Mozilla Discontinues Persona Password Security Service

Two years after giving it up to be a community project, Mozilla is now shutting its Persona Web authentication operations down entirely, due to low adoption

Mozilla is finally and officially closing its Persona Web authentication system after coming to the conclusion that the technology was not being adopted.

Using and storing passwords securely has always been a challenge on the Internet. The promise of Persona was to make Web authentication easier than users needing to remember a separate login for every Website. With Persona, a verified user email that is securely stored by the browser is all that is needed to get access to a site.

The challenge is that both Websites and users needed to support and use the mechanism, which never really happened. Mozilla first started building the Persona technology under the name BrowserID in 2011. At the time, BrowserID was seen by Mozilla as a potential rival to the OAuth standard, which is now widely used by Websites to enable single-sign-on access.

Adoption

SQL-username-passwordIn 2012, Mozilla changed the name of BrowserID to Persona to help brand the technology and encourage adoption. In 2014, Mozilla decided that it would no longer put full-time developers on the project after realizing that adoption wasn’t very high. While Mozilla stopped funding full-time developer work, it still committed to paying for the underlying operational and security infrastructure that enables Persona.

Although Mozilla wasn’t directly developing the Persona technology, since the technology is all open-source, the hope was that a community would develop around Persona to push it forward, but that never happened.

“Due to low, declining usage, we are reallocating the project’s dedicated, ongoing resources and will shut down the Persona.org services that we run,” Mozilla announced on a wiki page about the Persona shutdown.

Mozilla isn’t immediately pulling the plug; it’s giving those that do rely on its Persona infrastructure until Nov. 30, 2016, before all services are finally shut down. The actual open-source code for Persona will remain open source and available on Github.

While Mozilla is walking away from Persona, it has been working on and is now using another technology called Firefox Accounts that integrates with the Firefox Web browser that enables users to synchronize activities across mobile and desktop versions of Firefox.

“Persona is designed to be a dead-simple email verification tool, while Firefox Accounts is a full-fledged, persistent account system,” the Mozilla identity Website explained. “By developing them separately, we’re able to keep each project lean and focused on its own use cases.”

Scott Petry, CEO and co-founder of security vendor Authentic8, isn’t surprised that Mozilla is shutting down Persona.

“There are a variety of federated authentication solutions available, and many are not reaching critical mass,” Petry told eWEEK. “Persona wasn’t able to cross an adoption tipping point to make it stick.”

The Security Assertion Markup Language (SAML) standard is one such authentication technology that is gaining acceptance for federated identity. However, Petry noted that adoption is partially driven by SAML’s integration with enterprise identity solutions.

“Persona wasn’t trying to establish itself as a robust federated authentication system as much as it was trying to provide a more anonymous method for individuals to be able to log in to Websites with some degree of privacy,” Petry said. “That’s a more nuanced message to the market and a much harder target market to get to adopt en masse.”

Originally published on eWeek.