Mozilla Foundation puts password killer into first beta

Mozilla Foundation puts password killer into first beta

Summary: Persona is an open authentication system that uses email providers to validate that a user is who they say they are.


With an eye toward killing passwords, the Mozilla Foundation has released the first public beta of its year-old open authentication system.

Persona, formerly known as BrowserID, lets users sign-on once and visit any Persona-compliant  website. The software is an alternative to OpenID, an open authentication protocol that is being replaced by a new version called OpenID Connect.

Persona, which works with all major browsers found on smartphones, tablets and desktops, is highlighted by the new name, but, more important, the introduction of the new Observer API that adds more features, including global log-out from any device.

In addition, Observer allows websites to display their name and logo in the log-in box and to streamline log-in for first-time users.

Observer replaces the old JavaScript API, which won’t be deprecated. Going forward, however, Observer will be the recommended API.

What’s still missing, however, is support from email providers, such as enterprises, ISPs, universities or other institutions.

Those entities are the identity providers (IdPs) in the Persona model  since they have already validated their users and given them what amounts to a unique user name - their email address.

Persona works by passing cryptographic keys among the website, the browser and a validation service (IdP) to confirm identity.

Today, the only validation service is run by the Foundation at To build an authentic decentralized identity system, the Foundation needs a collection of independent IdPs to start signing up and validating user identities.

Persona is gaining support in other areas, including from LoginRadius, Mahara, Koha and the Eclipse Foundation. OmniAuth offers a Persona module.

Persona is the first of many planned betas that will continue to add features, according to the Foundation.

See also:

Topics: Browser, Networking, Open Source, Security


John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Spell check?

    "complaint Persona website" must mean "compliant Persona website"
    • Thanks for the edit

      Got it fixed.
  • Mozilla Foundation puts password killer into first beta

    Will be interesting to see the direction of this project.
  • Thanks for mentioning & little bit more about LoginRadius

    Thanks for mentioning LoginRadius, John!

    We are partner with Persona and have integrate it on our SaaS (Software as a Service) that enables social infrastructure on web applications. Since our partnership, our customers have shown great interest in Persona and over 2000 websites have integrated it as a login option for their users.

    Just so your readers know, LoginRadius has simplified Persona integration by adding it to 11 of its social plugins for WordPress, Joomla, Drupal, osCommerce, PrestaShop, Magento, X-cart, Vanilla Forum, DotNetNuke etc. This helps website owners to add Persona along with social logins like Facebook, Google, Twitter etc without any programming skills! Lear more about Persona - LoginRadius integration here -
  • This is old wine in new bottle.

    It does not offer any security. In fact if someone hacks your email account and resets the BrowserID password, everything is compromised.

    I have been working myself on a password less solution for the last 5 years. However, as I do not have the tech muscle power of either mozilla or google, it has been next to impossible to market it.

    Those who are seriously interested in a single sign on without compromising security, you can visit 0pass dot com and enterprises who wish to deploy this technology for their online apps can visit devauth dot com.
  • firefox

    good by you are opening and letting hackers get our info if you put password killer beta in the firefox mail so kiss me useing you stuff any more i am dealing with id thief and to me you are helping them more now
    • Missed the point

      I think you are missing the point. Sites (like this one) already use email to regrister users.

      If an attacker has your email, they can reset already reset the password for this site, or your facebook, or whatever...

      Right now you either have a different login for each site or allow a service providor (like google or facebook) track your different accounts all across the web. This allows you to have the one login to all websites but with your browser itself mediating the excahnge between your email providor and the site. Thus privacy!

      Security comes from the fact that your true credentials are not transmitted to each site, so if the site gets hacked, you dont lose all your info (like the same password resued for every random site as so many do).

      But if you lose your email password then you are still compromised just like now. Still there are advantages. If you only need one password, you are more likely to change it often. Also, since your email would not have a record of ever website regristration, an attacker in your email account couldn't easily determine which sites you have an account on.
  • Uh huh...

    Not even your own website supports it for feedback/opinions. If you don't use them, why should anyone else? All anyone needs is a good private password manager. People are being lazy and using the same password for every website and every service which is why when an account gets hacked it leads to other accounts and additional misfortune. At the end of the day, all these "open" standards are rehashed ideas and not very secure.
  • Sadly, I don't think it'll catch on.

    Good idea - I'd love to have it.

    But who will adopt it?

    Until EVERY major web browser (INCLUDING IE) and major websites adopt it - honestly, it's DOA.

    Also, if it's dependent on email providers - it's also DOA. You have to deal with big email providers like Google and Microsoft, you have to deal with lots of ISPs, and lastly you have to deal with the occasional guy running an email server in his garage. Good luck with that.
  • Since when have email providers validated their users?

    Enterprises and universities yes. ISP's yes. Email providers, big fat no. Anyone can get a gmail address without google knowing anything about them or any of their other emails.
    Johnny Vegas
  • hell no

    if you do i will sue you because i use foirefox and am dealing with id theif and will not use your new firefox i will find some thing else to use amd not ie
  • While people will hate this.....

    I think the only real way to verify that a user is actually that user is for some type of government controlled ID system.
    Most people access their government related accounts [i.e. taxes, more taxes, ...]. So somewhere in there you are already authenticated.
    Once there you can request an account like OpenID or Persona or others. At least if you go tgo a site, people will know you have a real account somewhere instead of creating one of these free accounts that have no way of verifying who you truly are.
    Right now I could create an account under Obama, Mitney, Gretzky, [Michael] Jordan, etc. I think most will figure I'm not the real one. But what about someone less known.
    As mentioned, I'm on OpenID. I also use Facebook [limitedly] which allows me to access various other sites.
    On one site I've seen so much spam from Yahoo and Gmail users because Yahoo and Google doesn't really verify who you are. Facebook doesn't do much either but it would be longer to create an account just to spam.