Open letter to Mozilla: Bring back Persona

What do we want? Mozilla Persona. When do we want it? None of your business!

It was on the news this mroing, Mozilla will stop developing FirefoxOS phones, and the top Hacker News comment really resonated with me. Sure, IoT is the future, and it would be great if we had more nifty stuff there (shameless IoT privacy plug), but these headlines make the bad taste that I’ve had in my mouth ever since Mozilla shuttered Persona stronger, and I can’t stay silent any more.

What Persona was

For those of you who don’t know, Persona was a private, decentralized authentication protocol that Mozilla developed. It’s pretty much those “Log in with Facebook” buttons that you see on some sites, except that, instead of Facebook, you just log in with your email provider. So, if you enter a Gmail address, you’ll be redirected to Gmail and be asked to allow the site to see your address, and you’ll be logged in, without Gmail ever knowing which sites you are logging in to.

Put all your eggs in one basket and stick the basket in Fort Knox.

This means that you’ll ever only have one password for all websites and applications. Many people point to this as a flaw, as someone with access to your email account can log in to any site you have an account on, but they miss the fact that that’s the case today. Anyone with access to your email account can simply reset any password on any site. The right solution is to make your email account very, very secure. As security people like to say, “put all your eggs in one basket and stick the basket in Fort Knox”.

Persona was (and still is) a great idea all around, and I would like to officially (that’s right, it’s official) urge Mozilla to reconsider its stance on shuttering Persona, because reasons. Reasons will be explained after a brief retrospective:

Continue reading…