You could say the same about any traditional username/password signup that sends a confirmation email and allows you to reply to an email to reset your password. Ultimately, that's just relying on the security of your email, too. So while you are correct that Persona doesn't solve that problem, it doesn't make that problem any worse compared to the default option of an email-confirmed username and password.
I think that's what the parent post was getting at. Originally email was just used for exchanging messages; now that most sites use it to authenticate a user, there is a much higher cost to losing access to it or having it hacked.
Considering that it's a new protocol, why not try to solve that old problem? At the very least, they could allow you to disable email-based password reset in favor of a printed code. That would be a smart thing to do.
You would get a random code, or several codes, that you print out and put in a safe place. If you ever forgot your password, you would dig it out and supply it to the website to trigger a reset (which could include or not include email-based verification). The codes would only be usable for password resets.
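As an added example (not code from the original thread or from Persona), here is how the printed recovery-code scheme described above could be implemented server side: random high-entropy codes are shown to the user once, only salted hashes are stored, each code is consumed on first use, and redeeming one yields a ticket that is good for a password reset and nothing else. The email-verification step mentioned above is left to the caller. The code count, code length, ticket lifetime and all function names are assumptions made for this illustration.

```python
"""Printed one-time recovery codes for password reset (illustrative example)."""
import hashlib
import hmac
import secrets
import time

CODE_COUNT = 8          # codes issued per account (assumed value)
CODE_BYTES = 10         # 80 bits of randomness per code (assumed value)
RESET_TICKET_TTL = 600  # seconds a redeemed code's reset ticket stays valid (assumed)


def _normalize(code: str) -> str:
    """Accept what a user types from a sheet of paper: ignore case, dashes, spaces."""
    return "".join(ch for ch in code.upper() if ch.isalnum())


def _hash_code(salt: bytes, normalized: str) -> bytes:
    """Codes are random and high-entropy, so a salted SHA-256 is sufficient here;
    the per-code salt only stops one leaked table being matched against another."""
    return hashlib.sha256(salt + normalized.encode()).digest()


def _format(raw_hex: str) -> str:
    """Group the hex into 4-character chunks so it is readable when printed."""
    return "-".join(raw_hex[i:i + 4] for i in range(0, len(raw_hex), 4))


def generate_recovery_codes(count: int = CODE_COUNT):
    """Return (codes_to_print, records_to_store).

    The plaintext codes are displayed exactly once, for printing. Only the salted
    hashes are kept server side, each flagged so it can be consumed a single time."""
    codes, records = [], []
    for _ in range(count):
        code = _format(secrets.token_hex(CODE_BYTES).upper())
        salt = secrets.token_bytes(16)
        codes.append(code)
        records.append({
            "salt": salt,
            "hash": _hash_code(salt, _normalize(code)),
            "used": False,
        })
    return codes, records


def redeem_recovery_code(records, submitted: str):
    """Consume one unused code.

    Returns a ticket usable only to start a password reset, or None on failure.
    Every record is hashed and compared so timing does not reveal which index
    (if any) matched, and compare_digest avoids early exit on the hash bytes."""
    normalized = _normalize(submitted)
    matched = None
    for rec in records:
        candidate = _hash_code(rec["salt"], normalized)
        if hmac.compare_digest(candidate, rec["hash"]) and not rec["used"]:
            matched = rec
    if matched is None:
        return None
    matched["used"] = True  # single use: a photographed sheet buys one reset per code
    return {
        "purpose": "password_reset",  # explicitly not a login session
        "token": secrets.token_urlsafe(32),
        "expires_at": time.time() + RESET_TICKET_TTL,
    }
```

The returned ticket is what the reset form would accept in place of (or in addition to) an emailed link; because the record is marked used before the ticket is handed out, a replayed code fails even if the first reset is never completed.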
Yes, most authenticated web services offer a "forgot password" option, and their security is thus tied to your email account. However, each one of these decentralized services on its own is not as valuable as the entire ecosystem of Persona-enabled sites will be.
That is, the Persona "forgot password" is a single point of failure which, if compromised, can provide access to a whole ecosystem of sites. And it will be tied to your email account.
I'm still not seeing a distinction. Your email account is already a single point of failure for every account registered with that email that has a "forgot password" feature.
Maybe it would help if we considered two hypothetical scenarios. A: Your email is compromised, and you're registered on 15 websites with that email, each of which has a "forgot password" option. B: Your email is compromised, and you've used Persona to sign into 15 websites. In what concrete, practical way is B a more damaging situation than A?
Great point! And the recovery process is much easier in the Persona case... because you only have to fight to get back your Persona account. Today you'll have to
1) Fight to get your email account back
2) Visit each and every site and manually recover your account