Persona: more privacy, better security while making developers and users happy!

Tristan Nitot


In the spirit of showing what (and who) is beyond the code that powers Mozilla technology, I’m interviewing Lloyd Hilaiel, a Mozilla employee working remotely from Denver, Colorado. Lloyd, can you introduce yourself quickly?

Lloyd Hilaiel – I’m Lloyd Hilaiel, the technical lead for Mozilla Persona. I build software that matters with people who care.

Tristan Nitot – For those of us who don’t know what Persona is, can you tell us which problem we are trying to solve?

Lloyd – The problem we’re trying to solve is that passwords are terrible. They’re hard to remember, hard to type (especially on your phone), and given user behaviors – they don’t provide nearly as much security as people expect.

Persona is an answer to this problem: an open authentication system for the web that when fully realized will make it so users can safely use the same email address and password to log into all the sites they care about.

Tristan – Why should users care?

Lloyd – Users should care because they’re going to be able to log into websites with just a few clicks, and they are going to spend less time agonizing over frustrating password reset processes.

As people use more and more online tools, the tradition of per-site passwords becomes more and more hostile to users. With Persona, we want to change this. We want people to be able to worry less about privacy and security, and get more of it.

Tristan – Why should developers care?

Lloyd – When developers choose Persona for authentication, they basically get three things:

  • A great user experience because the sign-in flow is streamlined.
  • They don’t have to maintain all the code that does email verification, password handling or password reset. This means more time to focus on actual features!
  • They don’t have to handle a user’s password, so there is less risk for users if the server gets compromised.

In short, developers get a better sign-in flow, less development time, and reduced risk. There’s much more detailed information about Beta 2 for developers in the Mozilla Hacks blog, which also helps you get started implementing Persona.

Tristan – Please allow me to play devil’s advocate for a second: why is Mozilla one of the few organizations to do this kind of thing? Why not Facebook or Twitter?

Lloyd – Facebook and Twitter have staggering user populations and have made types of communication and even social movements possible that are inspiring. Both, however, are businesses whose success criteria are related to the number of users they have and the level of engagement of these users.

So while Facebook and Twitter already have “one click sign-on” solutions available that allow massive convenience, they’re very tightly coupled with the core purpose of these platforms: social interaction. Facebook and Twitter sign-in conflate the act of signing into a website with sharing access to your social network, and often granting the site permission to publish on your behalf. Sometimes this is what a user wants, but far too often it’s absolutely not. People get really upset when advertisements or high scores are broadcast to their friends unexpectedly. The final problem with these existing solutions is that they are built in such a way that social providers have full visibility into a user’s browsing behavior, and improving the privacy of social sign-in is a really hard problem.

The solution is to decouple sign-in and permission-to-publish. We should make them distinct user interactions with distinct language and branding. This simple change allows people to express their desires clearly and naturally.

Tristan – Yes, but why Mozilla?

Lloyd – Mozilla is in a position to fix this because our goals resonate deeply with the privacy, security, and convenience of Persona as a solution to the problem of sign-in on the web. Further, we’re willing to invest heavily in a project that will pay us back not monetarily, but in the form of a meaningful improvement in the Internet as a global public resource.

While this may sound lofty and unbelievable, let’s explore it by digging into how Persona works: it is designed from the ground up to be federated and distributed. Practically speaking, that means once we are successful, Mozilla itself will not actually be running a centralized service. Browser vendors will build the client pieces, websites and email providers the server bits, and Mozilla will be almost completely out of the sign-in transaction (Firefox, of course, in all of its flavors will have a native implementation of Persona which is the client component of sign-in).

Making this kind of investment to bootstrap a fully distributed protocol that is imbued with our values, a project whose success is defined by it gaining a life of its own and being an asset of the internet community at large rather than just Mozilla, and having the support and trust of the community to do so responsibly, is not something that anyone else can do. This is a Mozilla thing.

Tristan – Where are we in its development, what have we done so far, what’s the timeline?

Lloyd – Persona right now is ready for anyone to use at any scale. The system is highly available, and we’ve got enough users right now that we treat the service as stable – this affects how we grow the feature set, weigh the priority of bugs, respond to outages, and interact with our users.

In terms of feature set, we’ve now got a first time user experience that is great – It’s really on par or better than what you might find on a website with a traditional login system.

Tristan – What makes you excited about Persona?

Lloyd – I’m personally excited about the project because I think we’re solving a meaningful problem. I’ve heard so many stories of people frustrated with passwords, I’ve seen lots of user research that supports this, and I’m personally affected several times a month. People really have a visceral reaction when you tell them you’re going to get rid of passwords and make sign in better. People want this.

The other thing that has me excited is the size and quality of the community supporting Persona. Mozilla volunteers are the reason we support over 30 languages. Early adopters have been so supportive, and have given us amazing feedback and contributions.

I consider myself privileged to work with a worldwide community of people who contribute to the project simply because they think it’s important, and it makes every week exciting.

Tristan – I agree, Mozilla’s community is fantastic! Can you tell me what the latest Persona news is? Why is it exciting?

Lloyd – We just launched Beta 2! This is huge for Persona and includes a feature called “identity bridging” – We’ve made it so the hundreds of millions of users out there with yahoo.com email addresses can use an existing email and password to log into websites. In the coming months we’re going to roll out support for other popular Webmail providers.

This means a user who’s never used a site before, and never used Persona before, can log in in seconds.

Tristan – Now, what’s next for Persona?

Lloyd – In the coming months we’re planning for improved browser support, interaction refinements, and performance improvements that I think are really going to tip the scales. Additionally this year native Persona support will be available to people who use Firefox OS based phones and will land in desktop and mobile Firefox – which will further streamline the sign-in experience and result in a massive number of users who are familiar with the system.

Related to Beta 2, we’re going to extend Identity Bridging support to include a couple more major email providers to make it so half of the worldwide Internet population can sign in via Persona with their existing email and password.

Beyond these concrete plans, the near future is all about listening to users and developers. Through this we’ll make the sign-in experience even better and further reduce developer friction to integrate Persona in any environment.

Tristan – Lloyd, thank you very much for your time. We’re all wishing the best to Persona!

2 responses

  1. sushubh wrote:

    https://hacks.mozilla.org/2013/04/persona-2-beta-launch/ link is broken. :)

    https://hacks.mozilla.org/2013/04/persona-beta-2-launch/ is the correct one.

  2. Pingback from Mise à jour de Persona, le système d'authentification centralisée de Mozilla - Dépannage informatique:

    [...] a service similar to OpenID that lets you centralize your various online passwords. The big new feature of beta version 2 is that it offers authentication on all compatible sites via your Yahoo address [...]