Can someone explain the security implications of Persona? In what ways is it more or less secure than other authentication mechanisms (username/password, two factor auth, etc)? Thanks!
Persona is basically just public-key cryptography, but with a nice interface on top.
What you're really doing when you sign in to your identity provider is getting a certificate, signed by them, and containing a serialized public key (from a keypair generated and stored in your browser).
What you're really doing when "signing in" to a Persona-enabled site is sending them the certificate and a signed assertion, and letting them check all the signatures (public key in the certificate verifies the signature on the assertion, and the provider's public key is obtained to verify the signature on the certificate).
The only entity involved in this who needs to get a password from you is the identity provider, and password auth isn't required for that; it's just an easy and common way to do it. Sites you log into using Persona never ask for, see, or store a password for you.
The certificates are transient (they expire within 24 hours). The assertions generated by your browser are transient (they expire within 5 minutes). The keypairs generated and stored by your browser can be transient (you don't need to use the same keypair each time you sign in to your identity provider), and are tied to a specific email address and browser instance.
The whole thing is also designed to be decentralized. For most people, for now, Mozilla is the identity provider, but you can run your own (relatively easy) or use a trusted third-party provider. All that matters in a provider is that it speaks the protocol.
This means that comparing Persona to "password authentication" or "two-factor auth" is not really a useful question; your provider can use any mechanism you both agree on to verify you and give you a certificate. Though the immediate big win is, of course, that if there's a password involved, only the provider ever handles it, so you don't have to worry about a bunch of sites' password-storage practices, and you may not even have to worry about your provider's (if your provider doesn't use passwords to verify you).
The provider also doesn't know what sites you're signing in to with Persona; they don't receive the assertion from the site you sign into, they just provide a copy of their public key so the site can complete verification.
You don't hand your password to anyone but your email provider - and they can implement two-factor authentication (or anything else they like) - as Gmail have done, for instance.
Which means that 99% of sites don't need to worry about security for passwords, and you don't need to worry that your password has been stolen by hackers and now they're trying that same password on every site you might have ever used.
It's also decentralised, so there's no tracking of what sites you've logged in to. (Or, at least, it will be, once email providers implement IDPs themselves rather than using the Mozilla fallback). And the way the certification works, the IDP has no idea what sites you're signing into, so you're safe from that too.
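An added example, not code from this thread or from Mozilla, showing the site-side check the first answer describes: the provider's key verifies the certificate, the key inside the certificate verifies the assertion, and both lifetimes (24 hours, 5 minutes) are enforced. Ed25519, the JSON layout, the function names and the example.org/example.com values are assumptions standing in for the real BrowserID wire format; the audience field exists in BrowserID but is not mentioned above.

```javascript
const crypto = require('node:crypto');

const CERT_TTL_MS = 24 * 60 * 60 * 1000; // certificates: 24 hours (per the thread)
const ASSERTION_TTL_MS = 5 * 60 * 1000;  // assertions: 5 minutes (per the thread)

// Sign a JSON payload; returns { payload, sig } as strings (simplified layout).
function signed(obj, privateKey) {
  const payload = JSON.stringify(obj);
  return { payload, sig: crypto.sign(null, Buffer.from(payload), privateKey).toString('base64') };
}

function checkSig({ payload, sig }, publicKey) {
  return crypto.verify(null, Buffer.from(payload), publicKey, Buffer.from(sig, 'base64'));
}

// Identity provider: certify the browser's public key for one email address.
function issueCertificate(idpPrivateKey, issuer, email, browserPublicKey, now) {
  const pub = browserPublicKey.export({ type: 'spki', format: 'der' }).toString('base64');
  return signed({ iss: issuer, email, pub, exp: now + CERT_TTL_MS }, idpPrivateKey);
}

// Browser: sign a short-lived assertion bound to one site (the audience).
function makeAssertion(browserPrivateKey, audience, now) {
  return signed({ aud: audience, exp: now + ASSERTION_TTL_MS }, browserPrivateKey);
}

// Relying site: check both signatures, both expiries and the audience.
// idpPublicKey is assumed to have been fetched from the provider beforehand.
function verifyLogin(cert, assertion, idpPublicKey, myOrigin, now) {
  if (!checkSig(cert, idpPublicKey)) return { ok: false, reason: 'bad certificate signature' };
  const c = JSON.parse(cert.payload);
  if (now >= c.exp) return { ok: false, reason: 'certificate expired' };
  const browserKey = crypto.createPublicKey({ key: Buffer.from(c.pub, 'base64'), format: 'der', type: 'spki' });
  if (!checkSig(assertion, browserKey)) return { ok: false, reason: 'bad assertion signature' };
  const a = JSON.parse(assertion.payload);
  if (now >= a.exp) return { ok: false, reason: 'assertion expired' };
  if (a.aud !== myOrigin) return { ok: false, reason: 'audience mismatch' };
  return { ok: true, email: c.email }; // the site never saw a password
}

// Constructed demo: fresh keys, placeholder names, login one minute after signing.
function demo(now = Date.now()) {
  const idp = crypto.generateKeyPairSync('ed25519');
  const browser = crypto.generateKeyPairSync('ed25519');
  const cert = issueCertificate(idp.privateKey, 'idp.example.org', 'alice@example.org', browser.publicKey, now);
  const assertion = makeAssertion(browser.privateKey, 'https://site.example.com', now);
  return verifyLogin(cert, assertion, idp.publicKey, 'https://site.example.com', now + 60000);
}
```

Note that the provider takes no part in `verifyLogin` beyond supplying its public key, which is why it does not learn which site is being signed into.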