"For improved protection, we are working on two-factor authentication in future beta versions," Adida said. Two-factor authentication requires something the user knows, like a password, and something the user has, like a hardware device or a mobile phone. Without having both of these elements, an attacker cannot gain access to an account.
Mozilla has also implemented a session protection mechanism in order to limit the security risks that can arise if a user's laptop is stolen while he's still logged into persona.org or if a user forgets to log out of persona.org after using a public computer.
"Users simply need to go change their password from any other computer, and any existing Persona sessions are then locked out and can no longer be used to authenticate the user," Adida said.
"When a user enters their Persona password on a computer they haven't used before, the session is initially just 5 minutes long," he said. "Extending it requires typing in the password again, at which point we prompt the user to tell us whether this computer is theirs or is public."
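The session rules described above can be modeled in a few lines. This is an added example, not Mozilla's Persona code: the class and method names are hypothetical, password checking is a caller-supplied hook, and every duration other than the 5-minute initial window is an assumed value.

```javascript
// Added example: a model of the session policy the article describes.
const MINUTE = 60 * 1000;
const INITIAL_TTL = 5 * MINUTE;                // from the article
const PUBLIC_TTL = 60 * MINUTE;                // assumption: short on public machines
const OWN_DEVICE_TTL = 30 * 24 * 60 * MINUTE;  // assumption: long on the user's own machine

class SessionPolicy {
  // verifyPassword(user, password) -> boolean is supplied by the caller.
  // now() -> milliseconds is injectable so expiry can be exercised in tests.
  constructor(verifyPassword, now = Date.now) {
    this.verifyPassword = verifyPassword;
    this.now = now;
    this.epochs = new Map(); // user -> number of password changes so far
  }

  currentEpoch(user) {
    return this.epochs.get(user) || 0;
  }

  // First password entry on an unfamiliar computer: a 5-minute session only.
  login(user, password) {
    if (!this.verifyPassword(user, password)) return null;
    return { user, epoch: this.currentEpoch(user), expiresAt: this.now() + INITIAL_TTL };
  }

  // Extending requires the password again plus the "mine or public?" answer.
  extend(session, password, deviceIsOwn) {
    if (session.epoch !== this.currentEpoch(session.user)) return null; // revoked
    if (!this.verifyPassword(session.user, password)) return null;
    const ttl = deviceIsOwn ? OWN_DEVICE_TTL : PUBLIC_TTL;
    return { ...session, expiresAt: this.now() + ttl };
  }

  // Call after a successful password change: bumping the epoch locks out
  // every session issued under the old password, on any computer.
  passwordChanged(user) {
    this.epochs.set(user, this.currentEpoch(user) + 1);
  }

  // Check on every request: the session must be unexpired and must have
  // been issued under the user's current password.
  isValid(session) {
    return session !== null &&
      session.epoch === this.currentEpoch(session.user) &&
      this.now() < session.expiresAt;
  }
}
```

Storing a per-user counter in each session means a password change revokes all sessions at once without the server having to enumerate them.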
Persona still has a long way to go before it becomes a practical authentication alternative. First of all, Mozilla needs to convince website developers and important Web service providers to adopt the system and offer it as an option on their websites. To facilitate this, a new and easier-to-use Persona API (application programming interface) was launched in August.
"If you are a developer, now is the time to try Persona out. Persona is an open source project and we gladly welcome input and collaboration from the broader community via our mailing list or our IRC channel," the Mozilla Identity team said Thursday in a blog post.