feedback

Hi All,

We were very excited to find Persona, and we quickly integrated it with our
site. We really liked the privacy protections and the slick integration
from both the user and the developer's perspective. However, after testing
it for two months, we are having to discontinue Persona support. I just
wanted to provide some constructive feedback as to why we are, at least for
now, removing Persona from our project. I hope these issues are resolved at
some point so that we can again use Persona.

We removed Persona for three reasons, in descending importance:

1. Users were often still logged in when they thought they weren't.
2. Speed. By removing Persona, we cut page load time by a full 1.5 seconds.
3. We could not force password entry - so all we could be assured of was
that the authorized user logged in at some point in the past, not that the
authorized user was actually performing the action.

More details:
1. Our site contains confidential information, so it is important that
users be confident that their data is secured. We found that users thought
they were logged out when they hit our logout button (probably a reasonable
assumption). However, a subsequent user could easily log back in to our
site with their credentials because they had not logged out of Persona.
Training a nontechnical user to go to persona.org to log out is nontrivial. I
hope this will be resolved when browser integration is complete with some
indication whether you are logged into Persona, and an easy way to log out
of Persona.

2. Persona was taking approximately 600ms to initially load the script, and
then another 600ms to communicate with the server. It appears the second
communication relies on iframes that cannot start communicating until the
DOM is ready. This meant that all our logic requiring authentication
couldn't occur until approximately 600ms after DOM ready. By switching to a
home-grown auth/auth solution we were able to remove the two 600ms calls,
and move the post-auth logic into parallel with DOM generation, greatly
speeding up our site.

3. This one isn't a huge issue for us yet. Only account deletion needs to
be absolutely certain the user is who they say they are. We could
accomplish that by sending them a verification email that they had to click
on. However, once we started charging for services, we would have no easy
way to ensure sensitive actions involving payment methods were being
performed by the individual, and not just somebody who had access to that
individual's computer.

We look forward to seeing how Persona develops, and we hope to be able to
reimplement soon.

Regards,

David
0
David
11/12/2012 11:09:32 PM
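
An added example, not part of the original post and not Persona code: one way to build the verification e-mail mentioned in point 3 so that the clicked link authorizes exactly one sensitive action for one user, once, within a short window. The function names, the 15-minute lifetime, the action labels and the in-memory nonce set are assumptions made for illustration.

```javascript
// Added example: action-bound, expiring, single-use confirmation tokens
// for a site-side "confirm by e-mail" step before a sensitive action.
const nodeCrypto = require("node:crypto");

const SECRET = nodeCrypto.randomBytes(32);   // server-side HMAC key (generated here for the demo)
const TOKEN_TTL_MS = 15 * 60 * 1000;         // assumed lifetime of an e-mailed link
const usedNonces = new Set();                // stand-in for a persistent server-side store

function sign(body) {
  return nodeCrypto.createHmac("sha256", SECRET).update(body).digest("base64url");
}

// Called when the user requests the sensitive action; the returned token
// goes into the link that is e-mailed to the account's address.
function issueConfirmation(userEmail, action, now = Date.now()) {
  const claims = {
    u: userEmail,                                          // who may use it
    a: action,                                             // what it authorizes
    n: nodeCrypto.randomBytes(16).toString("base64url"),   // single-use nonce
    exp: now + TOKEN_TTL_MS,                               // hard expiry
  };
  const body = Buffer.from(JSON.stringify(claims)).toString("base64url");
  return `${body}.${sign(body)}`;
}

// Called when the link is clicked. sessionEmail is the address of the
// currently logged-in session; action is what the handler is about to do.
function confirm(token, sessionEmail, action, now = Date.now()) {
  const [body, mac] = String(token).split(".");
  if (!body || !mac) return { ok: false, reason: "malformed" };

  // Verify the MAC before parsing anything the client controls.
  const expected = Buffer.from(sign(body));
  const given = Buffer.from(mac);
  if (expected.length !== given.length ||
      !nodeCrypto.timingSafeEqual(expected, given)) {
    return { ok: false, reason: "bad-signature" };
  }

  const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  if (now > claims.exp) return { ok: false, reason: "expired" };
  if (claims.u !== sessionEmail) return { ok: false, reason: "wrong-user" };
  if (claims.a !== action) return { ok: false, reason: "wrong-action" };
  if (usedNonces.has(claims.n)) return { ok: false, reason: "replayed" };

  usedNonces.add(claims.n);   // burn the nonce only on success
  return { ok: true };
}
```

A click on the link shows control of the mailbox at that moment, which is a different guarantee from a password prompt; the token only ensures the link cannot be reused, retargeted to another action, or replayed later.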

On Monday, November 12, 2012 11:09:55 PM UTC, David Greisen wrote:
> Hi All,
>
> We were very excited to find Persona, and we quickly integrated it with our
> site. We really liked the privacy protections and the slick integration
> from both the user and the developer's perspective. However, after testing
> it for two months, we are having to discontinue Persona support. I just
> wanted to provide some constructive feedback as to why we are, at least for
> now, removing Persona from our project. I hope these issues are resolved at
> some point so that we can again use Persona.
>
> We removed Persona for three reasons, in descending importance:
>
> 1. Users were often still logged in when they thought they weren't
[...]
> More details:
>
> 1. Our site contains confidential information, so it is important that
> users be confident that their data is secured. We found that users thought
> they were logged out when they hit our logout button (probably a reasonable
> assumption). However, a subsequent user could easily log back in to our
> site with their credentials because they had not logged out of Persona.
>
> Training a nontechnical user to go to persona.org to log out is nontrivial. I
> hope this will be resolved when browser integration is complete with some
> indication whether you are logged into Persona, and an easy way to log out
> of Persona.

I think I agree. Is there any case where the current sign-out behaviour is useful? If I sign out from a site, it's generally because someone else is going to use the same computer and I don't want them logging in as me. That implies that logging out should always log out of all Persona sites (or, at least, prevent me from logging back into them without reentering my password).

Apart from developers testing their login code, I can't see any use for signing out of a single site while keeping the private key available for future logins. Am I missing something?

Thanks,
0
Thomas
12/3/2012 12:51:10 PM
On 04/12/12 01:51, Thomas Leonard wrote:
> I think I agree. Is there any case where the current sign-out behaviour is useful? If I sign out from a site, it's generally because someone else is going to use the same computer and I don't want them logging in as me. That implies that logging out should always log out of all Persona sites (or, at least, prevent me from logging back into them without reentering my password).
> 
> Apart from developers testing their login code, I can't see any use for signing out of a single site while keeping the private key available for future logins. Am I missing something?

This issue was also discussed here:


https://groups.google.com/forum/?fromgroups=#!topic/mozilla.dev.identity/stxvd9SzDc8

The reason why sign out works the way it does is that it enables Persona
to provide easy logins to sites without requiring users to enter a
password every single time. (Facebook/Twitter logins work in a similar way.)

Cheers,
Francois
0
Francois
12/3/2012 7:59:07 PM
On Mon, Dec 3, 2012 at 11:59 AM, Francois Marier <francois@mozilla.com> wrote:

>
> The reason why sign out works the way it does is that it enables Persona
> to provide easy logins to sites without requiring users to enter a
> password every single time. (Facebook/Twitter logins work in a similar
> way.)
>

True, but maybe it's worth us rethinking this? The user research we did
shows that users are very confused by Facebook/Twitter behaviors.

-Ben
0
Ben
12/3/2012 8:07:52 PM
It's not currently the same behaviour as Twitter/Facebook though. Third party sites won't log you in via those services automatically, as they do with Persona as described earlier in this thread.

I think it's fine if, upon requesting login, the site realises that the token is valid, which is the case with Facebook/Twitter. Persona doesn't have that extra step, which is probably the source of user confusion.

Cheers,
Rikki

Sent from my Windows Phone
________________________________
From: Ben Adida<mailto:ben@adida.net>
Sent: 03/12/2012 20:07
To: Francois Marier<mailto:francois@mozilla.com>
Cc: dev-identity@lists.mozilla.org<mailto:dev-identity@lists.mozilla.org>
Subject: Re: feedback

On Mon, Dec 3, 2012 at 11:59 AM, Francois Marier <francois@mozilla.com> wrote:

>
> The reason why sign out works the way it does is that it enables Persona
> to provide easy logins to sites without requiring users to enter a
> password every single time. (Facebook/Twitter logins work in a similar
> way.)
>

True, but maybe it's worth us rethinking this? The user research we did
shows that users are very confused by Facebook/Twitter behaviors.

-Ben
0
Rikki
12/3/2012 8:34:12 PM
On Monday, December 3, 2012 7:59:07 PM UTC, Francois Marier wrote:
> On 04/12/12 01:51, Thomas Leonard wrote:
>
> > I think I agree. Is there any case where the current sign-out behaviour is useful? If I sign out from a site, it's generally because someone else is going to use the same computer and I don't want them logging in as me. That implies that logging out should always log out of all Persona sites (or, at least, prevent me from logging back into them without reentering my password).
> >
> > Apart from developers testing their login code, I can't see any use for signing out of a single site while keeping the private key available for future logins. Am I missing something?
>
> This issue was also discussed here:
>
> https://groups.google.com/forum/?fromgroups=#!topic/mozilla.dev.identity/stxvd9SzDc8
>
> The reason why sign out works the way it does is that it enables Persona
> to provide easy logins to sites without requiring users to enter a
> password every single time.

But why would I sign out if I just wanted to use multiple sites? I'd just log in to each of them using Persona and only have to enter my password once.

If I sign out, it usually means that someone else is going to be using the computer, so I don't want it keeping the private key around.

> (Facebook/Twitter logins work in a similar way.)
0
Thomas
12/4/2012 11:12:31 AM
Thanks for raising this issue with such good descriptions of your concerns. It is a sticky problem. There is a fine balance between convenience and security.

We did a competitive analysis of Sign in with Facebook to gauge how users expected logout to work. We found that roughly half believe logging out of an RP also logged them out of Facebook and the other half believe it does not. If there were more of an 80/20 split we could simply follow what the users expected. Unfortunately, we did not find that consensus. More details on this study at http://skinnywhitegirl.com/blog/how-people-think-facebook-connect-login-logout-work/861/

The current UX around session state was built with the assumption that the vast number of email addresses will be from secondary providers. With the launch of Big Tent, we must entirely reexamine these questions.

Expect improvements in this area and keep on asking the hard questions! I believe there is much more work to be done here.

Crystal Beasley
UX Designer 
0
skinny97214
12/5/2012 1:05:26 AM