Mozilla goal is half of Internet on Persona ID by year end


Summary: Mozilla is planning on its federated and distributed authentication idea catching fire now that it has bridged a major gap.

TOPICS: Security, Browser

Later this year, Mozilla plans to have its browser-based identity infrastructure available to half of the worldwide Internet user population.

Mozilla released Beta 2 of Persona, formerly known as BrowserID, this week, including a new feature called Identity Bridge that integrates Persona with emerging identity protocols OAuth and OpenID. Mozilla did not announce support for the newer OpenID Connect.

As part of Beta 2, Mozilla announced it would support Persona-based authentication using email addresses. Introduced in July 2011, Persona is a browser-based decentralized authentication system that supports the use of email addresses as an authentication credential. It's designed to replace username and password log-ins along with identity architectures that require third-party ID providers to issue credentials.

The Yahoo integration point is Identity Bridge, an open source server developed by Mozilla that speaks the Persona IdP protocol on one side and OpenID or OAuth on the other.

The server, developed under the code name Big Tent, links Persona and users, allowing them to log on with their Yahoo email address without having to surrender any access to their account. That is different from social networking logins, such as those through Facebook and Twitter, which can expose portions of the user's data to the service even though all the end user wants is authentication.

Mozilla says other major email providers will be on board in the coming months, exposing Mozilla Persona to half of all worldwide Internet users.

"This means a user who’s never used a site before, and never used Persona before, can log in in seconds," said Lloyd Hilaiel, the technical lead for Mozilla Persona, in a Q&A on the Mozilla Web site.

The Persona infrastructure has suffered thus far from lack of support by email providers, who act as identity providers (IdP) — those who validate email addresses as part of the authentication process.

Mozilla has already solved Persona's other major issue, multi-language, and now supports 30 languages.

But Mozilla has changed its tack with the Identity Bridge, allowing email providers to leverage their support for OpenID and OAuth, two identity protocols in use today by providers such as Yahoo and Google. The previous model required email providers to adopt the Persona IdP protocol.

Eventually, Mozilla plans to extract itself from Persona's authentication flow, which happens under the covers, including cryptographic keys that are passed among the website, the browser and a verification service to validate identity.

"Once we are successful, Mozilla itself will not actually be running a centralized service," said Hilaiel. "Browser vendors will build the client pieces, websites and email providers the server bits, and Mozilla will be almost completely out of the sign-in transaction." Completely, Hilaiel noted, because all flavors of Firefox browsers will have a native implementation of Persona which is the client component of sign-in.

Mozilla also plans to integrate Persona into Firefox OS, the new Mozilla mobile OS set for release this summer. It also will be added to desktop Firefox.

"In the coming months, we’re planning for improved browser support, interaction refinements, and performance improvements that I think are really going to tip the scales," said Hilaiel.



John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.



  • I love Mozilla

    Thank you thank you thank you for repeatedly solving the Internet's problems. No more "by signing in you agree to provide access to Contacts, Timeline, Calendar..."
    x I'm tc
  • The goal is too ambitious

    Mozilla will not even achieve 1%, let alone 50%. This sensational figure is clearly a PR stunt designed to keep Mozilla in the headlines, and certain people predictably fall for it.

    Mozilla is essentially a wholly-owned subsidiary of Google, Inc.
    Tim Acheson
    • Once again, you post from ignorance

      Did you even bother to research the claims, or the tech behind them?!? A significant portion of the world uses a limited number of e-mail providers. Between GMail (~450M), MS (~400M) and Yahoo (over 300M), over a billion people use or have access to the necessary credentials. As such, even with Yahoo alone, they are well over your misinformed 1% mark. If Google (who you ridiculously claim owns Yahoo, citation?) came on board, that gets them to almost 10% of the internet, right there!
    • Please Read and Process the Material

      The 50% claim is not one of Persona usage, but about bridging. The new Identity Bridging allows a user to be verified without having to check their email to click on a link. Your email provider will simply ask if you want to allow the site to know your email. Assuming you're already logged into your email account, no login/password is necessary.
      Essentially the number of email providers who support this feature covers half the internet population. (I imagine a healthy majority of email accounts from those in the US and western world would be covered by this.)
      Persona was very easy to use before, now it should be brain-dead simple for many.
  • misleading headline

    The headline says "on" while the first sentence says "available to". Big difference in meaning there. I can throw up a web page in a few seconds and technically it's available to the entire Internet.
  • Totally Useless

    This will not stop someone from creating an account on [let's say] Yahoo with a fake name, address, etc.
    Unfortunately there is no real way to prove a person is a person unless there is some government involvement. I created a digital certificate for signing Acrobat documents and Outlook messages. Never asked any proof that I am who I am. I could have used the name Jesus Christ or Moses [last name?] and the site would have taken it.
    As for Mozilla having it available is different from actual usage.
    • No it's not.

      I don't think you understand the purpose. It isn't to personally identify you for legal reasons.

      It's so that you don't have to create and manage passwords and logins for every site out there that requires something like that to identify you as a user.

      Users re-using their emails and passwords in multiple sites is a common thing, and one of the most dangerous practices a user can do. If widespread, this reduces that vulnerability and attack/hack vector significantly.
  • Kudos and BRAVO to Mozilla!!!

    This is the kind of innovation the world needs.
  • Just a persona no real identity

    At least they did call it an appropriate name, Persona does really make it clear that it is not managing a real identity. No really easy solution to that one, and generally the internet wants their identity to be anon.

    So this entire product is essentially just to decentralize auth? I do not see how this is different from the existing solutions. It still ties back to a big company from whom one registered their email account with.