in. It's a shame it never got there.

Andy

Randall Leeds

Dec 11, 2015, 12:21:42 PM
to Andrew Ducker, dev-id...@lists.mozilla.org
Every popular social login passes through a third party and it really
doesn't seem to be a barrier.

Andrew Ducker

Dec 11, 2015, 12:25:24 PM
On Friday, 11 December 2015 17:21:42 UTC, Randall Leeds wrote:
> Every popular social login passes through a third party and it really
> doesn't seem to be a barrier.


I can't see Google agreeing that every time you visit them it will go through Mozilla. Or Facebook. Or Twitter. To get any of the big companies on board it needs to be properly decentralised, so that they don't have a dependency on a third party to validate every login. Otherwise it's more in their interests to do it themselves.

Richard S. Hall

Dec 11, 2015, 12:38:00 PM
to dev-id...@lists.mozilla.org
Google et al. would probably do whatever their customers demanded, but
the average person doesn't really care about identity management.

-> richard

Melvin Carvalho

Dec 11, 2015, 12:41:06 PM
to Andrew Ducker, dev-id...@lists.mozilla.org
+1 to properly decentralized, a large % of the internet has been waiting
for this for almost a decade. Ideally using PKI. Problem is that everyone
thinks it's impossible!

Ryan Kelly

Dec 14, 2015, 11:43:01 PM
to dev-id...@lists.mozilla.org
On 12/12/2015 09:49, Randall Leeds wrote:
>
> And yet, OAuth2 and OpenID Connect have received adoption and the flow is
> not dissimilar.
>
> I think this is more a case of a crowded space - where crowd means more
> than one solution - than that there are not willing identity providers.
>
> I still believe there is a reformulation of Persona wherein the assertion
> and certificate concatenation is embedded as a chain in a JWT. Persona is
> practically isomorphic to OIDC, as I read them.

We just got through an initial round of adding OIDC support to Firefox
Accounts, so I wanted to add a quick comment on two important ways that
it differs from Persona:

1) Authority delegation

Both OIDC and Persona generate "identity assertions" that can be
verified by the relier, but in OIDC the assertion must come directly
from the Identity Provider. Persona's assertions allow the IdP to
delegate assertion-generating authority to the browser (or the fallback
persona.org shim) rather than generating them directly.

2) Client registration

OIDC requires each relying website to register with each identity
provider, in order to establish e.g. the shared secret necessary to
complete a redirect-based OAuth flow. This is more-or-less required in
some form given (1), since the IdP has to deliver the assertion directly
to the relier.

OIDC does have a protocol for "dynamic client registration" but it
doesn't appear to be widely used in practice. Instead reliers must
register out-of-band with each IdP.

Taken together, the result is that your OpenID Connect IdP learns about
every relier to which you log in.

One of Persona's core design constraints was to provide privacy against
this sort of tracking. Unfortunately, in its current form Persona
relies on a centralized verifier service that *does* learn such
information, and learns it regardless of your choice of IdP.

Perhaps OIDC could be extended to provide similar protections at some
point in the future? It would be an interesting design challenge.


Cheers,

Ryan

Dirkjan Ochtman

Dec 15, 2015, 7:19:44 AM
to Ryan Kelly, dev-id...@lists.mozilla.org
On Tue, Dec 15, 2015 at 5:42 AM, Ryan Kelly <rfk...@mozilla.com> wrote:
> One of Persona's core design constraints was to provide privacy against
> this sort of tracking. Unfortunately, in its current form Persona
> relies on a centralized verifier service that *does* learn such
> information, and learns it regardless of your choice of IdP.

Not sure I get this. IIRC, most Persona implementations rely on the
centralized verifier service, but it's not something that Persona
requires; it's possible to verify assertions locally.

Cheers,

Dirkjan
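
The delegation Ryan Kelly describes and the local verification Dirkjan mentions, shown as an added example that is not part of any post in this thread and is not Persona's own code. It uses Ed25519 and a simplified JSON token in place of Persona's real key types and BrowserID wire format; `idp.example`, the function names and all sample values are constructed for illustration.

```javascript
// Added illustration: a simplified Persona-style chain, not the real BrowserID wire format.
const crypto = require("node:crypto");

const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const unb64 = (s) => JSON.parse(Buffer.from(s, "base64url").toString());

// Sign a JSON payload; returns "payload.signature" (constructed format, Ed25519 assumed).
function signToken(payload, privateKey) {
  const body = b64(payload);
  const sig = crypto.sign(null, Buffer.from(body), privateKey).toString("base64url");
  return `${body}.${sig}`;
}

// Verify a token against a public key; returns the payload or throws.
function openToken(token, publicKey) {
  const [body, sig] = token.split(".");
  const ok = crypto.verify(null, Buffer.from(body), publicKey, Buffer.from(sig, "base64url"));
  if (!ok) throw new Error("bad signature");
  return unb64(body);
}

// Relier-side local verification: no network call to the IdP or a central verifier.
function verifyLocally(bundle, idpPublicKeys, expectedAudience, now) {
  const [certTok, assertionTok] = bundle.split("~");
  const issuer = unb64(certTok.split(".")[0]).iss;
  const idpKey = idpPublicKeys[issuer]; // assumed: fetched once and cached per domain
  if (!idpKey) throw new Error("unknown issuer");
  const cert = openToken(certTok, idpKey);
  if (cert.exp <= now) throw new Error("certificate expired");
  if (cert.email.split("@")[1] !== cert.iss) throw new Error("issuer not authoritative for email");
  const userKey = crypto.createPublicKey({ key: cert.publicKey, format: "jwk" });
  const assertion = openToken(assertionTok, userKey);
  if (assertion.exp <= now) throw new Error("assertion expired");
  if (assertion.aud !== expectedAudience) throw new Error("audience mismatch");
  return cert.email;
}

// Constructed demo: the IdP certifies a browser key and never sees the audience.
function demo(audience, expected) {
  const now = 1450000000;
  const idp = crypto.generateKeyPairSync("ed25519");
  const browser = crypto.generateKeyPairSync("ed25519");
  const cert = signToken({ iss: "idp.example", email: "alice@idp.example", exp: now + 3600,
    publicKey: browser.publicKey.export({ format: "jwk" }) }, idp.privateKey);
  const assertion = signToken({ aud: audience, exp: now + 120 }, browser.privateKey);
  return verifyLocally(`${cert}~${assertion}`, { "idp.example": idp.publicKey }, expected, now);
}
```

The IdP's key signs only the certificate, while the relier's origin appears only in the browser-signed assertion, so neither the IdP nor a central verifier has to learn which site the user logged in to.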

Ryan Kelly

Dec 15, 2015, 3:39:46 PM
to Dirkjan Ochtman, dev-id...@lists.mozilla.org
In theory yes; in practice it's been strongly discouraged while waiting
for data formats etc to be finalized.

Don't get me wrong, I think this is a *great* feature of Persona's
design and a clear advantage over OIDC. But I also think that as
deployed today, most users are not getting the benefit of it in practice.


Cheers,

Ryan

Andrew Ducker

Dec 17, 2015, 10:28:07 AM
On Tuesday, 15 December 2015 20:39:46 UTC, Ryan Kelly wrote:
> On 15/12/2015 23:19, Dirkjan Ochtman wrote:
> > On Tue, Dec 15, 2015 at 5:42 AM, Ryan Kelly <rfk...@mozilla.com> wrote:
> >> One of Persona's core design constraints was to provide privacy against
> >> this sort of tracking. Unfortunately, in its current form Persona
> >> relies on a centralized verifier service that *does* learn such
> >> information, and learns it regardless of your choice of IdP.
> >
> > Not sure I get this. IIRC, most Persona implementations rely on the
> > centralized verifier service, but it's not something that Persona
> > requires; it's possible to verify assertions locally.
>
> In theory yes; in practice it's been strongly discouraged while waiting
> for data formats etc to be finalized.


Yes, this. This came up repeatedly on the group before. Waiting for Persona to stabilise the data formats so that local verification was the standard way forward, and also to move to the Goldilocks approach, so that it acted purely as a login provider (and didn't log you out all by itself), are two of the things that were sadly never completed.

Both of them would make Persona more generally adoptable, IMHO.

Incidentally, there was mention that after the all-hands there would be an announcement about Persona. Are we any closer to that?

Thanks,

Andy

Christopher Karlof

Dec 17, 2015, 12:47:44 PM
to Andrew Ducker, dev-identity
Yes we are. We’re getting our ducks in a row internally, and the x-mas
holiday isn’t helping. :)

We’re planning a public announcement by Jan 11, 2016.

-chris


Jesus Cea

Dec 20, 2015, 12:22:50 AM
to dev-id...@lists.mozilla.org
On 11/12/15 18:40, Melvin Carvalho wrote:
> +1 to properly decentralized, a large % of the internet has been waiting
> for this for almost a decade. Ideally using PKI. Problem is that everyone
> thinks it's impossible!

OpenID did it quite a long time ago.

Melvin Carvalho

Dec 21, 2015, 4:16:39 AM
to Jesus Cea, dev-id...@lists.mozilla.org
On 20 December 2015 at 06:22, Jesus Cea <jc...@jcea.es> wrote:

> On 11/12/15 18:40, Melvin Carvalho wrote:
> > +1 to properly decentralized, a large % of the internet has been waiting
> > for this for almost a decade. Ideally using PKI. Problem is that everyone
> > thinks it's impossible!
>
> OpenID did it quite a long time ago.
>

OpenID, OAuth and OpenID Connect all go through a web service acting as a
trusted third party. Meaning that they know every time you log in, or can
impersonate you. True PKI is a relationship between you and the service
provider.

We have a slightly strange situation where those services which are trusted
third parties are also big browser manufacturers, webmail providers, and
PRISM partners, so they have no incentive to provide such a service.

Mozilla may be a slight exception here, and therefore, offer a little hope.



Randall Leeds

Dec 21, 2015, 4:20:56 AM
to Melvin Carvalho, Jesus Cea, dev-id...@lists.mozilla.org
OIDC has self-issued providers, but a browser would have to implement it. I
think that it could act a lot like Persona were it used. If the claims
included a certified email address then the situation would be very much
like Persona, indeed.
