The fallback identity provider (at login.persona.org) does use email for password resets, but other identity providers will likely use other mechanisms.
I hope so, but why not do the right thing in the default identity provider?
Lately, there have been tons of high-profile hacks that boiled down to taking control of a victim's email and resetting passwords to other accounts. What seems to be the best response possible from web developers? Is it:
a) Demand that all your users use Gmail with enabled two-factor authentication, then smugly blame them for all security issues if they don't.
b) Stop using emails for password resets, since you don't really know how trustworthy your users' email providers are.
One of the ways crackers gain access to a user's email is by guessing their password, a simple task when a huge number of users use the same password everywhere. With Persona, only your email provider (and the persona.org fallback) have your password (two passwords in the case of the fallback), hashed or not.
If you're already a password ninja and use a different and unpredictable password on every different site without forgetting them, Persona isn't an improvement in security. If you don't, as most users don't, Persona makes authentication more secure and more user-friendly at the same time.
With Persona, your weakest point would still be your email provider, which is why it would still be wise to recommend two-factor authentication for your email.
If you're already a password ninja and use a different and unpredictable password on every different site without forgetting them, AND you have enabled two-factor authentication with your email provider, Persona IS an improvement in security. This is because, with Persona, having two-factor authentication for your email would automatically mean two-factor authentication for all your websites as well.
I use Two-Factor Authentication across a lot of my accounts. I feel a lot more secure when I can telesign into my account. If you have that option available to you, use it; it is worth the time and effort to have the confidence that your account won't get hacked and your personal information isn't up for grabs. If you opt into 2FA, you will have to "Confirm your phone". You would receive a text message with a specific code to be entered into the system. If you don't want to do this every single time, you can designate your smartphone, PC, or tablet as a trusted device and they will allow you to telesign in without the text code. Should an attempt to login from an unrecognized device happen, it would not be allowed.
Your last point is not completely accurate; with Persona and 2-factor auth on your email account, you would then have verified ownership of your email account via 2-factor authentication. This doesn't mean that every assertion generated by your Persona account will have been generated with 2-factor auth.
Because it's not the "default" identity provider, it's the "fallback" identity provider.
They're trying to define an open standard which would end up with any number of identity providers. The goal is something that can bootstrap the system into usage.
As far as what to do about users? You can't fix the problem. Nothing is going to be 100% secure, and the flesh is always going to be the biggest weakness if the machine has been well designed.
If you really want conjecture on it, though, I would suggest you first ask "Is this something tied to a citizen's identity, or an online identity?", because most things that process fiat currency in any capacity will fall into the former, and should probably merit a recovery system outside of email.
I would argue, however, that anything falling into the latter should be handled with email.
Public key crypto has many usability problems, but it solves a lot of other problems. I wish some of the big mail providers like Google would throw some money and people at it.
That depends on the kind of services they provide. The simplest options that come to mind are nothing (like this website) or a printed reset code with owner notification on use and a 1-day wait period. At the very least they can allow power users to disable password resets when they want.
Nothing is extremely painful for a federated identity protocol (although I think it should be a clear option for those of us who take these things seriously!). Printed reset codes are part of the way there, but how many people will actually save or print out the file?
SMS confirmation is another mechanism, and one that is viable in most of the world, but has a different set of risks.
I think a combination of these are a good approach, but this is a really tough problem in the identity space, and if you have any suggestions on how to improve it in a way that is viable for a large user base, your feedback would be greatly appreciated!
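One way the printed-reset-code scheme discussed above (one-time codes, owner notification on use, a waiting period the owner can cancel, and an opt-out for power users) could be implemented. This is an added example, not code from the thread or from Persona; the `Account` structure, the 24-hour constant and the `notify` callback are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, List, Optional

WAIT_SECONDS = 24 * 3600  # assumed 1-day wait before a started reset takes effect


@dataclass
class Account:
    email: str
    resets_enabled: bool = True                      # power users may opt out entirely
    code_hashes: List[str] = field(default_factory=list)  # only hashes of printed codes are stored
    pending_reset: Optional[dict] = None             # {"started": unix_ts} while a reset is in progress


def _hash(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def issue_reset_codes(acct: Account, n: int = 5) -> List[str]:
    """Generate printable one-time reset codes; the clear codes are shown once, never stored."""
    codes = [secrets.token_hex(8) for _ in range(n)]
    acct.code_hashes = [_hash(c) for c in codes]
    return codes


def begin_reset(acct: Account, code: str, now: int, notify: Callable[[str, str], None]) -> str:
    """Step 1: redeem a code. Consumes it, notifies the owner and starts the wait period."""
    if not acct.resets_enabled:
        return "disabled"
    h = _hash(code)
    match = next((s for s in acct.code_hashes if hmac.compare_digest(s, h)), None)
    if match is None:
        return "invalid"
    acct.code_hashes.remove(match)          # one-time use: a reused code is rejected
    acct.pending_reset = {"started": now}
    notify(acct.email, "A password reset was started; it completes in 24h unless you cancel it.")
    return "pending"


def cancel_reset(acct: Account) -> None:
    """The notified owner can abort a reset they did not start."""
    acct.pending_reset = None


def complete_reset(acct: Account, now: int) -> str:
    """Step 2: succeeds only after the wait has elapsed and the owner has not cancelled."""
    p = acct.pending_reset
    if p is None:
        return "none"
    if now - p["started"] < WAIT_SECONDS:
        return "waiting"
    acct.pending_reset = None
    return "reset"
```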