[I was at Mozilla during the development of BrowserID but I didn’t work directly on it. I was a huge fan of the effort.]
Besides non-obvious UI issues, there were fundamental issues. One in particular that was very hard to overcome:
Very few people would choose to hide which websites they are logging into from the identity provider. People don’t care whether their IDP can see when/where they are authenticating. That’s assuming they could even understand the issue at all. They have to trust the IDP a lot either way, and this one detail is small, counterintuitive, and even oxymoronic to most people—Trust the IDP 99%, but jump through hoops to avoid trusting them 100%? Why?
There is value in the identity provider knowing when, and from which device, and from which location, and on which websites you are using the identity. Hiding any of this from the IDP hurts security. It is really hard to overcome this in a usable way. A lot of purported solutions implicitly assume users have device and key management abilities that even experts in this area rarely consistently practice.
So, then, are you really better off, i.e. receiving a net positive benefit?
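The trade-off the comment above describes comes from how BrowserID split the two roles: the identity provider signs a short-lived certificate binding an email address to a key held in the browser, and the browser then signs a per-site assertion with that key, so the IdP is never told which site is being logged into. The following is an added illustration of that split, not BrowserID or Persona code; the JSON structures, field names and Ed25519 choice are simplifications assumed here (the real protocol used JWS-style tokens with different claims). Note that the IdP's `Certify` takes no audience parameter: the site name only ever appears in the assertion the IdP never sees.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Certificate is what the IdP hands to the browser: it binds an email address
// to a browser-held public key for a limited time. Illustrative structure, not
// the BrowserID wire format.
type Certificate struct {
	Email  string `json:"email"`
	PubKey []byte `json:"pubkey"`
	Exp    int64  `json:"exp"`
	Sig    []byte `json:"sig,omitempty"` // IdP signature over the other fields
}

// Assertion is produced by the browser, for one site, without contacting the IdP.
type Assertion struct {
	Audience string `json:"aud"` // relying party origin the assertion is meant for
	Exp      int64  `json:"exp"`
	Sig      []byte `json:"sig,omitempty"` // user-key signature over the other fields
}

// payload returns the canonical bytes that are signed: the struct with Sig cleared.
// json.Marshal of a struct is deterministic, so signer and verifier agree.
func payload(v interface{}) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return b
}

// IdP holds the provider's signing key. It learns the user's email and key
// once per certificate, never the sites the certificate is later used on.
type IdP struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIdP() *IdP {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &IdP{Pub: pub, priv: priv}
}

// Certify binds email to userPub until now+ttl. No audience is involved.
func (i *IdP) Certify(email string, userPub ed25519.PublicKey, now time.Time, ttl time.Duration) Certificate {
	c := Certificate{Email: email, PubKey: userPub, Exp: now.Add(ttl).Unix()}
	c.Sig = ed25519.Sign(i.priv, payload(c))
	return c
}

// Browser holds the user's key pair and the certificate obtained from the IdP.
type Browser struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	Cert Certificate
}

func NewBrowser() *Browser {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Browser{Pub: pub, priv: priv}
}

// Assert signs a short-lived assertion for one site; the IdP is not contacted.
func (b *Browser) Assert(audience string, now time.Time, ttl time.Duration) Assertion {
	a := Assertion{Audience: audience, Exp: now.Add(ttl).Unix()}
	a.Sig = ed25519.Sign(b.priv, payload(a))
	return a
}

// Verify is what the relying party runs. It only needs the IdP's public key;
// the audience check is what stops an assertion issued for another site from
// being accepted here, and the expiries bound the replay window.
func Verify(idpPub ed25519.PublicKey, c Certificate, a Assertion, myOrigin string, now time.Time) (string, error) {
	cu := c
	cu.Sig = nil
	if !ed25519.Verify(idpPub, payload(cu), c.Sig) {
		return "", errors.New("certificate signature invalid")
	}
	if now.Unix() >= c.Exp {
		return "", errors.New("certificate expired")
	}
	if len(c.PubKey) != ed25519.PublicKeySize {
		return "", errors.New("certificate carries a malformed key")
	}
	au := a
	au.Sig = nil
	if !ed25519.Verify(ed25519.PublicKey(c.PubKey), payload(au), a.Sig) {
		return "", errors.New("assertion signature invalid")
	}
	if a.Audience != myOrigin {
		return "", errors.New("assertion audience mismatch")
	}
	if now.Unix() >= a.Exp {
		return "", errors.New("assertion expired")
	}
	return c.Email, nil
}

func main() {
	now := time.Now()
	idp, br := NewIdP(), NewBrowser()
	br.Cert = idp.Certify("alice@example.com", br.Pub, now, time.Hour) // constructed sample user
	for _, site := range []string{"https://site-a.example", "https://site-b.example"} {
		email, err := Verify(idp.Pub, br.Cert, br.Assert(site, now, 2*time.Minute), site, now)
		fmt.Println(site, email, err) // two logins, one certificate, zero IdP calls
	}
}
```

One certificate serves any number of sites within its lifetime, which is exactly the property the comment is weighing: the IdP cannot see the audiences, so it also cannot flag an assertion made from an unexpected site or device.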
I believe https://portier.github.io/ was the replacement for Personas/BrowserID, any reason not to use it?
"BrowserID failed in 2016, but WKID won't"
"And the big providers (gmail.com, outlook.com, yahoo.com, icloud.com) will never be supported."
You've changed the definition of "success" here. Why not just launch using Persona rather than RYO? What benefits do you provide over it?