Mar 11 2014

Persona is dead, long live Persona

The transition period was really tough for me. It felt like we were killing Persona. But more like tying a rope around it and dragging it behind us as we road tripped to Firefox OS Land. I first argued against this. Then, eventually I said let’s at least be humane, and take off the rope, and put a slug in its head. Like an Angel of Death. That didn’t happen either. The end result is one where Persona fights on.

Persona is free open source software, and has built up a community who agree that decentralized authentication is needed on the Internet. I still think Persona is the best answer in that field, and the closest to becoming the answer. And it’s not going away. We’re asking that the Internet help us make the Internet better.

Firefox Accounts

In the meantime I’ll be working on our Firefox Accounts system, which understandably could not rely entirely on Persona[1]. We need to keep Firefox competitive, since it’s what pays for us to do all the other awesomizing we do. Plus, as the Internet becomes more mobile and more multi-device, we need to make sure there is an alternative that puts users first. A goal of Firefox Accounts is to be pluggable, and to integrate with other services on the Web. Why should your OS demand you use their siloed services? If you want to use Box instead of iCloud, we want you to use it.

How does this affect Persona? We’re actually using browserid assertions within our account system, since it’s a solved problem that works well. We’ll need to work on a way to get all sorts of services working with your FxAccount, and it might include proliferating browserid assertions everywhere[2]. As we learn, and grow the service so that millions of Firefox users have accounts, we can explore easing them into easily and automatically being Persona users. This solves part of the chicken-egg problem of Persona, by having millions of users ready to go.

I’d definitely rather this have ended up differently, but I can also think of far worse endings. The upside is, Persona still exists, and could take off more so with the help of Firefox. Persona is dead, long live Persona!

  1. Sync needs a “secret” to encrypt your data before it’s sent to our servers. The easiest solution for users is to provide us a password, and we’ll stretch that and make a secret out of it (so, we don’t actually know your password). Persona doesn’t give us passwords, so we can’t use it. 

  2. Where “browserid” assertions are accepted, Persona support can also be found. 
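Footnote 1's idea, sketched as an added example (this is not Mozilla's code and not the actual Firefox Accounts protocol): the client stretches the password, then derives one value to prove identity to the server and a separate key that encrypts data and never leaves the device. The salt string, labels, iteration count and function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const ITERATIONS = 100000; // assumed work factor for this sketch

// Client: stretch the password once, salted per account.
function stretch(email, password) {
  return crypto.pbkdf2Sync(password, 'example-stretch:' + email, ITERATIONS, 32, 'sha256');
}

// Client: split the stretched value into two independent 32-byte secrets.
// Knowing authToken does not reveal syncKey, because both are HMAC outputs
// keyed by the stretched password under different labels.
function deriveKeys(stretched) {
  const label = (l) => crypto.createHmac('sha256', stretched).update(l).digest();
  return { authToken: label('auth'), syncKey: label('sync') };
}

// Server: sees only authToken and stores a salted hash of it.
function serverRegister(authToken) {
  const salt = crypto.randomBytes(16);
  const verifier = crypto.createHmac('sha256', salt).update(authToken).digest();
  return { salt, verifier };
}

// Server: recompute and compare in constant time.
function serverLogin(record, authToken) {
  const candidate = crypto.createHmac('sha256', record.salt).update(authToken).digest();
  return crypto.timingSafeEqual(candidate, record.verifier);
}

// Client: encrypt with AES-256-GCM before anything is uploaded.
function encryptForUpload(syncKey, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', syncKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Client on another device: same password, same key, data decrypts.
function decryptAfterDownload(syncKey, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', syncKey, blob.iv);
  d.setAuthTag(blob.tag);
  return Buffer.concat([d.update(blob.ct), d.final()]).toString('utf8');
}
```

An identity assertion alone gives the client nothing to derive `syncKey` from, which is the gap the footnote describes.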

Nov 5 2013

client-sessions v0.4.0

We released v0.4.0 of client-sessions today, despite all the npm bumpiness. Here’s the changelog:

  • add activeDuration with default to 5 minutes
  • add checking for native Proxy before using node-proxy
  • add cookie.ephemeral option, default false
  • add constant-time check
  • adds self-aware check. won’t override req.session if already exists
  • fix wrong handling of utf8 replacement character
  • fix http expiry of cookie to match duration
  • fix updating cookie expiry whenever duration/createdAt changes

Aug 8 2013

Gmail Bridge for Persona

Since shifting to the Identity team last year, I’ve been working hard on making Persona a true solution to the login problem of the web. As I said then:

If we do our job right, eventually when my friends ask me what I do, I can say: I helped make it so you no longer need to use passwords everywhere. I helped make your online identity more secure. I helped make signing into the Internet awesomer.

We’re getting closer.

What is the Gmail Bridge?

Today, we’re announcing to the world that our Gmail Identity Bridge is online. Excuse me. What? No, I’m fine. It’s alright, it’s actually quite simple.

The way Persona normally works, after checking to see if your email provider natively supports the protocol, is that Persona will fall back to what we call a secondary provider. This is the point where most users end up creating a password for Persona, and then going to their email to verify to us that they really own their email address. If the email provider did support the protocol, they would get sent over to them to authenticate, and we’d step out of the way.

So, we made an Identity Bridge that we host, and that uses Google’s OpenID endpoint to verify the user. The experience is pretty much exactly what it should feel like if there was native support from Google.

Why this matters

With both Gmail and Yahoo bridges online, over half of all users are just a couple clicks away from logging in with Persona.

So how does this affect you? If you have a website that has user accounts, you can switch to using Persona as your authentication system. In most cases, it should be a better experience for your users, and easier for you.

If you don’t have a website, you can still help. Find a website you log in to frequently, and ask them to implement Persona. Tell them about this new bridging. Push for the change.

Soon, everyone will notice: we made signing into the Internet awesomer.

Feb 14 2013

What we know for sure is this: monocultures always make more & faster progress in the near term when they’re stewarded by strong, vibrant leaders. But over time you get stuck. Companies change, sensibilities change. And then you’ve got all the technology, and all talent, and all of the best thinkers, all trapped on one technology stack.

John Lilly on everyone switching to WebKit