A new authentication system from Mozilla, dubbed BrowserID, promises to cover basic authentication needs, but its success depends heavily on adoption.
Mozilla wants to simplify signing in to websites by using only an email address, with no separate user ID or password to enter. The new authentication solution is called BrowserID. An email address is verified only once, at the beginning, by the email provider or by an authentication authority through the mechanism of its choice: hardware tokens, biometrics, cryptographic keys or, for example, a message sent to the user’s inbox containing a link; when the user clicks the link, the user is established as the owner of that address. A user can register multiple email addresses. Later, when logging in to a website, the user is shown the list of addresses he has validated, picks one, and clicks the Login button. No ID and no password are needed, and no extra authentication dialog from an OpenID provider appears. The BrowserID login process can be tested here.
BrowserID is based on a new protocol called the Verified Email Protocol. At its core the protocol revolves around the email address as the identifier, instead of creating new user identities. A user gets an email address from an email provider he or she trusts and, if the provider supports BrowserID, the browser creates a public-private key pair. The browser keeps the private key and hands the public key to the provider, which signs a certificate binding the email address to that public key. When logging in to a website, the browser presents one or more email addresses that have previously been validated with one or more providers; the user chooses one, and the browser signs an identity assertion with the corresponding private key and sends it, together with the provider’s certificate, to the website. The website verifies the assertion by fetching the provider’s public key and checking the chain: the provider’s signature over the certificate, then the browser’s signature over the assertion. Of course, the website needs to trust that provider. If the assertion is valid, the user is accepted and logged in.
If the email provider does not want to implement the protocol, or is not reliable, a secondary authority can verify the address and hold the public key instead. This web page contains more details on the whole authentication process and covers related topics: identity assertions and key expiration, using multiple devices and synchronization, pseudonymous addresses, etc.
Dan Mills from Mozilla Labs says that BrowserID is better than other sign-in systems because it “does not leak information back to any server (not even to the BrowserID servers) about which sites a user visits.” Also, it can be used with any modern browser, including mobile ones. Current implementations are done with HTML and JavaScript, but “the system is designed to seamlessly integrate into future browsers”. While developers have little work to do to implement BrowserID for a website, the project hinges on large-scale adoption by email providers or secondary authorities. BrowserID is currently an experimental project, and its success depends on how the web, and especially the big players, react to Mozilla’s proposal. BrowserID might turn out to be a simple solution to the complex authentication problem, especially since OpenID seems to have some problems at the moment.