Identity/Persona Shutdown Guidelines for Reliers

5,840 bytes added, 00:53, 12 January 2016
Add initial information about persona.org shutdown
When the Mozilla Identity team [http://identity.mozilla.com/post/78873831485/transitioning-persona-to-community-ownership transitioned the Persona login system to community ownership], we committed resources to operational and security support throughout 2014, and [https://groups.google.com/forum/#!topic/mozilla.dev.identity/rPIm7GxOeNU renewed that commitment for 2015]. Due to low, declining usage, we are reallocating the project’s dedicated, ongoing resources and will shut down the persona.org services that we run.

The persona.org services run by Mozilla will be shut down on November 30th 2016.

This page exists to help website owners migrate their sites away from persona.org. Don’t hesitate to reach out to us on the [https://lists.mozilla.org/listinfo/dev-identity dev-identity mailing list] and in the [irc://irc.mozilla.org/#services-dev #services-dev IRC channel] for additional support.

== FAQs ==

=== Why is persona.org being shut down? ===

Our metrics show that usage of persona.org is low, and has not grown over the last two years.

Hosting a service at the level of security and availability required for an authentication system is no small undertaking, and Mozilla can no longer justify dedicating limited resources to this project. We will do everything we can to shut it down in a graceful and responsible manner.

=== What will happen in the meantime? ===

Between now and November 30th, 2016, Mozilla will continue to support the Persona service at a maintenance level:
* Security issues will be resolved in a timely manner and the services will be kept online, but we do not expect to develop or deploy any new features.
* Support will continue to be available on the [https://lists.mozilla.org/listinfo/dev-identity dev-identity mailing list] and in the [irc://irc.mozilla.org/#services-dev #services-dev IRC channel].

All websites that rely on Persona will need to migrate to another means of authentication during this time.

=== What happens after that? ===

On or after November 30th, 2016, the services hosted by Mozilla on persona.org will be taken offline. This includes the persona.org website, the JavaScript shim, the fallback IdP and identity bridges, and the hosted verifier.

Mozilla will retain control of the persona.org domain and will not transfer it to a third party. This is a security measure to protect websites that have not completed their migration away from the service.

All user data stored on the persona.org services will be destroyed, including registered email addresses and password hashes. Since the privacy of user data is of utmost importance to Mozilla, we will not transfer it to any third parties.

=== What about the code? ===

All of Persona's code -- core, bridges, shims, and more -- is open source and remains [https://github.com/mozilla/persona available on GitHub]. Though this marks the end of Mozilla's direct involvement in Persona, we encourage others to continue learning from and building upon our work.

== Migration Suggestions and Guidelines ==

The following alternative login options are available for sites migrating away from Persona. We will continue to update this page throughout the year.

Mozilla-hosted sites may find additional, staff-login-specific migration options on the [https://mana.mozilla.org/wiki/display/Identity/Persona+migration+guide+for+internal+sites internal mana page].

=== Delegated Authentication Providers ===

Many large email and service providers offer delegated login for third-party applications, including Google, Facebook and GitHub. Indeed, we have found that many sites currently using Persona also offer login via one or more of these services. While these services do not offer equivalently-strong privacy guarantees to Persona, they are a convenient and secure choice for users since they avoid the creation of a site-specific password.

We plan to offer delegated authentication with Firefox Accounts some time in 2016. If you’re interested in adding Firefox Accounts as a login option to your site, please reach out to us on the [https://mail.mozilla.org/pipermail/dev-fxacct/ dev-fxacct mailing list].

=== Site-Specific Accounts ===

Many web frameworks offer password-based user accounts functionality out-of-the-box. Although it requires users to create and remember yet another password, it can be a good choice for users who do not have (or do not wish to share) an account with a delegated authentication provider.

For existing users who previously authenticated with Persona, you could consider authenticating them through Persona again to confirm their email address, then prompting them to create a site-specific password.

=== Passwordless Email Login ===

As an alternative to setting a site-specific password, you can allow users to log in directly via an email link, as described in [https://hacks.mozilla.org/2014/10/passwordless-authentication-secure-simple-and-fast-to-deploy/ this article] and implemented by libraries like [https://passwordless.net/ passwordless]. This can avoid the security implications of users having to create and manage another password, and may be a good fallback option when used in combination with delegated authentication providers.

=== Self-hosting Persona ===

Since the code for Persona is open-source, it would be possible for reliers to self-host an instance of the service that is dedicated to their own use.

This approach is not recommended for most reliers. Persona has a large and complex codebase that has not seen significant development in several years, and Mozilla will not provide security or maintenance updates after 30th November 2016.

=== More? ===

We encourage affected reliers to document any alternative solutions here and to discuss them on the dev-identity mailing list, so that others can benefit from their experience.