On Wed, Oct 17, 2012 at 1:32 AM, Tim Niblett <[email protected]> wrote:
> Jon,
>
> We're talking about identity, which is pretty catastrophic if it's wrong, so
> I'm operating with an abundance of caution.
>
> I love the idea of Persona, but don't know much about it, so please fill me
> in if you have answers to my questions/concerns.

I'm the other half of Voost - answers inline:

> Persona has only just gone into beta, and is under active development.  I
> know Google has stretched our ideas of using Beta software in production,
> but still...

There are really two "halves" of Persona - the user-facing login
system, and the primary IdP system.  The primary IdP system just went
live, but the user-facing login system has been live with Mozilla's
secondary (email verification) IdP for over a year.  We've been using
it most of that time.  It's solid.

> Persona is distributed, but there aren't any (major) IdPs signed up yet.
> What happens if no-one signs up? Do I have to worry about the service just
> stopping in a couple of years?

Even if no primary IdPs sign up, the secondary (email verification)
backup IdP is a better experience than almost every username/password
system in existence.  So even the worst case scenario is still pretty
good.  However, Mozilla is working on a proxy IdP called "BigTent"
which will leverage the OpenID mechanisms of Gmail, Yahoo, and
Hotmail.  So those users will still get a seamless experience, even if
the three never officially become primary IdPs for Persona.  That
covers something like 90% of all users.

What happens if Persona goes away?  Persona logins are keyed by email
address.  Removing Persona from your system is fairly trivial - add a
conventional email/pw/forgot login form, assign random passwords to
all your users, and give them a note letting them know of the change.

> I use 2-factor authentication on my Google account.  How will this work?

If Google adds primary IdP support, they control the login process.
Even if they don't, BigTent will run the user through the standard
OpenID Google auth process.  Currently (with the backup IdP) it
requires an email roundtrip. So 2-factor auth is accounted for.

> In my tests Persona can be pretty slow.  What are Mozilla doing about
> provisioning, load spikes, etc?

I suspect the slow part ("We're sorry, this is taking a loooong time")
is the public key cryptography being run in JavaScript on the client.
They're balancing the need for sufficiently strong encryption with the
need for something that runs fast enough in JavaScript on crappy
hardware.  After the first login to a new site I don't find this to be
an issue.  Also:  The protocol is designed to be implemented natively
in the browser, so the JavaScript shim is just a bootstrapping tool.
When browser support becomes ubiquitous (Firefox support is coming
soon) speed will not be an issue.

FWIW, there is much talk of performance on the identity-dev mailing
list.  If you have questions, it's a good place to ask.  I know they
have significant server capacity and have put a lot of thought into
reliability and operational processes.

> I've had some issues with the popup being suppressed sometimes on iOS.
> Don't know why, but it's a no-no if users can't log in. Also, it's easy to
> spoof the popup, as it has a weird address in the address bar anyway.

If you see issues on iOS, please report them as bugs.  I have not
heard reports from iOS users about not being able to log in, and we
have many such users.

I also don't know what you mean about the weird address.  The popup
address in the URL bar is https://login.persona.org/sign_in.

> During my (very limited) testing I used 2 Google Accounts.  Could easily be
> 2 users of the one machine.  When a session expired I'd log in to account A
> with a password, and after logging off and in again account B was available
> _without_ a password which I didn't like.  Not that this is any worse than
> other providers, we've had nasty incidents with Google login cookies.

Persona is fairly particular about "Is this a shared machine?"
Inherent in the distributed nature is the fact that the primary IdP is
not consulted every time a user logs in; this would leak information
to the primary IdP.  Right now when you use Facebook auth on a site,
Facebook knows that you logged into that site.  This is a major
privacy issue that Persona addresses.

> If you use Facebook as identity provider (or Google to a lesser extent) you
> get told about failed login attempts and other stats to help protect your
> account.  Does/will Persona offer such facilities?  Will the IdPs be able to?

I believe you are confusing the IdP with the account owner.  Facebook
notifies the _account owner_ about failed logins, but not the relying
party.  There's no reason why primary IdPs could not continue to
notify account owners of hack attempts - although you won't know what
specific site is being attacked, because primary IdPs don't get that
information (an information leak).  But it's pretty irrelevant - if
your email password is being attacked, the solution is to make sure
your email password is strong.

Jeff
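
Added example (not part of the original message, and not Voost's or Mozilla's code): a sketch of the fallback described above, where accounts keyed by email address each get a random password for a conventional login form. The storage layout, the PBKDF2 work factor, the lower-casing of addresses and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumption: work factor picked for this sketch
DUMMY_SALT = b"\x00" * 16    # used only to equalise work for unknown addresses


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def migrate_users(emails):
    """Give every Persona-keyed account a random password.

    Returns (store, notices): store keeps only salt + hash per address;
    notices maps address -> the one-time plaintext for the note to the user.
    """
    store, notices = {}, {}
    for email in emails:
        key = email.strip().lower()  # assumption: addresses compared case-insensitively
        if key in store:
            continue  # same mailbox listed twice; keep the first credential
        password = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        salt = secrets.token_bytes(16)
        store[key] = {"salt": salt, "hash": hash_password(password, salt),
                      "must_change": True}  # force a reset at first login
        notices[key] = password
    return store, notices


def verify_login(store, email: str, password: str) -> bool:
    record = store.get(email.strip().lower())
    if record is None:
        hash_password(password, DUMMY_SALT)  # same cost as a real check
        return False
    return hmac.compare_digest(record["hash"], hash_password(password, record["salt"]))


# Constructed sample accounts (not from the original message).
SAMPLE_EMAILS = ["alice@example.test", "Bob@Example.test", "bob@example.test"]

if __name__ == "__main__":
    store, notices = migrate_users(SAMPLE_EMAILS)
    for address in notices:
        print(f"queue note for {address}: temporary password issued")
```

The plaintext in `notices` exists only long enough to send the note; the `must_change` flag lets the login form route the user through the "forgot password" flow on first use.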
