Any comment on Mozilla Persona?

wkleem
Community Member

I recently visited the site and it is said to be a password replacement site like OpenID? I only need one password for all the acceptable sites that I visit. Not that I would trust it.

https://login.persona.org/about

Comments

  • khad
    1Password Alumni

    On the plus side, if you are using single sign-on (SSO) on a site where there was a password breach you would not need to change your password on that specific site. The way that SSO systems work, the site would not be storing your Persona password in any form whatsoever.

    However, SSO systems can work in a variety of ways. The way that Persona's works is reasonably secure (as long as Persona doesn't get breached), but it is also a privacy decision. By using Persona's SSO, you are telling Persona every time you log on to every other site you use with Persona's SSO. Some people may not be comfortable with that.

    In contrast, with 1Password, we are not in a position to even gather such information. We can't know what you log into when. We really know nothing about your use of 1Password, and this is deeply part of the design.

    This again highlights the contrast between 1Password and SSOs. If Persona turned evil, they could do a lot of damage. They could log you into any site or service with that "Log in with Persona" system whether you want to be or not. They could lock you out of things. With 1Password, even if we were to turn evil, there is actually very little damage we could do because you control your data, and once you have purchased 1Password, AgileBits is not "involved" in any of your use of your data that you store within your copy of 1Password.

    Now you don't have to actually be concerned about anyone "turning evil" for that distinction to matter. If someone has the capacity to do damage, they can do it by accident. If someone does not have the capacity to do damage, then they couldn't do it even by accident.

    This is part of the "principle of least authority". Systems should be designed so that they have no more authority than needed to perform their function. With (most) SSOs you are ceding enormous authority regarding your logins to a single third party. With 1Password you are not.

    I hope that helps a bit. It is great that you are thinking about these things. :)

This discussion has been closed.