Browser ID

With Persona, you can log into web sites using the email address of your choice. The first time you use an email, our servers send you a confirmation link. By following that link, you confirm your identity to Persona, which then vouches for your ... [More] ownership of that email address. Of course, in the long term, Persona is meant to be distributed: [email protected] should be verified and certified by the administrators of example.com. If example.com wants to use 2-digit passwords, they can. If they want to use retinal scans powered by your webcam, they can. It’s up to them. With each domain able to customize its authentication protocol with its users, the Web becomes more secure. Did you know that Persona supports this today? If you own a domain, you can claim your users without asking Mozilla. Just follow the Persona Identity Provider protocol as described in our Identity Provider Guide. You can also start with the code for eyedee.me, our example Identity Provider. Just connect this code to your user database and advertise your domain as a Persona Identity Provider. Pragmatic, Gradual Distribution We don’t expect the world to switch over to a distributed authentication protocol overnight. In fact, we expect to be running the Persona Identity Provider, which we call the Fallback, for a long time and for a lot of users. Building new distributed protocols takes time. That said, we’re not waiting around to make Persona capable of distributed authentication. For those users and domains who want it, Persona is already distributed. We think that’s pretty cool. As always, we welcome your questions and comments on our mailing list, or via the #MozillaPersona hash-tag on Twitter. [Less]

“We’re changing our privacy policy…” Does that sentence fill you with dread? Most of the time, unfortunately, it should. Too many web services change privacy policy to increase collection and use of your data. It’s often hard to keep up with these ... [More] changes. In this case, you can rest easy. We’re making the Mozilla Persona privacy policy better for users. We simply noticed that we claimed we were retaining data which, in fact, we do not retain. Specifically, we do not retain the list of sites you visit with Persona. We’re tightening the language of the privacy policy to state that explicitly. At Mozilla, we use your data only to serve you. We also work hard to minimize how much data we collect: we don’t collect data preemptively, “just in case” we need it for future features. Check out the Mozilla Privacy Principles. And since all our code is public, you can review the privacy policy patch we just committed to our public code repository. This policy should go live in the next couple of weeks. As always, we welcome your questions and comments on our mailing list, or via the #MozillaPersona hash-tag on Twitter. [Less]

“We’re changing our privacy policy…” Does that sentence fill you with dread? Most of the time, unfortunately, it should. Too many web services change privacy policy to increase collection and use of your data. It’s often hard to keep up with these ... [More] changes. In this case, you can rest easy. We’re making the Mozilla Persona privacy policy better for users. We simply noticed that we claimed we were retaining data which, in fact, we do not retain. Specifically, we do not retain the list of sites you visit with Persona. We’re tightening the language of the privacy policy to state that explicitly. At Mozilla, we use your data only to serve you. We also work hard to minimize how much data we collect: we don’t collect data preemptively, “just in case” we need it for future features. Check out the Mozilla Privacy Principles. And since all our code is public, you can review the privacy policy patch we just committed to our public code repository. This policy should go live in the next couple of weeks. As always, we welcome your questions and comments on our mailing list, or via the #MozillaPersona hash-tag on Twitter. [Less]

“We’re changing our privacy policy…” Does that sentence fill you with dread? Most of the time, unfortunately, it should. Too many web services change privacy policy to increase collection and use of your data. It’s often hard to keep up with these ... [More] changes. In this case, you can rest easy. We’re making the Mozilla Persona privacy policy better for users. We simply noticed that we claimed we were retaining data which, in fact, we do not retain. Specifically, we do not retain the list of sites you visit with Persona. We’re tightening the language of the privacy policy to state that explicitly. At Mozilla, we use your data only to serve you. We also work hard to minimize how much data we collect: we don’t collect data preemptively, “just in case” we need it for future features. Check out the Mozilla Privacy Principles. And since all our code is public, you can review the privacy policy patch we just committed to our public code repository. This policy should go live in the next couple of weeks. As always, we welcome your questions and comments on our mailing list, or via the #MozillaPersona hash-tag on Twitter. [Less]

