Identity/Persona AAR

From MozillaWiki

Here's a summary of what we got right and what we could have done better with Persona, distilled from a lot of different conversations with people inside and outside of the core team.

What did Persona get right?

  • We built a simple solution that developers love.
  • Users and developers trust Mozilla and want us to fix identity on the web.
  • The demand for "solving the password problem" is increasing with every high-profile password leak and every advance in password-cracking tech.
  • As the 2013 Snowden revelations have shown, decentralized and privacy-respecting technologies are badly needed.

Why did Persona fail to gain wide adoption?

  • We were in a three-way cold-start between users, providers, and websites. More info on Hacker News.
  • We started building a whole identity stack but it's really hard to do things in a decentralized way.
  • We experimented outside of Firefox and could not leverage the Fx user base or Mozilla's marketing / evangelism resources.
  • We offered an easy and secure solution but large sites that have enough resources to allocate to their login experience don't care.
  • We made Persona a user-visible brand but that competed with a site's own brand.
  • We looked at Facebook Connect as our main competitor, but we can't offer the same incentives (access to user data).
  • We built complex features (session management) that our users did not want, and which made Persona difficult to use or understand.

What did we learn?

  • Persona should be pared down to its core: a decentralized email verification and login API for the web. No more session management, no attribute exchange.
  • Persona should be built natively into Firefox, Fennec and Firefox OS to make the JavaScript shim unnecessary on these platforms. The base functionality should be cross-browser, but the experience should be optimized for the native platforms.
  • Sites should control most of the user flow and Persona should be almost invisible to users.
  • Sites should be able to offer these benefits to their users with a native UA implementation: better UX, reduced login friction and phishing protection.