Firefox accounts and Persona

Chris Karlof ckarlof at mozilla.com
Wed Oct 9 14:36:08 PDT 2013


On Oct 9, 2013, at 4:34 AM, Rubén Martín <nukeador at mozilla-hispano.org> wrote:

> From a user point of view, I don't want to create more accounts, the point of Persona was to avoid this and have to remember just one password, so I expected to log in to my Firefox Account using my Persona account.

If you view a "Persona account" as something that requires email verification and a new password with Mozilla, it indeed might be confusing and frustrating that a Firefox Account would require email verification and a new password as well. 

The problem is that Persona is not *supposed* to require a new password. If your email address is backed by a Persona IdP, you use the password you already have with that IdP when authenticating with Persona. Unfortunately, there aren't any Persona IdPs of significant size. We have two things to address that: 1) Persona bridges and 2) the Persona fallback.

The Persona bridges make Gmail and Yahoo look like they support Persona, by bridging Persona to their OpenID endpoints.  

The Persona fallback is invoked when your (non-Gmail and non-Yahoo) email address is not backed by an IdP, which is just about every email address. The Persona fallback requires you to verify your email via a link and create a password, which suggests you are creating a "Persona account". This is a valid point of view. But confusing, IMO, and hopefully not the long-term future of Persona.

So why do we want you to create a new password for a Firefox Account? 

There are several motivations for this, but one is that we are designing services that store encrypted user data by default. The default option is that the encryption key will be derived from the user's password. If a user doesn't have a password with us, managing the encryption key is trickier. We have something called "pairing" in current Firefox Sync, but it has several UI issues with its current implementation, and it's not clear how to fix them. Another option is for us to store the encryption key, which has privacy concerns. 

This is a tricky problem with lots of tradeoffs, and we're continuing to work towards a solution that's best for our users. 

-chris



> Regards.
> -- 
> Rubén Martín (Nukeador)
> Mozilla Reps Mentor
> http://mozilla-hispano.org
> http://twitter.com/mozilla_hispano
> http://facebook.com/mozillahispano
