I desperately want to like Persona, the decentralized login system created by Mozilla, but it needs to evolve. It's such an awesome and long-overdue concept: who wouldn't want a relatively secure way to use one login/password for all their web services? If it became popular enough, it could even put password managers out of business.
I even went so far as to implement it on a couple of my sites. After a couple months, I found myself reverting the sites back to using my own login system. There are two main problems with it, from my perspective, and they're dealbreakers:
- It needs white-labeling. I know that branding drives adoption, but showing the Persona name on the login box at all is too much; it needs to be transparent for the user. Most of the visits to any website are first-time visits, which means the user is seeing your site/brand for the first time. Introducing another brand at the sign-up point is a confusing distraction to the user.
- It needs an API. I don't know if at this point the popup window is a technical necessity, but in addition to being last decade's fashion, popups are frankly annoying.
Even if (perhaps especially if) your application is merely glue that connects other APIs and libraries, you want, at least initially, to advertise as few of them as possible to your user. Selling the sizzle instead of the steak means persuading the user that your app is cool because it's personally beneficial, not that it's cool because it's built with bootstrap/jquery/ajax/rest/json/persona. You may use Google Apps to handle your corporate email, but that doesn't mean you want a signature on every email advertising that you don't handle your own mail.
Stripe is a perfect example of how it should be done: as transparently as possible. When you use Stripe as a payment processor, even though they do all the heavy lifting, there doesn't need to be anything on your website indicating that. It's your choice whether to say on your payment form that payments are handled by Stripe. The guys at Stripe don't force that on you.
Stripe is also designed around their API. It's the core feature of their product. As it should be with Persona: with the proper API, developers would be free to implement Persona login without actually using the Persona popup window. I know that the majority of Mozilla's effort right now is probably focused on public awareness and identity provider establishment, so perhaps an API is planned for the future. But no matter how many identity providers there are, Persona will only truly succeed if web developers adopt it en masse, so that Persona is as common as the Facebook Like button.
Users want the simplicity of single sign-on. Facebook login, Google login, and OpenID all prove it. Tying it to your email provider is the perfect implementation, because email is the authentication-of-last-resort for almost all web services today anyway. I know that I personally have over 100 account credentials saved in my password manager, and I would love to replace a lot of those with a single Persona login. But as much as I want Persona to succeed, their roadmap seems unclear and I'm not sure they're focusing on the right things. Right now, it's just too much to ask of my users. I hope that changes to where it's something to ask of me, and my users don't really notice that I'm using Persona at all. Then it will go on every website I operate.