On November 30th, 2016, Mozilla shut down the persona.org services. Persona.org and related domains will soon be taken offline.
For more information, see this guide to migrating your site away from Persona:
Persona is a complete implementation of a new, distributed login system from Mozilla.
BrowserID is the open protocol that governs how Persona works.
As an analogy: Persona allows users to log into sites by implementing BrowserID. Similarly, Firefox allows users to browse the web by implementing HTTP.
Persona and OpenID have very similar goals and a similar architecture. Both systems reduce the number of passwords that a user needs, and both are designed to be decentralized. This means that any domain can present itself as an Identity Provider without relying on a central authority.
Despite these similarities, Persona is easier to use and easier to add to websites. Persona also does a better job of protecting user privacy. Specifically:
- Persona is easier for users
- Persona identifies users based on email addresses, which users already know, understand, and naturally associate with online identities. With OpenID, users are forced to learn a new username: an unintuitive URL.
- Logging in with Persona is also easier: it just takes 2 clicks after a one-time setup process.
- Persona is easier for developers
- Persona has a
simple APIthat only takes an afternoon to get started with.
- Persona identities are email addresses, so websites don't have to ask users for additional contact information during signup.
- Because users know and understand their email address, developers don't have to build complex pages with login buttons for all the popular OpenID providers.
- Persona better protects user privacy
- By design, OpenID allows Identity Providers to track their users around the web: whenever a user logs into a website, their browser gets redirected from that site to the user's Identity Provider, and then back to the site that the user requested. These redirects fully expose to the Identity Provider where the user is going.
- In contrast, the BrowserID protocol never leaks tracking information back to the Identity Provider. Rather, it behaves similarly to an ID card: users obtain signed credentials from their Identity Providers which can be presented to websites as a proof of identity. Websites can check the validity of these credentials without ever revealing a user's identity to their identity provider.
No, Persona only guarantees the user's association with an address. As with any email address in any login system, it's possible that the address no longer works or is not regularly checked by the user. For most users, the email address will be functional.
Persona asks the address's domain, which is free to verify its users in any way it chooses. If a domain is not a native Identity Provider, and thus can't verify its own users, the browser asks for verification from Persona's fallback Identity Provider at https://login.persona.org. Before certifying a user's identity, the fallback Identity Provider does test the address by sending an email to it and asking the user to click a link contained within.
The best way to do this is to allow your users to add a secondary email address to their account. See "Adding extra email addresses with Persona".
The code in
include.js is still subject to change. It's not yet recommended that you host it yourself.
To ensure user privacy, it's important that identity assertions are verified locally rather than with the remote verification service. However, the format of assertions is still subject to change, so local verification is not yet recommended. Even with remote verification, Persona protects the user from tracking by their identity provider.
Once the protocol has stabilized, libraries will be available to simplify local verification. Follow the Identity Blog to find out when local verification is recommended.
Despite Persona's benefits, it's never easy to move all of your users to a new login system. Conveniently, Persona's focus on email addresses makes it easy to use alongside existing login systems, so you don't have to switch all at once.
One particularly low-friction approach is to suggest Persona to users who forget their password. Instead of resetting passwords, users can simply log in with Persona.