Here's a summary of what we got right and what we could have done better with Persona, distilled from a lot of different conversations with people inside and outside of the core team.
What did Persona get right?
- We built a simple solution that developers love.
- Users and developers trust Mozilla and want us to fix identity on the web.
- The demand for "solving the password problem" is increasing with every high-profile password leak and advances in password-cracking tech.
- As the 2013 Snowden revelations have shown, decentralized and privacy-respecting technologies are badly needed.
Why did Persona fail to gain wide adoption?
- We were in a three-way cold-start between users, providers, and websites. More info on Hacker News.
- We set out to build a whole identity stack, but building every layer in a decentralized way is very hard.
- We experimented outside of Firefox and so could not leverage the Firefox user base or Mozilla's marketing and evangelism resources.
- We offered an easy and secure solution, but large sites, which have enough resources to invest in their own login experience, don't care.
- We made Persona a user-visible brand but that competed with a site's own brand.
- We looked at Facebook Connect as our main competitor, but we can't offer the same incentives (access to user data).
- We built complex features (such as session management) that our users, the sites, did not want, and which made Persona harder to use and understand.
What did we learn?
- Persona should be pared down to its core: a decentralized email verification and login API for the web. No more session management, no attribute exchange.
- Sites should control most of the user flow and Persona should be almost invisible to users.
- Sites should be able to offer these benefits to their users through a native user agent (browser) implementation: better UX, reduced login friction, and phishing protection.