Mozilla's Persona Web Authentication System Moves into Beta

ID THREATPOST:09312C4B39B9333090C19CC1C569F5C4
Type threatpost
Reporter Michael Mimoso
Modified 2013-04-17T16:31:27


Mozilla is trying to deal a two-fisted blow to the continued use of passwords as an online authenticator, as well as to the practice of using social media username-password combinations as a persistent login on other sites. Its Persona project has moved into its first beta release, promising developers and website users a better and more private authentication experience.

Persona, when integrated into a website, eliminates the need for users to re-enter passwords; a one-time email address is the only authenticator required after an identity is registered.

According to the Mozilla developer site, instead of requiring a password, the user’s browser will generate a cryptographic identity assertion that lasts only a few minutes and works only for one site. This eliminates the need for sites to store passwords, and with it the risk of losing them to an attacker.

“The browser obtains credentials from the user’s email provider, and then turns around and presents those credentials to a website. The email provider can’t track the user, but websites can still be confident in the user’s identity by cryptographically verifying the credentials,” the developer site said. “Most other systems, even distributed ones like OpenID, require that the sites ‘phone home’ before allowing a user to log in.”
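The flow described above, as an added example that is not from the article or from Mozilla's code: a simplified model showing why a site can verify a login locally, and why a captured assertion fails on another site or a few minutes later. Ed25519 signatures, the JSON layout, the lifetimes and all function names are assumptions for illustration, not Persona's actual format.

```javascript
// Simplified model of a short-lived, single-site identity assertion.
// Assumptions: Ed25519, JSON payloads, hypothetical function names.
const crypto = require('crypto');

const signObj = (obj, privateKey) => {
  const payload = Buffer.from(JSON.stringify(obj));
  return { payload: payload.toString('base64'),
           sig: crypto.sign(null, payload, privateKey).toString('base64') };
};
const openSigned = (signed, publicKey) => {
  const payload = Buffer.from(signed.payload, 'base64');
  const sig = Buffer.from(signed.sig, 'base64');
  return crypto.verify(null, payload, publicKey, sig) ? JSON.parse(payload.toString()) : null;
};

// Email provider: certifies that `email` controls the browser-held public key.
function issueCertificate(providerKey, email, userPublicKey, now) {
  const userKey = userPublicKey.export({ type: 'spki', format: 'pem' });
  return signObj({ email, userKey, exp: now + 3600 }, providerKey);
}
// Browser: binds the certificate to one site (audience) for two minutes.
function makeAssertion(userKey, cert, audience, now) {
  return { cert, assertion: signObj({ aud: audience, exp: now + 120 }, userKey) };
}
// Website: verifies with only the provider's public key, no call to the provider.
function verifyLogin(bundle, providerPublicKey, myOrigin, now) {
  const cert = openSigned(bundle.cert, providerPublicKey);
  if (!cert || cert.exp < now) return { ok: false, reason: 'bad certificate' };
  const a = openSigned(bundle.assertion, crypto.createPublicKey(cert.userKey));
  if (!a) return { ok: false, reason: 'bad signature' };
  if (a.aud !== myOrigin) return { ok: false, reason: 'wrong audience' };
  if (a.exp < now) return { ok: false, reason: 'expired' };
  return { ok: true, email: cert.email };
}

// Constructed demo: one valid login, one replay at another site, one late replay.
function demo() {
  const provider = crypto.generateKeyPairSync('ed25519');
  const user = crypto.generateKeyPairSync('ed25519');
  const t0 = 1366000000; // constructed timestamp, seconds
  const cert = issueCertificate(provider.privateKey, 'alice@example.org', user.publicKey, t0);
  const bundle = makeAssertion(user.privateKey, cert, 'https://shop.example', t0);
  return {
    good: verifyLogin(bundle, provider.publicKey, 'https://shop.example', t0 + 30),
    replayElsewhere: verifyLogin(bundle, provider.publicKey, 'https://other.example', t0 + 30),
    late: verifyLogin(bundle, provider.publicKey, 'https://shop.example', t0 + 600),
  };
}
```

The audience and expiry checks are what make a stolen assertion worthless elsewhere; a relying party that skips either one accepts replays.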

Since Persona was introduced in July 2011 as BrowserID, Mozilla has overhauled the API developers use to integrate it into sites and has enhanced first-time sign-ups to simplify the process for users.

“Our goal is simple: We want to eliminate passwords on the Web,” Mozilla’s Ben Adida wrote in a blog post. Adida leads Mozilla’s identity efforts.

Adida said Persona Beta 1 supports all desktop and mobile browsers and can be deployed quickly, sometimes in as little as 15 minutes.

“When you deploy Persona on your website, you’re showing respect for your users and their data,” he wrote. “You’re only asking for the data needed to log them in and users know they’re only sharing exactly what’s shown on the screen.”

Persona, Mozilla said, gives users the option of not using Facebook, Twitter and other social media log-ins as authenticators, and so of not being subject to the website tracking and other privacy implications of doing so. “[Persona] is also designed with the Mozilla values in mind,” Adida said.