We were very happy to see the revamped “Log In with Google Plus” product from our friends across town: big improvements in user experience, great mobile integration, and clearer privacy controls. Still, we think Identity on the Web can be better: ... [More] easier for developers, true choice and control for users. In particular, we think login should be personal and minimal first, social later. We’re not the only ones who think so, as TechCrunch reported: Some people don’t have Facebook or Twitter accounts. Others have deleted them to live a more “real” existence. Then there are those with social accounts, but who don’t want to give their most private data to just any developer. Their biographical info, location, interests, and the ability to post things to their friends are not things they want to give away without some vetting. […] Rockmelt co-founder and CEO Vishria tells me his company learned a big lesson […]: “because of privacy implications, people want to try an app with email and then add social later if they like it.” I call this “try before you pry,” and Vishria explains “there’s a certain level of trust that builds over time.” That’s why a login with Mozilla Persona delivers only the user’s preferred identity to the site. Users, not Sites, should choose their Identity Provider We also noticed that users dislike the NASCAR-style plastering of branded login buttons. If the user recognizes none, she’s forced to use a new identity provider. If the user recognizes one, the others are distracting. If the user recognizes more than one, she’ll likely forget which one she used the first time, click another one the second time, fail to retrieve her data at the web site in question, groan, and start again. We can do better. The user should see only options relevant to her! With Persona, the user chooses any email address she wishes. Only the user’s own email addresses are ever displayed. When returning to a site, the last-used address is even pre-selected. Privacy, even from the Identity Provider When logging in with Google Plus, users choose how much to reveal to their friends. However, users still cannot choose how much to reveal to Google: Google learns every user’s login at every site. It’s as if a hotel receptionist called up the Department of Motor Vehicles to inform them of your checkin because you provided a driver’s license as identification. A bit jarring, in our opinion. We built the Persona protocol to reduce data sharing to the minimum needed for the user to easily log in: the browser mediates the login without leaking data to the identity provider. In the end, Persona is the easy login solution that respects users. Want to add Persona login to your site? Read our quickstart. Or, if you’re more adventurous, you can turn your domain a Persona Identity Provider and directly certify your domain’s users. As always, we welcome your questions and comments on our mailing list, or via the #MozillaPersona hash-tag on Twitter. [Less]

We were very happy to see the revamped “Log In with Google Plus” product from our friends across town: big improvements in user experience, great mobile integration, and clearer privacy controls. Still, we think Identity on the Web can be better: ... [More] easier for developers, true choice and control for users. In particular, we think login should be personal and minimal first, social later. We’re not the only ones who think so, as TechCrunch reported: Some people don’t have Facebook or Twitter accounts. Others have deleted them to live a more “real” existence. Then there are those with social accounts, but who don’t want to give their most private data to just any developer. Their biographical info, location, interests, and the ability to post things to their friends are not things they want to give away without some vetting. […] Rockmelt co-founder and CEO Vishria tells me his company learned a big lesson […]: “because of privacy implications, people want to try an app with email and then add social later if they like it.” I call this “try before you pry,” and Vishria explains “there’s a certain level of trust that builds over time.” That’s why a login with Mozilla Persona delivers only the user’s preferred identity to the site. Users, not Sites, should choose their Identity Provider We also noticed that users dislike the NASCAR-style plastering of branded login buttons. If the user recognizes none, she’s forced to use a new identity provider. If the user recognizes one, the others are distracting. If the user recognizes more than one, she’ll likely forget which one she used the first time, click another one the second time, fail to retrieve her data at the web site in question, groan, and start again. We can do better. The user should see only options relevant to her! With Persona, the user chooses any email address she wishes. Only the user’s own email addresses are ever displayed. When returning to a site, the last-used address is even pre-selected. Privacy, even from the Identity Provider When logging in with Google Plus, users choose how much to reveal to their friends. However, users still cannot choose how much to reveal to Google: Google learns every user’s login at every site. It’s as if a hotel receptionist called up the Department of Motor Vehicles to inform them of your checkin because you provided a driver’s license as identification. A bit jarring, in our opinion. We built the Persona protocol to reduce data sharing to the minimum needed for the user to easily log in: the browser mediates the login without leaking data to the identity provider. In the end, Persona is the easy login solution that respects users. Want to add Persona login to your site? Read our quickstart. Or, if you’re more adventurous, you can turn your domain a Persona Identity Provider and directly certify your domain’s users. As always, we welcome your questions and comments on our mailing list, or via the #MozillaPersona hash-tag on Twitter. [Less]

