I think Persona is great and can be the right choice for many scenarios. Browser support, the JS requirement, and the reliance on email (whereas tokens can e.g. be distributed via text message) might however be points that convince developers to go with one-time passwords.
Persona is just a protocol, though; it's implicitly supported by all browsers. Though in-browser auth (which is the ideal case) is only in Firefox so far...
> JS requirement
Granted. Though theoretically, you don't need JavaScript.
> reliance on email
Granted again, but this is a completely acceptable tradeoff for 99% of services which will require an email and usually even use it as the user's identification.
Still not sold, but I'll keep your solution in mind. Thanks for alternatives! :)