Persona is no longer actively developed by Mozilla. Mozilla has committed to operational and security support of the persona.org services until November 30th, 2016.
On November 30th, 2016, Mozilla will shut down the persona.org services. Persona.org and related domains will be taken offline.
If you run a website that relies on Persona, you need to implement an alternative login solution for your users before this date.
For more information, see this guide to migrating your site away from Persona:
https://wiki.mozilla.org/Identity/Persona_Shutdown_Guidelines_for_Reliers
It's a good idea to allow your users to add extra email addresses to their account. This enables users to change their email addresses, and to access their account with you even if they are unable to access their primary email account.
You'll need to verify the extra address. You can do this manually, by sending an email to the new address containing a verification link, or by using Persona itself.
If you use Persona to add email addresses, then you need to be aware of a couple of things: make the context of the request clear, and update the value you pass into loggedInUser to ensure that the transaction isn't broken by Persona's session management.
Clarify the context of the request
When you request a new assertion using either the old navigator.id.get() API or the navigator.id.request() API, Persona expects that the user is trying to sign into a website, and the user interface it displays reflects that. If you are using Persona just to get a new verified email address, your site needs to make this clear to users, so they are not confused by the Persona dialog.
Update loggedInUser
If you're using the navigator.id.get() API in the rest of your site, then you can just make a new navigator.id.get() call to get the extra email address.
But if you use navigator.id.request(), then you must also use navigator.id.request() to get the extra email address. In this case, when you have verified the assertion inside your onlogin handler, you must update the loggedInUser argument to navigator.id.watch() with the new email address.
If you don't do this, then there will be a mismatch: Persona will think the logged-in user is [email protected], but your website will be telling it that the logged-in user is [email protected]. In response, Persona will fire onlogin with an assertion for [email protected], which your website will probably interpret as a new user signing up.
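The loggedInUser update described above, as an added example that is not Mozilla's or Persona's own code: id stands in for navigator.id, while verify, account and fakePersona are hypothetical names and all addresses used with them are constructed. Re-calling watch() is this example's way of passing the updated value and is an assumption; a site that renders loggedInUser server-side would emit the new value on the next page load.

```javascript
// Added example. `id` stands in for navigator.id; `verify` (the server-side
// assertion check, returning the verified email or null) and `account` are
// hypothetical names. Email addresses used with it are constructed.
function createEmailLinker(id, verify, account) {
  let addingEmail = false; // set only when the user chose "add an address"
  const log = [];          // decision taken for each assertion

  function watch() {
    id.watch({
      loggedInUser: account.loggedInUser, // must agree with Persona's own view
      onlogin(assertion) {
        const email = verify(assertion);
        const wasAdding = addingEmail;
        addingEmail = false; // the intent is single-use
        if (!email) {
          log.push("rejected");
        } else if (wasAdding) {
          if (!account.emails.includes(email)) account.emails.push(email);
          account.loggedInUser = email; // the update the page requires
          log.push("added " + email);
          watch(); // hand Persona the new loggedInUser value
        } else {
          const known = account.emails.includes(email);
          log.push((known ? "signin " : "signup ") + email);
        }
      },
      onlogout() { account.loggedInUser = null; },
    });
  }

  return { log, start: watch, addEmail() { addingEmail = true; id.request(); } };
}

// Constructed stand-in for Persona's session logic so the flow runs offline:
// it fires onlogin whenever loggedInUser differs from the user it has on record.
function fakePersona(current, nextEmail) {
  let handlers = null;
  const sync = () => {
    if (current && handlers.loggedInUser !== current) {
      handlers.onlogin("assertion:" + current);
    }
  };
  return {
    watch(opts) { handlers = opts; sync(); },
    request() { current = nextEmail; sync(); },
  };
}
```

With the update in place, adding an address produces a single "added" decision; a stale loggedInUser makes the stand-in fire onlogin again, and a site that had not recorded the address would log it as a signup.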