Mozilla: Unlike FB and Twitter Single Sign-in, Persona Protects User Privacy 81
tsamsoniw writes "Mozilla today unveiled Persona Beta 2, the newest edition of the organization's open authentication system. The release includes Identity Bridging, which lets user sign in to Persona-supported sites using their existing webmail accounts, starting with Yahoo. Mozilla used the release as an opportunity to bash social sign-in offerings from Facebook and Twitter, which 'conflate the act of signing into a website with sharing access to your social network, and often granting the site permission to publish on your behalf,' said Lloyd Hilaiel, technical lead for Mozilla Persona. He added that they are built in such a way that social providers have full visibility into a user's browsing behavior."
I'd rather have multiple authentication realms (Score:5, Interesting)
The biggest thing I have against single-sign-on is that I need different levels of security for different sites, and I want to keep the sites compartmentalised from each other.
For instance, I want high security for my email account and access it only from computers/devices that I have control over.
However, I have private playlists on Youtube that I may want to show to a friend, on a third guy's (two degrees of separation) computer. I don't want to have to be afraid of logging into Youtube on that machine because that computer would also get access to my email.
When I am on my trusted home computer, having different accounts for different things can get cumbersome with those sites that force single-sign-on on you!
Yes, while I could use the Incognito mode in Chromium to separate my logins -- it does only separate [i]two[/i] sites, and I would have to login each time I need a new window in incognito mode.
It would be much more convenient if I could have different "realms" or "personas", where I could browse each site in its own realm.
Re:Not google? (Score:5, Interesting)
So, if I am reading that right, personas do not directly leak every login to a central database. But, it does use the same id across different websites so if the website used a service to cross-reference ids with other websites the net result would be the same.
Given the massive proliferation of trackers that we already have, I think we would quickly see them include persona id tracking too.
Re:Stop making it easier to require sign-ins (Score:4, Interesting)
Re:Not google? (Score:4, Interesting)
It's actually more private than that. Without knowing all the nitty gritty details - if an app follows Google's process for signing up users, that user gets a unique OpenID specific to that app via a common 'discovery' url.
That way all the apps you sign up for can't really connect you with anything else.
It is a slight pain for open standards though - Google is making it much harder to know what your standard OpenID actually is.