113: Meet Dan Callahan from Mozilla Persona

"Kill the password" - privacy on the web - Dan Callahan is part of the Identity Team at Mozilla who are trying to solve some of the problems of privacy and security on the Internet that have been hitting the headlines recently. Dan works on the Mozilla Persona project, a system to both replace passwords with verified identities and put that verification under user control, rather than the control of large corporate entities.

Background: Now is the time for more privacy

Security and privacy online are now a concern for more people than ever, following the highly publicized revelations of mass – probably illegal in some cases – data collection by the NSA, the British GCHQ, The German BND, and others. I am personally unhappier than ever to have to entrust 3rd parties with my login credentials since my Adobe login was one of millions improperly stored by the company, stolen, and now released publicly. I have had to update numerous passwords after several sites contacted me saying basically, "Hey, we reset your login credentials because your name was on that Adobe list we saw." This was unsettling to say the least and put a bit of a ding in my productivity.

The password must die

Today's "social sign-ons" as offered by Facebook, Google, Twitter and others, offer users a fast, password-free login experience across sites, but have a significant problem. As Dan puts it, "The cost there is that I have to send all of my data, all of my logins through some central third party, usually an American advertising company. We think we should be able to find a way to give you the same login experience as Facebook or Google, but with the ability to still choose who you are."

"Most social auth. systems 'phone home' every time you want to log in," the system is informed of every site I visit and asked to confirm my identity, "Every single login is traceable. Every single login phones home. It's amazing profile data to gain: To see where people are logging in, how often they're logging in there ... But most sites that move to social auth. aren't reaping any benefit from the profile data they get. All they're doing is wanting to have some way to log in where they don't have to worry about storing user passwords, because it is very, very hard to do that," as I had confirmed for me by Adobe recently.

Dan has a message for developers: "There is a 3rd choice. There is something that gives them all of the ease of social auth., but without the privacy downsides, without the limitations. If your users aren't comfortable using Facebook, and that's the only option you give them, you're immediately cutting potential customers out of your site."

Users must own and control their own identities

"Is it worth giving up privacy in order to have convenience, in order to have ease of use? Maybe not." The Persona system establishes users' identities by querying a trusted source (an email provider) using public key cryptography, and then storing that in the browser, not on 3rd party servers. "The browser holds that identity and can show it to a site and the site can validate the email provider's signature and log you in." Your identity provider never knows what you are doing with your identity. "We build this wall between proving your identity and logging in somewhere."

"The core idea behind Persona is that browsers are capable. They have very competent, fast Javascript engines. With facilities like local storage, we can make the browser an active participant in the login transaction. We hope to get this standardized and present it to the W3 and have Firefox support it natively. Right now, we use a Javascript polyfill that works in all browsers, but our ambition is for Persona to be the next standard of authentication on the Internet, built straight in the browser."

Mozilla: open source, open standards

Dan talks about Mozilla's mission as one of ensuring the web remains "an open, pubic resource and that there's a voice for real people and the public interest at the table [in determining] where this medium that is possibly the most transformative and democratizing publishing platform since the printed page ... to ensure that that remains something that is good for all and not just driven by corporate interest. Open source is the only way to achieve that. It's the only way that Mozilla can do what it can do. We're ensuring that we're fighting lock-in; we're ensuring that the web is built on open standards."

By the same token, Dan compares today's mobile OS landscape to the AOL/Compuserve or Microsoft/Netscape divisions of the early Internet. He suggests that the Firefox OS – a web-based OS – for mobile devices could be the answer to breaking down the walls between today's different mobile operating systems.

On Drupal 8

"The Drupal community's split mandate of serving both developers and site builders is extremely fascinating. It is something I haven't seen in other products. It's a unique conversation," going on in Drupal development circles, "It's really fascinating to see the value that this community places on accessibility to non-wizards." :-)

"The entire discussion of moving towards a more object-oriented design for Drupal, and bringing in things like Symfony and more common tools in the PHP world: I can only see that leading to good things for Drupal because it allows easier exchange of information and skills between the Drupal community, the broader PHP community, and between the broader software community. If you are using patterns that are common in the entire industry, you can attract people from all over."