Thursday, August 22, 2013

Persona Login Support - Yay!

I've added Mozilla Persona login support for http://codingbat.com -- it's a neat technology that greatly simplifies logging into sites around the internet. I think there's a good chance it really takes over, so you heard it here first! It's in a kind of "beta" state, just getting started. (Disclosure: my wife works for Mozilla).

Persona has a lot of features, so the marketing is a little all over the place IMHO. Here are the main advantages as I see them:

Convenience: You don't have to make up a new username/password/pet-name for each site. You just use whatever email address you select to be your Persona ID. If you want, you can have several Persona IDs and use different ones with different sites (vs. Facebook connect). Also, once you've logged into Persona once in your browser, all the other Persona-enabled sites you visit just work. So there's no creating and remembering 8 zillion different accounts and passwords. Yay!

Security: The way the tech works, your password is not shared with the site you are logging in to. If a site gets "hacked", there's nothing for the bad guys to steal! Think of the headlines we read again and again, where a site gets broken into and thousands of passwords are stolen: Persona is intrinsically immune. Under the hood, it works with digital signatures exchanged between the sites instead of passwords.

Open: It's a free and open standard built out by the non-profit Mozilla Foundation. You can select any Persona provider or even run your own, so your identity is not put under the control of one organization (this being the big problem with Facebook connect). As a practical matter, if you use a gmail or yahoo address, it just works seamlessly: you type your gmail password into gmail, and that's enough for you to log in to codingbat.com or whatever. Your gmail password is only sent to gmail, and that creates a digital signature which logs you into codingbat.com. This is how there's no password sent to codingbat.com for the bad guys to steal.
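The signature flow described under Security and Open, as an added example that is not CodingBat's or Mozilla's code: a simplified model (not Persona's actual wire format) in which only the email provider checks the password and the site verifies signatures. All function names, the sample account, the key type and the lifetimes are assumptions made for illustration.

```javascript
// Added illustration: simplified signature-based login, NOT Persona's real wire format.
const crypto = require('node:crypto');

const sign = (obj, key) => crypto.sign(null, Buffer.from(JSON.stringify(obj)), key).toString('base64');
const check = (obj, sig, pubPem) =>
  crypto.verify(null, Buffer.from(JSON.stringify(obj)), crypto.createPublicKey(pubPem), Buffer.from(sig, 'base64'));
const pem = (k) => k.export({ type: 'spki', format: 'pem' });

// Email provider: the only party that ever sees the password (constructed sample account).
const provider = crypto.generateKeyPairSync('ed25519');
const accounts = { 'example@gmail.com': 'correct horse' }; // toy store; real providers keep hashes
function providerIssueCert(email, password, browserPubPem, now) {
  if (accounts[email] !== password) throw new Error('bad password');
  const body = { email, browserKey: browserPubPem, exp: now + 3600 };
  return { body, sig: sign(body, provider.privateKey) };
}

// Browser: holds its own key pair and signs a short-lived assertion for one site.
function browserAssert(cert, browserPriv, audience, now) {
  const body = { audience, exp: now + 120 };
  return { cert, body, sig: sign(body, browserPriv) };
}

// Site (relying party): knows only the provider's public key and stores no password.
function siteVerify(a, providerPubPem, myOrigin, now) {
  if (!check(a.cert.body, a.cert.sig, providerPubPem)) return null; // provider vouches for the email
  if (!check(a.body, a.sig, a.cert.body.browserKey)) return null;   // browser holds the bound key
  if (a.body.audience !== myOrigin) return null;                    // assertion was made for another site
  if (a.cert.body.exp < now || a.body.exp < now) return null;       // certificate or assertion expired
  return a.cert.body.email;
}

function demo() {
  const now = 1377129600; // constructed timestamp
  const browser = crypto.generateKeyPairSync('ed25519');
  const cert = providerIssueCert('example@gmail.com', 'correct horse', pem(browser.publicKey), now);
  const a = browserAssert(cert, browser.privateKey, 'http://codingbat.com', now);
  const P = pem(provider.publicKey);
  const forged = { ...a, cert: { ...cert, body: { ...cert.body, email: 'someone-else@gmail.com' } } };
  return {
    ok: siteVerify(a, P, 'http://codingbat.com', now),
    otherSite: siteVerify(a, P, 'http://other.example', now),
    tampered: siteVerify(forged, P, 'http://codingbat.com', now),
    expired: siteVerify(a, P, 'http://codingbat.com', now + 600),
  };
}
console.log(demo());
```

Everything the site handles in `siteVerify` is a signed statement and a public key, so a dump of the site's data contains nothing that works as a login secret elsewhere.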

CS research aside: Working with Mozilla research intern Hannah Quay-de la Vallee, I implemented the login feature with an "A/B Test" to test different UI looks and collect tons of stats about which UI worked best. So if you noticed that the UI looked different on occasion, that's why. I'll write about the A/B test separately, along with some other new-codingbat-feature posts.

Edit: Also, if you have an existing CodingBat account, like say example@gmail.com, you can still click through the Persona-create flow, and it will set that account up so you can use Persona for future logins, keeping all your old history and stuff. It's the same account, just with a new login option. As it happens, your old CodingBat password will continue to work too. If you create a new CodingBat account through Persona, then only Persona works for logins. You can create a Persona account for any email address (just type the email address into the Persona dialog, and it figures it all out). At present, Persona is extra-simple for gmail and yahoo addresses, as those were the first two to get a fully automated flow.


9 comments:

  1. you can still click through the Persona-create flow, and it will set that account up so you can use Persona for future log in.

  2. Codingbat is great, but I'm really tired of logging in to the website many times. I've enabled Persona to remember me, but codingbat itself doesn't remember that I'm logged in for a long time, so the moment I finish an exercise - my login gets expired :(

  3. Please excuse a newbie query... What would the result be if a person used another person's email address for a Persona login?

  4. This comment has been removed by the author.

  5. I have created a codingbat account using Persona, successfully completed several exercises then logged out. When I log back in using my Persona account those exercises are not saved. This only happens when I log in using my Persona account. Is this a bug?

  6. How is this inherently more secure than, say a Twitter/FB or Google Plus login? Three factor authentication is enabled that way too and no passwords are stored on your server in either case.

    In fact, from a usability point of view, we should have multiple sign-in facilities when we design a site. So, if a user doesn't have (or doesn't want to use) a persona account, s/he can use a G+, FB or Twitter.

  7. And btw, codingbat.com is great for practicing python and java. Now, I really wish there was one for php too!
