  • The conversation with Mozilla on Friday was interesting. It was mostly a user interview so that they could gather feedback on our experience using Persona for Microcosm, but they also spent some time answering my questions.

    For two-factor authentication it's worth explaining how the protocol works first. When you log in to a site using Persona, this results in the domain that supplies your email account being asked a question, which is essentially "how do I know this user owns this email address?". The domain responds with this file:

    https://developer.mozilla.org/en-US/docs/Mozilla/Persona/.well-known-browserid

    Which tells Persona things like where to redirect the user to identify themselves (e.g. a login page) and some other information about how to verify the identity.

    So if your email address ends with example.org, Persona will hit example.org/.well-known/browserid to fetch that information.

    But if your domain doesn't serve that file, Mozilla provides a "fallback provider" which will authenticate a user with any email address. That's when you get asked for a password in the Persona popup (and you can see your account here: https://login.persona.org/).

    With the new Google Account bridge this doesn't happen - it relies on your login status with Google.

    The upshot is that we can, at some point, implement that fallback provider ourselves (or pay someone else to do it) with two-factor authentication support.

    I don't know the implementation details of the bridge with Google Accounts very well (it is here: https://github.com/mozilla/browserid-sideshow), but it is my suspicion that adding two-factor authentication to that flow would be difficult, and wouldn't add much protection since Google has already verified your identity using two-factor authentication if you have it turned on. So even if we were to implement a fallback authority with two-factor support, it might not do anything if you used a Google Account with it. (see edit though)

    Based on the phone call last week, Mozilla don't have plans to add two-factor authentication to their own fallback provider as they are keen to have email providers do the authentication part.

    Gory details of the provisioning flow are here: https://github.com/mozilla/id-specs/blob/prod/browserid/index.md#identity-provisioning-flow

    I'm just chatting with them again in the irc channel about a few other things so will write them up here as I know more (e.g. Android SDK).

    Edit: the other thing is we could always add two-factor auth with something like Google Authenticator after the Persona bit has finished. Could be a good future option and it wouldn't matter what type of account was used beforehand.
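The discovery and fallback logic described in the comment above, as an added example that is not code from Mozilla, Microcosm or this thread: given an email address it works out which identity provider will actually authenticate the user. The document keys follow the BrowserID spec; the HTTP responses, the gmail.com bridging rule and the delegation hop limit are assumptions made for the example.

```python
"""Which identity provider (IdP) vouches for an email under Persona/BrowserID discovery?
Added example, not code from Mozilla or this thread. Document keys follow the BrowserID
spec; every HTTP response below is a constructed stand-in so the script runs offline."""
import json
FALLBACK_IDP = "login.persona.org"   # Mozilla's fallback provider (from the thread)
BRIDGED_DOMAINS = {"gmail.com"}      # assumed: the fallback hands these to the Google bridge
MAX_DELEGATIONS = 5                  # assumed cap on 'authority' hops; stops loops
REQUIRED_KEYS = ("public-key", "authentication", "provisioning")
# Constructed responses keyed by URL; an absent URL models "domain serves no file".
CONSTRUCTED_RESPONSES = {
    "https://example.org/.well-known/browserid": json.dumps({
        "public-key": {"algorithm": "RS", "n": "<constructed>", "e": "65537"},
        "authentication": "/browserid/sign_in.html",
        "provisioning": "/browserid/provision.html"}),
    # Delegation: mail.example.net points at idp.example.net for its users.
    "https://mail.example.net/.well-known/browserid": json.dumps({"authority": "idp.example.net"}),
    "https://idp.example.net/.well-known/browserid": json.dumps({
        "public-key": {"algorithm": "RS", "n": "<constructed>", "e": "65537"},
        "authentication": "/auth", "provisioning": "/prov"}),
    # Two domains delegating to each other: must be rejected, not followed forever.
    "https://a.test/.well-known/browserid": json.dumps({"authority": "b.test"}),
    "https://b.test/.well-known/browserid": json.dumps({"authority": "a.test"}),
}
def fetch(url):
    """Stand-in for an HTTPS GET: returns the body, or None when nothing is served."""
    return CONSTRUCTED_RESPONSES.get(url)
def resolve_idp(email, fetch=fetch):
    """Return (authority, how), how being 'domain', 'fallback' or 'bridge'. The authority
    is whose login page, and whose 2FA policy, the user meets; the relying party
    (the site using Persona) does not get to pick it."""
    domain = email.rsplit("@", 1)[1].lower()
    hops = [domain]
    for _ in range(MAX_DELEGATIONS):
        body = fetch(f"https://{domain}/.well-known/browserid")   # HTTPS only
        if body is None:                   # no file: Mozilla's fallback takes over
            if hops[0] in BRIDGED_DOMAINS:
                return "google.com", "bridge"   # label only: Google checks the login
            return FALLBACK_IDP, "fallback"
        doc = json.loads(body)
        if "authority" in doc:             # delegated to another domain
            domain = doc["authority"].lower()
            if domain in hops:
                raise ValueError("delegation loop: " + " -> ".join(hops + [domain]))
            hops.append(domain)
            continue
        if any(k not in doc for k in REQUIRED_KEYS):
            raise ValueError(f"{domain}: incomplete browserid document")
        return domain, "domain"
    raise ValueError("too many delegation hops")
```

Whatever the relying party wants, the second factor (if any) lives with the returned authority, which is why a site-side second step after Persona is the only layer the site itself controls.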
