Johannes Ernst took the time to evaluate Persona and wrote up his thoughts in a post entitled “Mozilla Persona: nicely made but who has the incentive to adopt it?”
The following is my personal take on (a small portion of) the Persona market strategy.
“Persona’s #1 selling feature is privacy.”
This was a guiding design principle, no doubt about it. It absolutely is not our #1 selling feature.
Our team wants to help mainstream users. Sadly, privacy (and security) aren’t their main concern.
Johannes makes some good points about Google’s use of OpenID: losing visibility into where their users sign in could count against Persona when Google evaluates it.
Here’s the thing. Our team has focused on the following stakeholders:
- Websites – Relying Parties (RP)
- Email providers – Identity Providers (IdP)
- Browser Vendors
- People using the web (Users)
For each of these, deep focus was put into the value proposition and finding the right balance in the technical details.
I’ve never been on such a large-scale Open Source project that focused on User Centered Design, Marketing, and Security.
Let’s take IdPs, which are Johannes’ main concern. If an IdP were to adopt Persona, it would get the following benefits:
- Organizations have the ability to control the security parameters for their domain
- Brand recognition on websites which use Persona.
- A SSO-like experience for enterprise, schools, and communities.
Without native IdP support, an organization that controls an SMTP-routable domain name is stuck with the email + password login of the Persona fallback IdP for every address at that domain. It cannot add two-factor authentication there. By running its own IdP, it controls the authentication step and can require YubiKeys, RSA tokens, SMS verification… whatever it chooses.
Once they control the security, they would be more inclined to use Persona across their family of websites. This integration is much easier than traditional methods and lowers expenses.
The brand recognition comes from controlling the login screen. IdPs already get this today with OpenID and OAuth, which I will call “Social Login” to simplify the argument. Social Login isn’t applicable to every RP.
We think that adding Facebook Connect filters out 15% of your new users. (We’d love to do a study and get reliable numbers here).
There is a long tail of websites which can’t use Social Login and will do authentication themselves. We think that Persona is viable for many of these websites. Thus a company can further spread their brand.
I agree with Johannes that Google won’t be the first large IdP. I don’t think that means Persona is irrelevant or destined to fail. Universities, email providers, and enterprises can improve their users’ security and smooth out login flows. Identity startups can start with a solid protocol and get Browser/Website integration for free.
The IdP is Only One Stakeholder
Those reasons are just some of the value propositions balanced against other factors during the design of Persona’s BrowserID protocol.
For RPs, there is a whole set of value propositions. Here are a few:
- No platform/vendor lock-in (email based)
- Easy to implement (lower cost)
- Works across devices
- Improves security (DROP COLUMN password: the RP no longer stores password hashes, so there is nothing to leak or crack)
- Consistent sign in across the web
- Lower cost of running an authentication system (no forgot-your-password flow, no verification emails to send, etc.)
Again, this list is non-exhaustive, and I haven’t touched upon the Browser Vendor or User value propositions, which were also designed for.
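To make the RP list above concrete, here is an added example (not code from the original post or from Mozilla) of what an RP that has dropped its password column actually runs at login: the browser hands it an assertion, the RP sends that assertion plus its own origin to a verifier, applies the checks that matter on the reply, and keeps only the verified email. The hosted verifier URL and the reply fields (status, email, audience, expires, issuer) follow the Persona verification API as it was documented at the time and are assumptions here; the sample replies are constructed, not captured traffic.

```python
"""Relying-party side of a Persona login: trade a BrowserID assertion for a verified email.
Added example; not code from the original post or from Mozilla."""
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Hosted verifier endpoint as documented by Persona at the time (assumption for this example).
VERIFIER_URL = "https://verifier.login.persona.org/verify"


class VerificationFailed(Exception):
    """Raised when the assertion cannot be accepted for this site."""


def verify_assertion(assertion, audience, post=None, now_ms=None):
    """Return the verified email address bound to `assertion`.

    `audience` is this site's own origin (scheme://host[:port]) and must come from
    server configuration, never from the request: the verifier checks that the
    assertion was issued for exactly this audience, which is what stops an
    assertion captured on another site from being replayed here.
    `post` lets a test supply the verifier reply instead of calling the network.
    """
    if not assertion or not isinstance(assertion, str):
        raise VerificationFailed("missing assertion")
    post = post or _post_form
    reply = post(VERIFIER_URL, {"assertion": assertion, "audience": audience})
    return check_verifier_reply(reply, audience, now_ms)


def check_verifier_reply(reply, expected_audience, now_ms=None):
    """Apply the checks an RP must make on the verifier's JSON reply."""
    if reply.get("status") != "okay":
        raise VerificationFailed(reply.get("reason", "verification failed"))
    # Defence in depth: the verifier echoes the audience it checked; confirm it is ours.
    if reply.get("audience") != expected_audience:
        raise VerificationFailed("audience mismatch")
    # `expires` is a millisecond epoch; refuse a stale reply even if the verifier did not.
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if int(reply.get("expires", 0)) <= now_ms:
        raise VerificationFailed("assertion expired")
    email = reply.get("email", "")
    if "@" not in email:
        raise VerificationFailed("no email in reply")
    return email


def login(users, assertion, audience, post=None, now_ms=None):
    """Sign a user in, creating the account on first sight.

    Note what is absent from the stored record: no password column, and therefore
    no reset flow and no verification email for the RP to send."""
    email = verify_assertion(assertion, audience, post, now_ms)
    return users.setdefault(email, {"email": email})


def _post_form(url, fields):
    """Real network call: POST the assertion and audience as a form to the verifier."""
    req = Request(url, data=urlencode(fields).encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def fake_verifier(reply):
    """Stand-in for the network call; returns a constructed verifier reply."""
    return lambda url, fields: dict(reply)


# Constructed sample replies in the verifier's documented shape (not real traffic).
OK_REPLY = {"status": "okay", "email": "alice@example.com", "audience": "https://rp.example",
            "expires": 4102444800000, "issuer": "login.persona.org"}
FAIL_REPLY = {"status": "failure", "reason": "assertion has expired"}

if __name__ == "__main__":
    users = {}
    print(login(users, "<assertion from navigator.id>", "https://rp.example",
                post=fake_verifier(OK_REPLY), now_ms=1_400_000_000_000))
```

The one value an RP must get right is the audience: it has to be the site's own origin from configuration. Deriving it from the incoming Host header, or accepting whatever email the client claims instead of the one the verifier returns, reintroduces exactly the account-takeover risks that dropping the password column was meant to remove.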
I agree with Johannes that some businesses will avoid Persona early on. Perhaps they want a Facebook Connect sign in for extended profile information and social graph.
That is fine.
Persona can help a lot of people use the web in an easier and more secure manner. It doesn’t have to be everybody on day one.
Johannes, you have a long history in this space. From meeting you, I know you care about user sovereignty (and many other important factors). Thanks for helping us find adoption problems with Persona.
Updated: linked to Serge Egelman’s paper. Thanks Francois!