We were very happy to see the revamped “Log In with Google Plus” product from our friends across town: big improvements in user experience, great mobile integration, and clearer privacy controls. Still, we think Identity on the Web can be better: ... [More] easier for developers, true choice and control for users. In particular, we think login should be personal and minimal first, social later. We’re not the only ones who think so, as TechCrunch reported: Some people don’t have Facebook or Twitter accounts. Others have deleted them to live a more “real” existence. Then there are those with social accounts, but who don’t want to give their most private data to just any developer. Their biographical info, location, interests, and the ability to post things to their friends are not things they want to give away without some vetting. […] Rockmelt co-founder and CEO Vishria tells me his company learned a big lesson […]: “because of privacy implications, people want to try an app with email and then add social later if they like it.” I call this “try before you pry,” and Vishria explains “there’s a certain level of trust that builds over time.” That’s why a login with Mozilla Persona delivers only the user’s preferred identity to the site. Users, not Sites, should choose their Identity Provider We also noticed that users dislike the NASCAR-style plastering of branded login buttons. If the user recognizes none, she’s forced to use a new identity provider. If the user recognizes one, the others are distracting. If the user recognizes more than one, she’ll likely forget which one she used the first time, click another one the second time, fail to retrieve her data at the web site in question, groan, and start again. We can do better. The user should see only options relevant to her! With Persona, the user chooses any email address she wishes. Only the user’s own email addresses are ever displayed. When returning to a site, the last-used address is even pre-selected. Privacy, even from the Identity Provider When logging in with Google Plus, users choose how much to reveal to their friends. However, users still cannot choose how much to reveal to Google: Google learns every user’s login at every site. It’s as if a hotel receptionist called up the Department of Motor Vehicles to inform them of your checkin because you provided a driver’s license as identification. A bit jarring, in our opinion. We built the Persona protocol to reduce data sharing to the minimum needed for the user to easily log in: the browser mediates the login without leaking data to the identity provider. In the end, Persona is the easy login solution that respects users. Want to add Persona login to your site? Read our quickstart. Or, if you’re more adventurous, you can turn your domain a Persona Identity Provider and directly certify your domain’s users. As always, we welcome your questions and comments on our mailing list, or via the #MozillaPersona hash-tag on Twitter. [Less]

Firefox is experimenting with a new third-party cookie policy. Alex Fowler, Mozilla’s Lead on Privacy and Public Policy, puts it this way: On Friday, Mozilla released a Firefox patch into its “Nightly” channel that changes how cookies from third ... [More] party companies function. Users of this build of Firefox must directly interact with a site or company for a cookie to be installed on their machine. Firefox is exploring this change because we believe it’s good for the Web. We did not test other Mozilla web sites first, because we do not play favorites. For example we didn’t know for sure, when the change was applied to Firefox Nightly, whether Persona would continue to function as expected. We believe this Firefox cookie policy change is good for users, and all of our products should live by the rule we’re proposing. Of course, since Persona is built to respect user privacy, we don’t set a cookie unless you directly interact with Persona. So it is without much surprise that our first tests indicate that Persona works just fine with Firefox’s new third-party cookie policy. Persona will always strive to provide the easiest login solution for users and developers, all the while protecting user privacy. It’s good to see that our approach meets the criteria set by Mozilla’s very best privacy minds. [Less]

Firefox is experimenting with a new third-party cookie policy. Alex Fowler, Mozilla’s Lead on Privacy and Public Policy, puts it this way: On Friday, Mozilla released a Firefox patch into its “Nightly” channel that changes how cookies from third ... [More] party companies function. Users of this build of Firefox must directly interact with a site or company for a cookie to be installed on their machine. Firefox is exploring this change because we believe it’s good for the Web. We did not test other Mozilla web sites first, because we do not play favorites. For example we didn’t know for sure, when the change was applied to Firefox Nightly, whether Persona would continue to function as expected. We believe this Firefox cookie policy change is good for users, and all of our products should live by the rule we’re proposing. Of course, since Persona is built to respect user privacy, we don’t set a cookie unless you directly interact with Persona. So it is without much surprise that our first tests indicate that Persona works just fine with Firefox’s new third-party cookie policy. Persona will always strive to provide the easiest login solution for users and developers, all the while protecting user privacy. It’s good to see that our approach meets the criteria set by Mozilla’s very best privacy minds. [Less]

Firefox is experimenting with a new third-party cookie policy. Alex Fowler, Mozilla’s Lead on Privacy and Public Policy, puts it this way: On Friday, Mozilla released a Firefox patch into its “Nightly” channel that changes how cookies from third ... [More] party companies function. Users of this build of Firefox must directly interact with a site or company for a cookie to be installed on their machine. Firefox is exploring this change because we believe it’s good for the Web. We did not test other Mozilla web sites first, because we do not play favorites. For example we didn’t know for sure, when the change was applied to Firefox Nightly, whether Persona would continue to function as expected. We believe this Firefox cookie policy change is good for users, and all of our products should live by the rule we’re proposing. Of course, since Persona is built to respect user privacy, we don’t set a cookie unless you directly interact with Persona. So it is without much surprise that our first tests indicate that Persona works just fine with Firefox’s new third-party cookie policy. Persona will always strive to provide the easiest login solution for users and developers, all the while protecting user privacy. It’s good to see that our approach meets the criteria set by Mozilla’s very best privacy minds. [Less]