Firefox accounts and Persona
ckarlof at mozilla.com
Wed Oct 9 16:03:50 PDT 2013
On Oct 9, 2013, at 3:49 PM, Rubén Martín <nukeador at mozilla-hispano.org> wrote:
> On 09/10/13 23:36, Chris Karlof wrote:
>> There are several motivations for this, but one is that we are designing services that store encrypted user data by default. The default option is that the encryption key will be derived from the user's password. If a user doesn't have a password with us, managing the encryption key is trickier. We have something called "pairing" in current Firefox Sync, but it has several UI issues with its current implementation, and it's not clear how to fix them. Another option is for us to store the encryption key, which has privacy concerns.
>> This is a tricky problem with lots of tradeoffs, and we're continuing to work towards a solution that's best for our users.
> I get the tricky point of needing something to encrypt data; in the end a password/passphrase has to be provided to do the process.
> Persona can still be used to verify the email provided and then ask for a passphrase to encrypt data, so the workflow could be something like:
> Click on Log in to Firefox Accounts.
> Persona dialog → Verification → OK.
> Enter the passphrase to encrypt your data.
Your suggestion is reasonable and is something we've discussed.
What is the second login experience? In particular, would you require the Persona dialog/Verification step? If so, why? You already set up a password to encrypt your data, so why not use the password to authenticate as well? Requiring password + Persona every time is a worse experience, IMO, and adds little value for subsequent logins.
You might argue that you could use Persona only (skip the password) to authenticate to FxA for when encryption isn't needed. This is a valid point. But we have a password for the user. So why not just use that? It's more consistent.
Account creation: Verify email via Persona, choose password.
Account login: Enter password.
> Rubén Martín [Nukeador]
> Mozilla Reps Mentor
> Sync-dev mailing list
> Sync-dev at mozilla.org