The prevailing system of usernames and passwords is untenable: users are expected to create and remember a new, complex password for every site and service that they use, and every site has to store the passwords securely. However, recent breaches demonstrate that even prominent companies have lapses in password security which put their users' information at risk.
Persona is an open, distributed, web-scale identity system that replaces per-site passwords. It addresses the usability and privacy-related shortcomings of systems like OpenID without resorting to centralized infrastructure like Facebook Connect.
Persona Gets Rid of Per-Site Passwords
Instead of per-site passwords, Persona lets users log into sites with just two clicks after completing a simple, one-time process for each of their identities. This is safe, secure, and built on top of public key cryptography. Instead of a password, the user's browser generates a cryptographic "identity assertion" that expires after a few minutes and is only valid on a single site. Because there are no site-specific passwords, websites using Persona don't have to worry about securely storing or potentially losing a password database.
This quick sign in process also reduces user friction when visiting new sites.
Persona Identities are Email Addresses
Rather than freeform usernames, Persona uses email addresses as identities. This has several benefits for both users and developers:
User Benefits of Using Email Addresses
- Users already know their email addresses, in contrast to learning a new and potentially confusing URL with OpenID.
- Email addresses neatly capture the idea of someone@some-context, making it easy for users to keep their identities (such as @school) separate. This differs from the trend of identity consolidation through real-name, single-account policies on social networks like Facebook and Google+.
- Email can be self-hosted or delegated to other providers, giving users control of their identity.
Developer Benefits of Using Email Addresses
- Email addresses give developers a direct means of contacting their users.
- Most sites want an email address for their users; Persona provides this automatically when a user logs in, eliminating the need for additional post-signup forms.
- Many login systems already treat email addresses as unique keys. This means there's no lock-in with Persona, and it can be deployed alongside existing login systems.
Not to mention that email is already a fully distributed system with billions of accounts across countless providers.
How is Persona different from other Single Sign-On providers?
Persona is safe, secure, and easy. It protects user privacy, user control, and user choice in ways that other providers don't or can't.
Many social networks like Facebook and Google+ require users to use their real names, and limit users to a single account. By being built atop email addresses, Persona allows users to keep their work, home, school, and other identities separate.
Persona is open and distributed: anyone with an email address can sign in to sites using Persona. What's more, anyone can host their own Identity Provider or delegate to other authorities, just like with email. This is in contrast to social login services which require an account with a single, centralized service.
Persona also takes a novel approach to protecting user privacy by putting the user's browser in the middle of the authentication process: the browser obtains credentials from the user's email provider, and then turns around and presents those credentials to a website. The email provider can't track the user, but websites can still be confident in the user's identity by cryptographically verifying the credentials. Most other systems, even distributed ones like OpenID, require that the sites "phone home" before allowing a user to log in.
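The browser-in-the-middle flow above (a short-lived, single-site identity assertion backed by a certificate from the email provider, verified by the website without phoning home) can be made concrete with a small model. The following Go program is an added example, not Mozilla's Persona/BrowserID implementation: it uses ed25519 in place of the RSA/DSA keys and JWT-style encoding of the real protocol, assumes the website already knows each provider's public key (the real protocol fetches it from the provider's well-known document), and uses hypothetical names (IssueCertificate, CreateAssertion, VerifyAssertion). Each step is labelled with the party that performs it.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Certificate is issued by the identity provider (the user's email provider).
// It binds an email address to a public key generated in the browser, for a limited time.
type Certificate struct {
	Email  string `json:"email"`
	PubKey []byte `json:"pub"` // ed25519 public key generated by the browser
	Issuer string `json:"iss"` // domain of the issuing provider
	Exp    int64  `json:"exp"` // unix seconds
}

// SignedCertificate is the serialized certificate plus the provider's signature over it.
type SignedCertificate struct {
	Payload []byte `json:"payload"`
	Sig     []byte `json:"sig"`
}

// Assertion is created by the browser for exactly one site (the audience)
// and expires after a short time; it carries no password and is useless elsewhere.
type Assertion struct {
	Audience string `json:"aud"`
	Exp      int64  `json:"exp"`
}

// BackedAssertion is what the browser hands to the website: the assertion,
// its signature under the browser key, and the certificate vouching for that key.
type BackedAssertion struct {
	Cert    SignedCertificate `json:"cert"`
	Payload []byte            `json:"assertion"`
	Sig     []byte            `json:"sig"`
}

// IssueCertificate runs at the provider after it has authenticated the user by
// its own means (hypothetical name). The website never sees that step.
func IssueCertificate(idpPriv ed25519.PrivateKey, issuer, email string,
	browserPub ed25519.PublicKey, now time.Time, ttl time.Duration) (SignedCertificate, error) {
	payload, err := json.Marshal(Certificate{Email: email, PubKey: browserPub, Issuer: issuer, Exp: now.Add(ttl).Unix()})
	if err != nil {
		return SignedCertificate{}, err
	}
	return SignedCertificate{Payload: payload, Sig: ed25519.Sign(idpPriv, payload)}, nil
}

// CreateAssertion runs in the browser (hypothetical name): it signs a short-lived,
// site-specific assertion with the browser key and attaches the certificate.
func CreateAssertion(browserPriv ed25519.PrivateKey, cert SignedCertificate,
	audience string, now time.Time, ttl time.Duration) (BackedAssertion, error) {
	payload, err := json.Marshal(Assertion{Audience: audience, Exp: now.Add(ttl).Unix()})
	if err != nil {
		return BackedAssertion{}, err
	}
	return BackedAssertion{Cert: cert, Payload: payload, Sig: ed25519.Sign(browserPriv, payload)}, nil
}

// VerifyAssertion runs at the website (hypothetical name) and contacts nobody: it needs
// only the provider public keys it already trusts (assumed pre-known here). It checks the
// chain end to end: issuer matches the email's domain, certificate signature and expiry,
// assertion signature under the certified key, audience, and assertion expiry.
func VerifyAssertion(ba BackedAssertion, expectedAudience string,
	idpKeys map[string]ed25519.PublicKey, now time.Time) (string, error) {
	var cert Certificate
	if err := json.Unmarshal(ba.Cert.Payload, &cert); err != nil {
		return "", fmt.Errorf("bad certificate: %w", err)
	}
	at := strings.LastIndex(cert.Email, "@")
	if at < 0 || cert.Email[at+1:] != cert.Issuer {
		return "", errors.New("certificate issuer is not the email's provider")
	}
	idpPub, ok := idpKeys[cert.Issuer]
	if !ok {
		return "", errors.New("unknown identity provider")
	}
	if !ed25519.Verify(idpPub, ba.Cert.Payload, ba.Cert.Sig) {
		return "", errors.New("certificate signature invalid")
	}
	if now.Unix() >= cert.Exp {
		return "", errors.New("certificate expired")
	}
	if len(cert.PubKey) != ed25519.PublicKeySize {
		return "", errors.New("certificate carries a malformed key")
	}
	if !ed25519.Verify(ed25519.PublicKey(cert.PubKey), ba.Payload, ba.Sig) {
		return "", errors.New("assertion signature invalid")
	}
	var a Assertion
	if err := json.Unmarshal(ba.Payload, &a); err != nil {
		return "", fmt.Errorf("bad assertion: %w", err)
	}
	if a.Audience != expectedAudience {
		return "", errors.New("assertion was issued for a different site")
	}
	if now.Unix() >= a.Exp {
		return "", errors.New("assertion expired")
	}
	return cert.Email, nil
}

func main() {
	// Constructed demo: one provider (example.com), one browser key pair, one site.
	idpPub, idpPriv, _ := ed25519.GenerateKey(nil)
	browserPub, browserPriv, _ := ed25519.GenerateKey(nil)
	now := time.Now()
	cert, _ := IssueCertificate(idpPriv, "example.com", "alice@example.com", browserPub, now, time.Hour)
	ba, _ := CreateAssertion(browserPriv, cert, "https://site.example", now, 2*time.Minute)
	idps := map[string]ed25519.PublicKey{"example.com": idpPub}
	fmt.Println(VerifyAssertion(ba, "https://site.example", idps, now))  // alice@example.com <nil>
	fmt.Println(VerifyAssertion(ba, "https://other.example", idps, now)) // "" + audience error
}
```

The audience and expiry checks are what make a captured assertion worthless elsewhere: replaying it against another site fails the audience check, and replaying it later fails the expiry check. The issuer-matches-domain check is what stops one provider from vouching for addresses at another, which is the property that lets anyone run a provider without being trusted for every email address.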