You are reading a single comment by @Velocio and its replies.
http://www.opine.me/mozilla-persona-browserid-is-a-step-in-the-wrong-direction/
To be fair I don't know if the author is a security expert. He might be a total numpty on security matters for all I know.
@Velocio One of the main criticisms of Persona from the security types is that it uses a pop up window for authentication. It gets users used to trusting and typing in their passwords into popup windows, which they shouldn't. I'm curious to know why you think that that is not only a positive, but a necessity.
The other issue is that it uses JavaScript, cookies or local storage, none of which are that secure and all of which can be spoofed. I'm no expert on server and security matters, but I understand that it is not as secure as a form posting directly to a back-end API that performs its own authentication with the server. What is your take on that?
Also, does the fact that Mozilla have abandoned Persona development concern you?