Identity

From MozillaWiki
Jump to navigation Jump to search


Get Involved

Reach out to us


Learn more about Persona


Follow us on


Help us out by

Vision

Central to a people-centered ecosystem is an identity system that is under the control of the individual, and enables information sharing on the users own terms with no take-it-or-leave-it policies. To this end, Mozilla is building an identity system for the Web that has these properties.

The first service we're building, Persona, enables users to easily sign into websites using their existing email address in a secure and privacy-protecting way, with no additional passwords. For developers, it offers a very easy to implement API, and a verified email address they can use to communicate with the user.

User identities encompass much more than just an email address, of course, and so the next components of the Mozilla identity system will include payments, profile and data sharing on the users terms and more.

Identity Design Principles

draft 01 APR 2013

Account as relationship, not mechanism

We've used the metaphor of a lock and key for passwords. This is too cold and impersonal. It is an abstraction that serves the cold metal of hardware, but does nothing to help you build a relationship with the person. A more useful way to think about an account is that it allows a computer to identify this person, much like a doorman who can recognize a familiar face and recall their shared history to have a meaningful conversation.

Hierarchy of Needs

These are presented in order from lowest to highest level of user needs. They start with basic and move to more complex.

Reliability

I want access to my information 100% of the time, wherever I am. And don't blame me for unreliable service! The service should be percieved to be reliable.

  • Can access when and where needed.
  • Data is safe from unintentional loss.
  • In-browser password manager is allowed to function normally, not disabled.

Safety

At all points of centralization, the service should be resistant to attack. The service should be perceived as secure/protected.

  • Passwords stored securely.
  • If I lose my device and attacker cannot remotely wipe another machine.
  • Information from one account cannot be used to hack another site

Proportionality

The approach you use should be appropriate to the threat.

  • Password character requirements should be reasonable. Don't ask for 72chars, capital + number that rotates every 90 days unless you are a high-risk target.
  • Keep user logged in for long sessions unless you are a high-risk target.

Creating a supportive environment

Don't treat me as an intruder in my own house. Tone should be human and recognize that remembering credentials is a difficult thing to do. Be polite and forgiving of imperfect memory.

  • Error messages should have positive tone. Shaming language around forgetting password only create unnecessary stress.
  • After login it redirect user to where there intended to go.
  • Remember my configurations.
  • Clear how to access self help documents and forums.

Be the user's trusted agent

Provide a safe and secure way to take your information around the web

  • Easy access to contacts, contents of your "wallet."

Responsibilities of Relying Party sites

There are several issues which are directly related to accounts which are outside the scope of Persona. These are guidelines for relying party sites implementing Persona.

  • Site reflects whether the user is logged in or not.
  • Rules are clear when and why I need to log in or out
  • Usernames should only be used if you have public-facing content that needs to be anonymous.
  • Site has clear policies about who has access to and who owns user data.
  • Site employs ethical practices around what they do with user data and data portability.
  • Changes to terms and privacy policies are presented with clear language.

Identity Speaks: Upcoming Conference Schedule

Interested in Persona? Check out Dan Callahan's presentation at PyCon 2013 Beyond Passwords: Secure Authentication with Mozilla Persona

Conference Presentation Details Date Location Presenter
Libre Software Meeting Mozilla Persona for your domain July 10, 2013 Brussels, Belgium Francois Marier
Open Web Camp Mozilla Persona: Simplified sign-on July 13, 2013 San Jose, California Vlad Filippov
WDCNZ Taking the pain out of signing users in July 25, 2013 Wellington, New Zealand Francois Marier
PyCon Canada Quick Wins for Better Website Security August 10, 2013 Toronto, Canada Dan Callahan
Ember Fest EU Forget Passwords, Use Persona August 30, 2013 Munich, Germany Dan Callahan

Meet the Identity Team

Name Title Location
Andy Chilton Developer New Zealand
Austin King Developer Washington
Brian Warner Developer California
Chris Karlof Developer California
Crystal Beasley Lead UX Designer Oregon
Dan Callahan Developer Relations and Documentation Minnesota
Danny Coates Developer California
Edwin Wong QA California
Francois Marier Developer New Zealand
Gene Wood Operations California
Hannah Quay-de la Vallee Intern 2013 San Francisco
James Bonacci QA California
Jared Hirsch Developer California
Jed Parsons Developer California
John Gruen UX New York
John Morrison QA California
Karl Thiessen QA California
Katie Parlante Developer California
Lloyd Hilaiel Director, Identity Department Colorado
Ryan Feeley UX Designer Toronto
Ryan Kelly Developer Australia
Ryan Seys Intern 2013 San Francisco
Sean McArthur Developer California
Shane Tomlinson Developer United Kingdom
Tauni Oxborrow Program Manager California
Vlad Filippov Intern 2013 San Francisco
Zach Carter Developer California

Identity Projects

A complete & updated Identity project list with links to appropriate wiki pages coming in July 2013

  • Identity UX
  • Native FXOS & B2G - updated page coming soon
  • Persona Analytics
  • Profile in the Cloud (PiCL) - updated page coming soon
  • Signin to the Web - updated page coming soon
Retrieved from "https://dev.wikimo.nonprod.webservices.mozgcp.net/index.php?title=Identity&oldid=674086"