Mozilla’s Universal Login Solution “Persona” Hits Beta

Usernames and passwords are a rather cumbersome way to establish your identity. Any seasoned internet user will tell you never to use the same password across multiple websites, and always to keep complex, hard-to-guess passwords. What that essentially boils down to is telling someone to remember a growing array of complex sequences of letters, numbers and symbols, which after a point is just not feasible.

Today an average internet user will likely be registered for several email, social media, and professional web services. Power users might have many more. A quick look at my password manager reveals that there are login details for over 600 websites stored in it. Would it really be feasible to remember all that?

Therein lies the charm of delegating logging in and registration to services such as Facebook, Twitter and Google. Through one account you can log into many more.

For quite a while now, Mozilla has been working on a similar solution that will make remembering dozens of passwords a thing of the past. It started off years ago and was for some time known as BrowserID. Recently it was renamed to Mozilla Persona, and now it has finally reached its beta stage.

While the name “Persona” makes sense for a universal sign-in technology, it is also a little confusing. You see, Mozilla already has a completely different product called Persona. Persona was Mozilla’s technology for lightweight Firefox themes. You can still browse a list of Personas at getpersonas.com and the feature is still available in Firefox, but is now called Themes.

Twitter, Facebook and Google have become popular near-universal solutions for logging into different websites. Many websites now let you sign up or log into their services without needing to remember yet another login ID and password. If you are already logged into Facebook, Twitter or Google, usually signing into these websites is very simple, and just a few clicks away. Often you can even sign up using these services, in which case you need not enter all your private details all over again.

While this is obviously convenient, it does have its share of flaws. First of all, if you don’t already have an account on one of these services, you are required to sign up for one. If you are trying to create an account with somewebsite.com, it implies you are willing to share some of your personal data with them (your name, your email ID, and possibly other details). However, you might not be interested in sharing those details with yet another website just to get access to somewebsite.com. Signing up also requires you to agree to the terms and conditions for creating such an account, and to continue to accept any changes they make to their terms of service. Your account on one website is at the mercy of another, and if your account is blocked for any reason, you could lose access to many sites. Or, if for some reason your country decides to block access to the service, you are locked out of any dependent services as well.

Additionally, websites such as Google and Facebook ask you to use your real name, which might not be to your liking. Each time you sign up to a service using a third-party ID, the third party is obviously made aware of which services you use. This might not be acceptable to you. In the end it is also important to know that right now Twitter, Facebook and Google all provide a free service, and in providing that free service they may have a vested interest in your personal data for targeted ads. Now, we don’t mean to say that these services are misusing your data, just that they have the capacity to get access to it, and that can be worrying enough.

Of course, it is always possible for a website to give you the alternative of using its own registration and sign-in process, and most do. However, websites that rely solely on third-party login solutions are becoming more common.

So the advantages of a third-party sign-in solution are that you do not need to remember your login ID and password for each website, and that you don’t need to fill in your personal details for each website you sign up for. This second advantage isn’t even used by all websites. What if there was a third-party system that could give you the benefit of a single authentication system with access to many websites, without the excessive reliance on a third party and while giving away a minimal amount of personal data?

This is what Mozilla Persona aims to be: an alternative that provides similar conveniences while removing many of the drawbacks. Mozilla Persona requires minimal personal data; all it needs is your email ID, and you can begin using it to log in to other websites. If the website you are signing up for requires additional data, that information is separate from Persona.

Persona then fulfils two purposes. For users, it is a way of specifying their identification profile, similar to an ID badge. For those running a website, an email ID that is backed by Persona is one that is verified to be real, since the user would have to verify it while signing up. The only ID the web service needs to know and get is the email ID, which is universal, and Persona will tell them if the user is who they claim to be.

Since a persona is locked to an email ID it is possible to have multiple different Personas for different websites, possibly even using different names, whereas with Facebook it is not possible—or more accurately not allowed by the guidelines—to create multiple accounts. If you need to sign in with a different account you need to sign out of the one you are already using.

Persona is also a decentralized system. You need not use Mozilla’s servers for authentication; you can run your own server or use a server run by another party. It is open, just like email. It also works on all browsers, even on mobiles, and is especially convenient there, where typing complex passwords can be painful.

Mozilla Persona itself is a Node.js based server that is open sourced in Mozilla fashion. A number of plug-ins are also available for integrating it in different CMSs and frameworks. For the end user, using Persona is simple enough. Once you have an account, all you do is click on a Persona-enabled sign-in button, enter your email ID and password in the Persona sign in window, and click a button to sign in. Not much different from any other system. If you are already signed in, you just click the sign in button, and verify that you want to sign in, and that will be all.

For developers, the process of using Persona isn’t that difficult. The developer needs to include a single JavaScript file, and include some JavaScript code. When a user clicks on the sign in button Persona handles getting the user’s credentials and verifying them, and it provides an “identity assertion”. This is a single-use value that is dependent on the user’s email ID, and the website being logged into. This assertion can then be tested for validity by checking with the Mozilla Persona verification service. If the assertion is valid, you have a successful login.
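The server-side half of this flow, as an added example that is not from the original article or from Mozilla's code: it builds the request a site would send to the verification service and decides whether the reply authorises a login, tying the assertion to this website and rejecting stale ones. The response field names are assumed to follow Mozilla's remote verification API; `SITE_AUDIENCE`, the function names and all sample values are constructed for illustration.

```javascript
// Added example. Response fields (status, email, audience, expires, reason)
// are assumed to follow Mozilla's remote verification API; values are constructed.

// Fixed in server configuration, never read from the request (e.g. Host header),
// so an assertion issued for a different website is not accepted here.
const SITE_AUDIENCE = "https://shop.example:443"; // hypothetical site origin

// Body the server would POST to the verification service.
function buildVerifyRequest(assertion) {
  if (typeof assertion !== "string" || assertion.length === 0) {
    throw new TypeError("assertion must be a non-empty string");
  }
  return { assertion, audience: SITE_AUDIENCE };
}

// "https://host" and "https://host:443" normalise to the same origin.
function originOf(value) {
  try { return new URL(value).origin; } catch { return null; }
}

// Decide whether a verifier response authorises a login on this site.
function evaluateVerifierResponse(resp, nowMs = Date.now()) {
  if (!resp || resp.status !== "okay") {
    return { ok: false, reason: (resp && resp.reason) || "status not okay" };
  }
  const got = originOf(resp.audience);
  if (got === null || got !== originOf(SITE_AUDIENCE)) {
    return { ok: false, reason: "audience mismatch" };
  }
  if (typeof resp.expires !== "number" || resp.expires <= nowMs) {
    return { ok: false, reason: "assertion expired" };
  }
  if (typeof resp.email !== "string" || !resp.email.includes("@")) {
    return { ok: false, reason: "no email in response" };
  }
  return { ok: true, email: resp.email };
}

// Constructed verifier responses, evaluated against a constructed clock.
const NOW = 1349000000000;
const base = { status: "okay", email: "alice@mail.example",
               audience: "https://shop.example", expires: NOW + 120000 };
const SAMPLES = {
  valid: base,
  otherSite: { ...base, audience: "https://forum.example" },
  expired: { ...base, expires: NOW - 1 },
  rejected: { status: "failure", reason: "constructed failure text" },
};
for (const [n, r] of Object.entries(SAMPLES)) console.log(n, evaluateVerifierResponse(r, NOW));
```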

There is a lot more to know and understand about Mozilla Persona. A quick guide to setting it up on your own website can be found here, and more technical information is available at the Mozilla Developer Network. For more general information and to sign up, you can visit Mozilla’s new Persona.org website.
