Discussion:
Persona login UI suggestion
Chris Peterson
2015-10-23 17:51:58 UTC
Permalink
When I log into a Persona site, I'm always a little frustrated that
after clicking the "next" button on the Persona login window's email address
page, I must move my mouse one inch to the right to click the password
page's "sign in" button. It would be very convenient if the "sign in"
button was positioned "behind" the "next" button so users could just
click-click without moving the mouse.

Perhaps this would be too convenient? Google's two-page login doesn't do
this. Their password page's "Password" field, not the "Sign In" button,
is positioned "behind" their email address page's "Next" button. I guess
that makes it easy for the user to click input focus to the "Password"
field (though the field already steals input focus, so it is redundant).
Edwin Wong
2015-11-11 21:48:31 UTC
Permalink
Definitely something to note for future UX designs... but Persona, the
service hosted by Mozilla, is being decommissioned in late 2016.

*sad trombone*

-edwin
Christopher Karlof
2015-11-12 00:19:29 UTC
Permalink
Hi all,

We haven't provided much visibility on our Persona plans in a while. Sorry
about that, and here's a brief update:

There are ongoing discussions within Mozilla about Persona's future. Due to
lack of adoption, one possibility involves decommissioning the service, but
no specific decisions have been made. We expect to make decisions during
the Mozilla all-hands meeting next month, and have a formal announcement
shortly thereafter. In the event that Persona *is* decommissioned, we will
provide *at least* 9 months of notice, so there are no actions that need to
be taken right now. Persona continues to be monitored and supported, though
there is still no new feature development.

-chris
Jan Wrobel
2015-11-12 11:49:00 UTC
Permalink
Hi,

Can you share the numbers about the adoption (how many sites and users
use Persona)? I depend on Persona in production as the only
authentication option, and people are happy with it.

Kind regards,
Jan
Christopher Karlof
2015-11-12 18:20:42 UTC
Permalink
Hi Jan,

We plan on sharing some adoption numbers in the broader communication I
mentioned in my previous email.

-chris
Jesus Cea
2015-12-05 03:45:23 UTC
Permalink
Post by Jan Wrobel
Can you share the numbers about the adoption (how many sites and users
use Persona)? I depend on Persona in production as the only
authentication option, and people are happy with it.
I stopped deploying Persona in summer 2014, after a few email exchanges
that proved to me that: a) Mozilla was pretty clearly abandoning the
platform, and b) Persona design REQUIRES a trusted third party (Mozilla)
in order to work. By design.

Very sad decision, and I have been lurking in the mailing list hoping that
wind would change...

Too bad.
Andrew Ducker
2015-12-11 09:13:05 UTC
Permalink
Post by Jesus Cea
I stopped deploying Persona in summer 2014, after a few email exchanges
that proved to me that: a) Mozilla was pretty clearly abandoning the
platform, and b) Persona design REQUIRES a trusted third party (Mozilla)
in order to work. By design.
Yeah - (b) there basically prevents any large third party from deploying it. No large internet presence is going to deploy a login system that passes everything through a third party. And without a large third party as an example it wasn't getting buy-in. It's a shame it never got there.

Andy
Randall Leeds
2015-12-11 17:21:22 UTC
Permalink
Every popular social login passes through a third party and it really
doesn't seem to be a barrier.
Andrew Ducker
2015-12-11 17:25:23 UTC
Permalink
Post by Randall Leeds
Every popular social login passes through a third party and it really
doesn't seem to be a barrier.
I can't see Google agreeing that every time you visit them it will go through Mozilla. Or Facebook. Or Twitter. To get any of the big companies on board it needs to be properly decentralised, so that they don't have a dependency on a third party to validate every login. Otherwise it's more in their interests to do it themselves.
Richard S. Hall
2015-12-11 17:37:50 UTC
Permalink
Post by Andrew Ducker
Post by Randall Leeds
Every popular social login passes through a third party and it really
doesn't seem to be a barrier.
I can't see Google agreeing that every time you visit them it will go through Mozilla. Or Facebook. Or Twitter. To get any of the big companies on board it needs to be properly decentralised, so that they don't have a dependency on a third party to validate every login. Otherwise it's more in their interests to do it themselves.
Google et al. would probably do whatever their customers demanded, but
the average person doesn't really care about identity management.

-> richard
Melvin Carvalho
2015-12-11 17:40:52 UTC
Permalink
Post by Andrew Ducker
Post by Randall Leeds
Every popular social login passes through a third party and it really
doesn't seem to be a barrier.
I can't see Google agreeing that every time you visit them it will go
through Mozilla. Or Facebook. Or Twitter. To get any of the big companies
on board it needs to be properly decentralised, so that they don't have a
dependency on a third party to validate every login. Otherwise it's more
in their interests to do it themselves.
+1 to properly decentralized, a large % of the internet has been waiting
for this for almost a decade. Ideally using PKI. Problem is that everyone
thinks it's impossible!
Adrian Gropper
2015-12-11 17:43:15 UTC
Permalink
Blockchain-based decentralized ID might be possible.
Randall Leeds
2015-12-11 17:45:45 UTC
Permalink
You can run your own Persona verifier, but then it's on you to do the email
verification.

This is the route that someone like Google would take. Nothing about
Persona's architecture prohibits this. There is no requirement for a third
party at all if the identity provider and the application are controlled by
the same entity.
Randall Leeds
2015-12-11 17:46:37 UTC
Permalink
I said "verifier" but I meant both identity provider and verifier.
Melvin Carvalho
2015-12-11 17:56:42 UTC
Permalink
Post by Randall Leeds
You can run your own Persona verifier, but then it's on you to do the
email verification.
This is the route that someone like Google would take. Nothing about
Persona's architecture prohibits this. There is no requirement for a third
party at all if the identity provider and the application are controlled by
the same entity.
Yes it's possible. But I think the Persona experiment has proved that no
one does this in practice. Ideal is for the browser to take care of this,
but as I say, most think that it can't be done.
Randall Leeds
2015-12-11 22:49:55 UTC
Permalink
Post by Melvin Carvalho
Post by Randall Leeds
You can run your own Persona verifier, but then it's on you to do the
email verification.
This is the route that someone like Google would take. Nothing about
Persona's architecture prohibits this. There is no requirement for a third
party at all if the identity provider and the application are controlled by
the same entity.
Yes it's possible. But I think the Persona experiment has proved that no
one does this in practice. Ideal is for the browser to take care of this,
but as I say, most think that it can't be done.
And yet, OAuth2 and OpenID Connect have received adoption and the flow is
not dissimilar.

I think this is more a case of a crowded space - where crowd means more
than one solution - than that there are not willing identity providers.

I still believe there is a reformulation of Persona wherein the assertion
and certificate concatenation is embedded as a chain in a JWT. Persona is
practically isomorphic to OIDC, as I read them.
Ryan Kelly
2015-12-15 04:42:52 UTC
Permalink
Post by Randall Leeds
And yet, OAuth2 and OpenID Connect have received adoption and the flow is
not dissimilar.
I think this is more a case of a crowded space - where crowd means more
than one solution - than that there are not willing identity providers.
I still believe there is a reformulation of Persona wherein the assertion
and certificate concatenation is embedded as a chain in a JWT. Persona is
practically isomorphic to OIDC, as I read them.
We just got through an initial round of adding OIDC support to Firefox
Accounts, so I wanted to add a quick comment on two important ways that
it differs from Persona:

1) Authority delegation

Both OIDC and Persona generate "identity assertions" that can be
verified by the relier, but in OIDC the assertion must come directly
from the Identity Provider. Persona's assertions allow the IdP to
delegate assertion-generating authority to the browser (or the fallback
persona.org shim) rather than generating them directly.

2) Client registration

OIDC requires each relying website to register with each identity
provider, in order to establish e.g. the shared secret necessary to
complete a redirect-based OAuth flow. This is more-or-less required in
some form given (1), since the IdP has to deliver the assertion directly
to the relier.

OIDC does have a protocol for "dynamic client registration" but it
doesn't appear to be widely used in practice. Instead reliers must
register out-of-band with each IdP.

Taken together, the result is that your OpenID Connect IdP learns about
every relier to which you log in.

One of Persona's core design constraints was to provide privacy against
this sort of tracking. Unfortunately, in its current form Persona
relies on a centralized verifier service that *does* learn such
information, and learns it regardless of your choice of IdP.

Perhaps OIDC could be extended to provide similar protections at some
point in the future? It would be an interesting design challenge.


Cheers,

Ryan
Dirkjan Ochtman
2015-12-15 12:19:18 UTC
Permalink
Post by Ryan Kelly
One of Persona's core design constraints was to provide privacy against
this sort of tracking. Unfortunately, in its current form Persona
relies on a centralized verifier service that *does* learn such
information, and learns it regardless of your choice of IdP.
Not sure I get this. IIRC, most Persona implementations rely on the
centralized verifier service, but it's not something that Persona
requires; it's possible to verify assertions locally.

Cheers,

Dirkjan
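An added example (not part of the thread, and not Persona's own code) of the authority delegation Ryan Kelly describes and the local verification Dirkjan mentions: the IdP certifies a browser-held key once, the browser signs an audience-bound assertion itself, and the relier checks both signatures without contacting the IdP at login time. Ed25519, the simplified token layout, and all function names and domains are assumptions made for illustration.

```javascript
// Added illustration: Ed25519 and a simplified "payload.signature" token
// stand in for the JWT-style certificates and assertions Persona used.
const crypto = require('crypto');

const enc = (buf) => Buffer.from(buf).toString('base64');
const dec = (s) => Buffer.from(s, 'base64');

// Sign a JSON payload; returns "base64(payload).base64(signature)".
function signToken(payload, privateKey) {
  const body = enc(JSON.stringify(payload));
  return `${body}.${enc(crypto.sign(null, Buffer.from(body), privateKey))}`;
}

// Check the signature and return the payload, or throw.
function openToken(token, publicKey) {
  const parts = token.split('.');
  if (parts.length !== 2) throw new Error('malformed token');
  if (!crypto.verify(null, Buffer.from(parts[0]), publicKey, dec(parts[1]))) {
    throw new Error('bad signature');
  }
  return JSON.parse(dec(parts[0]).toString('utf8'));
}

// IdP side: certify that this browser key speaks for this email address.
// The IdP sees the email and the key, but no relier is named here.
function idpIssueCertificate(idp, email, userPublicKey, now, ttl) {
  const spki = userPublicKey.export({ type: 'spki', format: 'der' });
  return signToken(
    { iss: idp.domain, principal: { email }, publicKey: enc(spki), exp: now + ttl },
    idp.privateKey
  );
}

// Browser side: sign a short-lived assertion bound to one relier and
// attach the certificate. The IdP takes no part in this step.
function browserMakeAssertion(certificate, userPrivateKey, audience, now, ttl) {
  return `${certificate}~${signToken({ aud: audience, exp: now + ttl }, userPrivateKey)}`;
}

// Relier side: local verification. idpKeys maps an IdP domain to the public
// key the relier has already obtained from that IdP's published key document.
function relierVerify(backed, expectedAudience, idpKeys, now) {
  const [certificate, assertion, ...rest] = backed.split('~');
  if (!certificate || !assertion || rest.length) throw new Error('malformed backed assertion');
  // Peek at the unverified issuer only to select a key; nothing else is trusted yet.
  const claimedIss = JSON.parse(dec(certificate.split('.')[0]).toString('utf8')).iss;
  const idpKey = idpKeys.get(claimedIss);
  if (!idpKey) throw new Error('unknown issuer');
  const cert = openToken(certificate, idpKey);
  if (cert.exp <= now) throw new Error('certificate expired');
  const email = cert.principal && cert.principal.email;
  if (typeof email !== 'string' || !email.endsWith('@' + cert.iss)) {
    throw new Error('issuer not authoritative for email');
  }
  const userKey = crypto.createPublicKey({ key: dec(cert.publicKey), format: 'der', type: 'spki' });
  const claims = openToken(assertion, userKey);
  if (claims.exp <= now) throw new Error('assertion expired');
  if (claims.aud !== expectedAudience) throw new Error('audience mismatch');
  return email;
}

// Constructed scenario: one IdP, one user, one relier, fixed clock.
function demo() {
  const now = 1450000000; // constructed timestamp, in seconds
  const idpPair = crypto.generateKeyPairSync('ed25519');
  const idp = { domain: 'example.org', privateKey: idpPair.privateKey };
  const idpKeys = new Map([['example.org', idpPair.publicKey]]);
  const user = crypto.generateKeyPairSync('ed25519');
  const other = crypto.generateKeyPairSync('ed25519');
  const relier = 'https://relier.example';

  const cert = idpIssueCertificate(idp, 'alice@example.org', user.publicKey, now, 3600);
  const backed = browserMakeAssertion(cert, user.privateKey, relier, now, 120);
  // Same certificate, but the assertion is signed by a key it does not certify.
  const mismatched = browserMakeAssertion(cert, other.privateKey, relier, now, 120);

  const check = (token, aud, at) => {
    try { return relierVerify(token, aud, idpKeys, at); }
    catch (e) { return `rejected: ${e.message}`; }
  };
  return {
    ok: check(backed, relier, now + 10),
    wrongAudience: check(backed, 'https://other.example', now + 10),
    stale: check(backed, relier, now + 600),
    wrongKey: check(mismatched, relier, now + 10),
  };
}
```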
Adrian Gropper
2015-12-15 13:15:38 UTC
Permalink
Here's a NIST white paper on this.

https://nccoe.nist.gov/projects/building_blocks/privacy-enhanced-identity-brokers

Comments are due by Dec. 18.

Adrian
Ryan Kelly
2015-12-15 20:39:39 UTC
Permalink
Post by Dirkjan Ochtman
Post by Ryan Kelly
One of Persona's core design constraints was to provide privacy against
this sort of tracking. Unfortunately, in its current form Persona
relies on a centralized verifier service that *does* learn such
information, and learns it regardless of your choice of IdP.
Not sure I get this. IIRC, most Persona implementations rely on the
centralized verifier service, but it's not something that Persona
requires; it's possible to verify assertions locally.
In theory yes; in practice it's been strongly discouraged while waiting
for data formats etc to be finalized.

Don't get me wrong, I think this is a *great* feature of Persona's
design and a clear advantage over OIDC. But I also think that as
deployed today, most users are not getting the benefit of it in practice.


Cheers,

Ryan
Andrew Ducker
2015-12-17 15:28:06 UTC
Permalink
Post by Ryan Kelly
Post by Dirkjan Ochtman
Post by Ryan Kelly
One of Persona's core design constraints was to provide privacy against
this sort of tracking. Unfortunately, in its current form Persona
relies on a centralized verifier service that *does* learn such
information, and learns it regardless of your choice of IdP.
Not sure I get this. IIRC, most Persona implementations rely on the
centralized verifier service, but it's not something that Persona
requires; it's possible to verify assertions locally.
In theory yes; in practice it's been strongly discouraged while waiting
for data formats etc to be finalized.
Yes, this. This came up repeatedly on the group before. Waiting for Persona to stabilise the data formats so that local verification was the standard way forward, and also to move to the Goldilocks approach, so that it acted purely as a login provider (and didn't log you out all by itself), are two of the things that were sadly never completed.

Both of them would make Persona more generally adoptable, IMHO.

Incidentally, there was mention that after the all-hands there would be an announcement about Persona. Are we any closer to that?

Thanks,

Andy
Christopher Karlof
2015-12-17 17:47:35 UTC
Permalink
Post by Ryan Kelly
Post by Ryan Kelly
Post by Dirkjan Ochtman
Post by Ryan Kelly
One of Persona's core design constraints was to provide privacy against
this sort of tracking. Unfortunately, in its current form Persona
relies on a centralized verifier service that *does* learn such
information, and learns it regardless of your choice of IdP.
Not sure I get this. IIRC, most Persona implementations rely on the
centralized verifier service, but it's not something that Persona
requires; it's possible to verify assertions locally.
In theory yes; in practice it's been strongly discouraged while waiting
for data formats etc to be finalized.
Yes, this. This came up repeatedly on the group before. Waiting for
Persona to stabilise the data formats so that local verification was the
standard way forward, and also to move to the Goldilocks approach, so that
it acted purely as a login provider (and didn't log you out all by itself),
are two of the things that were sadly never completed.
Both of them would make Persona more generally adoptable, IMHO.
Incidentally, there was mention that after the all-hands there would be an
announcement about Persona. Are we any closer to that?
Yes we are. We’re getting our ducks in a row internally, and the x-mas
holiday isn’t helping. :)

We’re planning a public announcement by Jan 11, 2016.

-chris
Jesus Cea
2015-12-20 05:22:05 UTC
Permalink
Post by Melvin Carvalho
+1 to properly decentralized, a large % of the internet has been waiting
for this for almost a decade. Ideally using PKI. Problem is that everyone
thinks it's impossible!
OpenID did it quite a long time ago.
Melvin Carvalho
2015-12-21 09:16:32 UTC
Permalink
Post by Melvin Carvalho
Post by Melvin Carvalho
+1 to properly decentralized, a large % of the internet has been waiting
for this for almost a decade. Ideally using PKI. Problem is that everyone
thinks it's impossible!
OpenID did it quite a long time ago.
OpenID, OAuth and OpenID Connect all go through a web service acting as a
trusted third party. Meaning that they know every time you login, or can
impersonate you. True PKI is a relationship between you and the service
provider.

We have a slightly strange situation where those services which are trusted
third parties are also big browser manufacturers, webmail providers, and
PRISM partners, so they have no incentive to provide such a service.

Mozilla may be a slight exception here, and therefore, offer a little hope.
Randall Leeds
2015-12-21 09:20:38 UTC
Permalink
OIDC has self-issued providers, but a browser would have to implement it. I
think that it could act a lot like Persona were it used. If the claims
included a certified email address then the situation would be very much
like Persona, indeed.
Melvin Carvalho
2015-11-12 00:38:10 UTC
Permalink
Post by Christopher Karlof
Hi all,
We haven't provided much visibility on our Persona plans in a while. Sorry
There are ongoing discussions within Mozilla about Persona's future. Due to
lack of adoption, one possibility involves decommissioning the service, but
no specific decisions have been made. We expect to make decisions during
the Mozilla all-hands meeting next month, and have a formal announcement
shortly thereafter. In the event that Persona *is* decommissioned, we will
provide *at least* 9 months of notice, so there are no actions that need to
be taken right now. Persona continues to be monitored and supported, though
there is still no new feature development.
Thanks for the update.

Looking on the bright side, identity in the cloud is quite a saturated
market.

I hope Mozilla can once again champion "Identity in the browser", which no
one has yet been able to tackle. Perhaps with new tools such as the Web
Crypto API and WebID, it could be a great opportunity to reboot the idea,
in a disruptive way.

I'm always inspired by a previous idea, that I consider the "holy grail" of
identity concepts

http://www.azarask.in/blog/post/identity-in-the-browser-firefox/

I think people would flock to such a concept, if Mozilla was behind it.