A Personal Persona Post-Mortem
In reaction to a Bring Back Persona blog post, I wrote this response.
I joined Mozilla’s Persona team as a designer in May of 2013 until it was destaffed less than a year later. I spent my time ramping up, introducing UX improvements, and watching users struggle with Persona, but since then haved moved on to Firefox Accounts, Passwords and Sync.
While I feel that Persona has a great heart, it possesses several flaws, some of which I would argue are fatal.
#1. Email addresses are not permanent identifiers. Let me tell you about, Mozillians.org, which is a website that supports Persona. Very often Mozilla employees create accounts using their mozilla.org email address which authenticates against the Mozilla (LDAP) Identity Provider. When those employees leave Mozilla (including, ironically, some of the founders of Persona) they no longer control that identity, and can no longer access their account. Their Mozillians.org profile is trapped in time. With a conventional login, as long as you remember your password, you can get in. Losing access to an email address should not mean a loss of accounts everywhere.
#2. Persona is great for internal apps when access control isn’t critical Mozilla uses Persona for some internal applications, and it works beautifully. We run a proper IdP so when you enter a Mozilla email, you get the Mozilla LDAP screen, and you’re in. The problem for most organizations is access control. When someone leaves the org and has their email cut off, their Persona sessions don’t instantly expire. Allowing ex-employees to access internal applications, even temporarily, is a deal-breaker for many.
#3. Marketing Persona as another social sign-in option (aka the NASCAR) was death by a thousand cuts. Persona is an unknown and untrusted name. Mozilla is not as well known as Firefox. Firefox is assumed to be browser specific. Persona requires its own password, unless it doesn’t. Email providers showed no interest. UX around multiple emails was unclear. Persona is perceived as a login process interloper. Site owners want to control all of the UX. Persona used a pop-up which users interpret negatively. NASCAR usage has declined. Users are often surprised Persona provides the sites with their email.
If these flaws are fatal, what can feasibly carry the torch? Could one day Facebook’s Anonymous Login be truly anonymous masking activity from Facebook as well? Would Google follow suit? I know that Firefox Accounts will soon support the ability to sign in to a site with a generated UUID, but this would still require a Firefox Account, making it very different than a federated login like Persona. Curious to read your thoughts.