Secure WordPress Logins with Mozilla’s Persona (BrowserID)

Secure WordPress Logins with Mozilla’s Persona (BrowserID)

The Mozilla Persona (BrowserID) plugin allows you to login to WordPress websites without entering a password. You can use any number of email addresses to login to any number of WordPress sites.

WordPress registrations aren’t handled by the plugin, only logins.

BrowserID Example, with Screenshots

Mozilla Persona is simple. You tell Persona what your WordPress user account email address is; Persona sends you an email to verify you own that address; and it logs you in as the WordPress user associated with that email address. Here it is in action…

Step 1

Install and Activate the BrowserID plugin.

Step 2 (optional)

Customize the plugin’s settings. If you skip this step, the default settings will be used, shown in these screenshots.

The BrowserID plugin's wp-admin settings

Step 3

Logout and go back to the Login page to see the Mozilla Persona “Sign in” button.

Mozilla Persona (BrowserID) on WordPress Login Page

Step 4

Click “Sign in” to bring up the Persona login window.

WordPress Mozilla Persona Login pop-up

Step 5

Enter the email address of your wp-admin user account. When prompted, create a password for your Mozilla Persona (BrowserID) account. Then you’ll receive an email at that address to verify you own it. Leave the Persona pop-up window open while you click the email verification link and the pop-up window will close a second later and automatically log you in.

Click the link to verify your ownership of this email address and your intent to use it to sign in to the specified website

Multiple email addresses, Multiple websites to login to

If you have more than one blog to login to but use different email addresses, you can add additional email addresses to the same Persona account while using the same Mozilla Persona password you created before. This avoids having multiple Persona accounts to keep track of.

How does Mozilla Persona work?

“Mozilla Persona (BrowserID)” uses its own secure website (not your WordPress website) as the sign-in server. It keeps you logged in with browser cookies (like your WordPress site does). If you clear your browser cookies, you’ll be signed out of BrowserID.

If you’re signed in to BrowserID, you won’t need to enter a password to login to your WordPress sites. You sign in once to Persona (per web browser, since each browser has its own set of cookies) and then you can sign in to any of your WordPress sites, or any other site that supports BrowserID.

Tip to make sure you use a single Persona account

If you’re signed out of BrowserID and try using it to login to a site you haven’t setup before (e.g. WordPress user email is ‘[email protected]’), I suggest trying to login with your BrowserID email (e.g. ‘[email protected]’) even though you know there’s no WP user with that email address. That way, you’ll be signed in to BrowserID and get a message that your login to the WP site was unsuccessful. Then you can try signing in again and you’ll see the “Add another email” button on the Persona pop-up, and you can go from there. Doing this will ensure you don’t create separate Persona accounts for each email address; thus, you’ll have multiple email addresses to choose from but only need to remember a single Persona account password.

Alternatively, if you don’t want to attempt logging in with this wrong email address, you could just navigate to the Persona account website, add an email address there, and then sign into your website.

BrowserID compared to other 3rd party login solutions

Facebook

The BrowserID solution is very similar to the blue Facebook “Log In” button we see on many sites. However, you don’t need to create a separate Facebook app for each of your WordPress websites.

WP Engine’s MixBoardPortalPanelPress

I previously discussed WP Engine’s MixBoardPortalPanelPress, a free “portal” to register your WP sites. It’s designed for you to have a single place to login — if you need to login to any one of your sites, just login to the WP Engine Portal (with either Facebook or Twitter) and then you can click to be automatically logged in.

The WP Engine Portal is a different approach. If you like having one URL to go to where you can one-click-sign-in to all your sites, WP Engine Portal is probably for you. However, it’s only able to tie to a single WP user per site. Only one user can use WP Engine Portal to sign in because, in the plugin’s settings, you have to tell the plugin which user to log you in as when you come from the Portal.

BrowserID enables multiple users to sign in securely, since WordPress doesn’t allow accounts with duplicate email addresses.

WordPress won't allow duplicate email addresses

If you have multiple users that are all just you with different permissions for testing, you could easily use BrowserID to specify which user to sign in as, based on which email address you tell Mozilla Persona to sign you in as. Unrelated to the BrowserID plugin, I’d also recommend the User Switching plugin if you have this sort of setup.

Mozilla Persona (BrowserID) resources

For more details about Mozilla Persona (BrowserID), visit:

Once you’ve created a login, you can manage your Persona account to add additional email addresses, change your password, and more.

A secure alternative to having your own SSL / HTTPS login

WordPress has the ability to force all logins to use HTTPS, which only works if you have an SSL certificate installed (prices vary, lowest are around $10 per year per site).

The BrowserID plugin provides all of your users a secure sign in alternative even if your site doesn’t have SSL. You really shouldn’t be logging into WordPress over HTTP (i.e. non-SSL), especially with Administrator accounts. If someone snags your login details, they’ll be able to wreak havoc.

I wish…

…that everyone used HTTPS logins or used a secure alternative like BrowserID, Facebook, Twitter, or WP Engine Portal.

…and that the BrowserID plugin allowed me to pick my WordPress username instead of the associated email address (although I understand the Persona system is bigger than just being used for WordPress sites).

I think the BrowserID plugin is an excellent way to provide all of your WordPress users with a secure method of logging in.