I am a technical user. I just don't want to wade through source code or watch 1-hour-long videos to understand why this is supposedly secure. I can accept that not telling ID providers where users are logging in enhances their privacy (whether they care or not is debatable). However, I do not see why accounts are protected better, especially compared to different passwords for every site.
What is my identity tied to? The browser and the given e-mail address? Can anyone who has access to these fake my identity? What countermeasures can I take if that happens? A simple password change is probably out of the question. Such are the questions I'd like to be able to answer, but with the provided, easily accessible information, I cannot.
To be fair, if you want to understand why something is supposedly secure, you will have to spend some time :)
Let's see if I can help.
Your identity is tied to your ability to prove that you own an email address. You can do that by clicking a confirmation link we send you. Or, as of Beta2 (today!), you can do that by having your domain implement the Persona Identity Provider API, where your domain publishes a public key and issues certificates to you based on that public key, which you can then use to sign in to web sites. Also as of today, we do that for Yahoo users by bridging to Yahoo OpenID, so basically Persona is an OpenID client to Yahoo, gets Yahoo to vouch for your email, and based on that issues you a Persona certificate (backed by our public key) for your email address.
But whatever way you go, it's about proving you own an email address and obtaining a certificate for it.
Yes, someone who has access to your browser can fake your identity if you don't lock your browser/OS, but that's nothing new. In fact, the simple password change is how we mitigate that. As soon as you change your password, we invalidate all sessions on all devices. Certificates last only a few hours, so they'll be disabled quickly too.