Is Mozilla’s Persona the Authentication System That We’ve All Been Waiting For? Probably Not.
Last week, Mozilla announced the first beta release of Persona. Persona, formerly called BrowserID, is a personal authentication system that aims to eliminate passwords to log in to web sites. Of course, you still need one master password to log in to Persona, but it takes care of every site login after that. Persona is definitely interesting, but it likely won’t be signing any death warrants on passwords just yet.
How Persona Works
One thing that Persona has going for it is that on the surface it is relatively simple. When it comes to authentication, simple is good. Here is a simplified explanation of how it works:
- You visit a site and that site asks for your identity.
- Your browser goes to persona.org (or whatever identity provider you use but for this example I will use persona.org) and asks you to enter your email address and password.
- Once authenticated, persona.org signs your public key, basically giving you a seal of authenticity that’s good for 24 hours.
- Your browser creates a document called an identity assertion, signs it with your private key, then sends that and your signed public key to the site you want to log in to.
- The site looks at the document, verifies that it was signed by you, verifies that your signature was signed by persona.org, and then verifies that persona.org’s signature was signed by a trusted authority such as Verisign or Thawte.
Note that the identity assertion is valid only for that one site, only from your current web browser, and only for the next 24 hours. At any time, however, you can log out and invalidate all currently stored sessions.
What Makes Persona Great
One thing that makes Persona unique is that the site you visit doesn’t need to communicate with persona.org directly, meaning that persona.org never knows what sites you are logging in to. Another big advantage is that it is solely based on your email address, which is much easier to remember than an OpenID URL, and which means that you can easily remain as anonymous as your email address allows. Even better, Persona is distributed so if you own your domain you can be your own identity provider.
But There Are Problems
Like any authentication system, Persona does need some serious real-world testing to prove itself and work out the bugs. The problem with Persona, however, is that the stuff that makes it so cool is also what exposes it most to attack.
For example, there is the signing key at the identity provider. Normally you want the strictest safeguards to protect any signing key. Some signing keys are so important that they are not even stored on network-accessible computers. The problem here is that in order to sign user certificates, you would need to allow the web server to access the private signing key. That usually means storing it on the web server itself.
We have all seen the news reports of user passwords stolen from a server and dumped on the Internet. But what happens if someone grabs a signing key? Basically it means they can sign any request and therefore log in as any user to any site that uses Persona. Yes, that is a pretty big issue. If I ran an identity provider, I would be terrified of taking my eyes off the monitoring consoles.
Another big vulnerability is the web browser itself. Of course, if someone’s browser is infected with malware, they already have some serious issues. But what makes Persona especially vulnerable is that such malware could do more than intercept passwords: it could authenticate you to any web site you use with Persona, without any intervention on your part, as long as you are logged in to Persona.
Yet another significant issue is that there is way too much room for error in implementing Persona. We have learned by now that if people can get it wrong, they certainly will get it wrong. Persona relies way too much on the implementation which means we will no doubt see plenty of vulnerabilities with identity providers, browsers, and relying parties.
A good example of this can be seen on persona.org itself. When you log in, it first asks for your email address to see if you are a valid user, and only if you are does it prompt you for your password. The problem with this two-step approach is that it makes the site vulnerable to account harvesting. You always have to ask for email and password together, and if one is invalid you never say which one it is.
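The two-step weakness described here beside the fix the paragraph prescribes, as an added Go example (not code from persona.org): the account store is constructed, and salted SHA-256 stands in for the slow password hash a real service would use.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
)

type record struct {
	Salt string
	Hash [32]byte
}
// Salted SHA-256 stands in for a real slow password hash (bcrypt/scrypt/argon2);
// the simplification is an assumption so the example needs only the standard library.
func hashPassword(salt, password string) [32]byte {
	return sha256.Sum256([]byte(salt + "\x00" + password))
}
// Constructed sample account store (not real data).
var users = map[string]record{
	"alice@example.com": {Salt: "s1", Hash: hashPassword("s1", "correct horse battery")},
}
// A dummy record checked for unknown emails so the work done (and therefore the
// response time) is the same whether or not the account exists.
var dummy = record{Salt: "s0", Hash: hashPassword("s0", "unused")}
// LoginTwoStep mirrors the flow the post criticises: the email is checked first and
// the reply itself reveals whether an account exists.
func LoginTwoStep(email, password string) string {
	rec, ok := users[email]
	if !ok {
		return "unknown email address" // distinct message: lets anyone enumerate accounts
	}
	h := hashPassword(rec.Salt, password)
	if subtle.ConstantTimeCompare(h[:], rec.Hash[:]) != 1 {
		return "wrong password"
	}
	return "ok"
}
// Login takes both credentials at once and gives one generic answer for every failure.
func Login(email, password string) string {
	rec, ok := users[email]
	if !ok {
		rec = dummy // still hash and compare, so unknown emails cost the same
	}
	h := hashPassword(rec.Salt, password)
	if !ok || subtle.ConstantTimeCompare(h[:], rec.Hash[:]) != 1 {
		return "invalid email or password"
	}
	return "ok"
}
```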
Despite its potential flaws I do still like Persona. I don’t think it is the technology that will save us from having to remember passwords, but it is an important step in the evolution of secure authentication. What we learn from it is that emails are better than URLs as identifiers. We learn that it’s good to do stuff on the client side to ensure user privacy. We learn that we can easily leverage long-established and well-tested technologies without having to invent something new on the crypto side of things. Unfortunately, we also learn how incredibly difficult it still is to do authentication right.