Mozilla Persona

Developer(s): Mozilla Foundation
Initial release: July 2011
Written in: JavaScript
Operating system: Cross-platform
Available in: 51 languages
Type: Authorization
License: MPL
Website: developer.mozilla.org/en-US/Persona

Mozilla Persona was a decentralized authentication system for the web, based on the open BrowserID protocol [1] prototyped by Mozilla [2] and standardized by IETF. [3] It was launched in July 2011, but after failing to achieve traction, Mozilla announced in January 2016 plans to decommission the service by the end of the year. [4]

History and motivations

Persona was launched in July 2011 [5] and shared some of its goals with similar authentication systems such as OpenID or Facebook Connect, but it differed in several ways:

  1. It used email addresses as identifiers.
  2. It was more focused on privacy.
  3. It was intended to be fully integrated in the browser (relying heavily on JavaScript).

The privacy goal followed from the design: the identity provider does not learn which website the user is authenticating to. [6] Persona was first released in July 2011 and fully deployed by Mozilla on its own websites in January 2012. [7]

In March 2014, Mozilla indicated it was dropping full-time developers from Persona and moving the project to community ownership. Mozilla indicated, however, that it had no plans to decommission Persona and would maintain some level of involvement such as in maintenance and reviewing pull requests. [8]

Persona services have been shut down since November 30, 2016. [9]

Principles and implementation

Persona was inspired by the VerifiedEmailProtocol, [10] [11] which is now known as the BrowserID protocol. [12] It uses the user's own email address (any address) as the identifier of its owner. The protocol involves three parties: the browser, an identity provider, and any compliant website.

The browser, the provider and the website

The browser stores a list of the user's verified email addresses (as certificates issued by identity providers) and demonstrates the user's ownership of an address to the website with a cryptographic proof. [13]

The certificates must be renewed every 24 hours by logging into the identity provider (which usually means entering the email address and a password in a web form on the identity provider's site). Once renewed, they can be used to authenticate to websites from the same browser for the rest of the day without entering a password again (single sign-on). [14]

The protocol's decentralization lies in its theoretical support for any identity provider service; in practice it relied mainly on Mozilla's servers (which could in turn delegate email address verification, see identity bridging below). However, even though the protocol relied heavily on a central identity provider, that central actor only learns when browsers renew certificates and cannot, in principle, observe where the certificates are used.

Identity bridging

Mozilla announced "identity bridging" support for Persona in July 2013. As they describe on their blog:

"Traditionally ... Mozilla would send you an email and ask you to click on the confirmation link it contained. With Identity Bridging, Persona learned a new trick; instead of sending confirmation emails, Persona can ask you to verify your identity via your email provider’s existing OpenID or OAuth gateway." [15]

This announcement included support for existing users of the Yahoo Mail service. In August 2013, Mozilla announced support for Identity Bridging with all Gmail accounts. They wrote in this additional announcement that "combined with our Identity Bridge for Yahoo, Persona now natively supports more than 700,000,000 active email users. That covers roughly 60–80% of people on most North American websites." [16]

Deployment

Persona relies heavily on a JavaScript client-side program running in the user's browser, which makes it widely usable.

Authentication to web applications via Persona was supported by CMSs such as Drupal, [17] Serendipity, [18] WordPress, [19] Tiki, [20] and SPIP. There was also support for Persona on the PhoneGap [21] platform (used for compiling HTML5 apps into mobile apps). Mozilla provided its own Persona server at persona.org. [22] It was also possible to set up your own Persona identity provider, [23] providing federated identity.

Notable sites implementing Persona include Ting, [24] The Times Crossword, and Voost. [25]

References

  1. "Persona", Mozilla Developer Network (MDN), Mozilla, retrieved 2013-02-10.
  2. "Persona: Connect with Mozilla Persona, the safest & easiest way to sign in", Mozilla, archived from the original on 2013-03-08, retrieved 2013-02-10.
  3. "Javascript Object Signing and Encryption (jose)", IETF concluded WG, 2016-07-19.
  4. "Mozilla Stops Developing Its Persona Sign-In System Due To Low Adoption", TechCrunch, 2016-01-12.
  5. "Introducing BrowserID: A better way to sign in", Mozilla Identity team, Mozilla, 2011-07-14, archived from the original on 2013-01-28, retrieved 2013-02-10.
  6. Ben Adida (2011-07-15), "How BrowserID differs from OpenID", Mozilla Identity team, Mozilla, archived from the original on 2013-01-29.
  7. Leyden, John (2012-01-20), "Mozilla pushes browser-based alternative to passwords", The Register, retrieved 2013-02-10. Quote: "Give us your keys to look after, we're lovely."
  8. "Transitioning Persona to Community Ownership", Identity at Mozilla, 2014-03-07, archived from the original on 2014-03-07 and 2014-03-10, retrieved 2014-04-06.
  9. "Shutting down persona.org in November 2016".
  10. "Verified Email Protocol: Overview and Introduction", Mozilla Wiki, Mozilla, retrieved 2013-02-10.
  11. "How BrowserID Works", 2011-07-01, archived from the original on 2014-07-13, retrieved 2013-02-10.
  12. "Glossary: "Persona" vs. "BrowserID"", Mozilla Developer Network, Mozilla, 2012-11-26, retrieved 2013-02-10.
  13. Raghunathan, Ananth, "Proofs in Cryptography" (PDF), crypto.stanford.edu, retrieved 2023-09-08.
  14. Patel, Abhishek (2020-05-09), "What is Single Sign On (SSO) and How It Works?", Medium, retrieved 2023-09-21.
  15. callahad (2013-07-26), "What is an Identity Bridge?", archived from the original on 2016-01-12.
  16. "Mozilla Makes Signing in Easy for Gmail Users", 2013-08-08, archived at the Wayback Machine on 2013-08-11.
  17. "Mozilla Persona", Drupal, 2012-09-28, retrieved 2014-03-27. Quote: "Enables users to sign into a Drupal website using Mozilla Persona."
  18. "Serendipity: Backend: Usermanagement plugins", Serendipity Weblog System (a PHP-based CMS), Serendipity, retrieved 2013-02-10.
  19. "Mozilla Persona (BrowserID) Support".
  20. "Mozilla Persona".
  21. "Log into your PhoneGap apps using Mozilla Persona aka BrowserID", Couchbase, Inc., retrieved 2017-10-21. Quote: "Mozilla Persona (aka BrowserID) and PhoneGap / Cordova, together at last."
  22. "Mozilla Persona: A Better Way to Sign In", 2012-12-21, archived from the original on 2012-12-21.
  23. "Implementing a Persona IdP", retrieved 2013-03-10.
  24. "Ting implements Mozilla Persona", Ting Inc., retrieved 2013-03-13.
  25. "Mozilla Persona: About", Mozilla, archived from the original on 2013-03-08, retrieved 2013-03-13.