  • @Velocio One of the main criticisms of Persona from the security types is that it uses a pop up window for authentication. It gets users used to trusting and typing in their passwords into popup windows, which they shouldn't. I'm curious to know why you think that that is not only a positive, but a necessity.

    The other issue is that it uses JavaScript, cookies or local storage, none of which are that secure and all of which can be spoofed. I'm no expert on server and security matters, but I understand that it is not as secure as a form posting directly to a back-end API that performs its own authentication with the server. What is your take on that?

    Also, does the fact that Mozilla have abandoned Persona development concern you?

  • One of the main criticisms of Persona from the security types is that it uses a pop up window for authentication

    Do you have citations of this from security experts?

  • One of the main criticisms of Persona...

    Every site you log in to has a list of potential vulnerabilities as long as your arm. The only sensible thing to do, whether this site uses the irritating persona method or the lovely old 'form on every page', is to have a separate user name and password for every site. That way, if your LFGSS login is hacked, you only have to suffer the mild embarrassment of being impersonated here.
