Security Watch

Keeping track of patches and hacks in the IT security world.

Mozilla Gives Up on Persona Single Sign-On, for Now

Mozilla fails to execute on its own vision for enabling more secure user authentication to online services.

Mozilla quietly announced in a blog post March 7 that it is no longer putting full-time developers to work on the Persona Web-authentication system. In my opinion, that's a real shame and a tragic failure for Mozilla and its efforts to help build a more open and secure Internet.

I first wrote about Persona when it was known as BrowserID (which I still think is a better name). Mozilla started talking about BrowserID in 2011 as a technology that could enable users to securely log into Web services with just a verified email address. That verified email address would be securely authenticated and stored within the browser.

In 2012, Mozilla renamed BrowserID as Persona, displacing Mozilla's theme technology, which had previously been known as Personas.

Persona has always seemed like a good idea to me, but apparently Mozilla is no longer willing to invest in it beyond a bare-bones maintenance level.

"For a variety of reasons, Persona has received less adoption than we were hoping for by this point," Mozilla stated in its blog post. "However, we do still believe that Persona offers a unique and useful alternative to passwords, and we intend to support it as such."

As an open-source effort, Persona can be picked up by anyone, but without Mozilla pushing it forward, I doubt its adoption will enjoy much success.

Things have changed in Mozilla's world since 2011, when the company first proposed the idea. Among the big changes are the Firefox OS effort and the Firefox cloud services account model, which is where Mozilla is now retasking the staff members who were previously working on Persona. The ability to synchronize data between desktop and mobile versions of Firefox is something that the Firefox Sync technology provides. Firefox Sync now has its own account system called Firefox Accounts within Mozilla's cloud services efforts.

Mozilla notes in its blog post that "it's possible that Firefox Accounts will use Persona for email verification in the future."

So what does that mean for the future of Web security? To me it means that, for better or for worse, the browser itself is not the control point for authenticated access, even though it really should be.

While open-source projects never really die, it is truly unfortunate that Mozilla, with all the millions of dollars it makes, did not have the wherewithal to see BrowserID/Persona through to its logical conclusion.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.