The Mozilla Foundation, creators of the FireFox suite of Web tools has announced the new Identity Management system called BrowserID. According to Mozilla BrowserID wil make passwords a thing of the past and unique identification as easier as verifying your email address.
BrowserID unlike the competing OpenID allows users to use multiple IDs for different sites and removes the indentity provider out of your session, increasing the level of privacy available to uers. Mozilla spokesmen say thee are three major goals for BrowserID including:
- Decentralized - A user's authentication to a website occurs in relative isolation. No network transactions with third parties are needed, so it is efficient and privacy-protecting. Additionally, any email address may be used, and any email provider may provide first class BrowserID support for their users.
- Ownership-Based Authentication - In BrowserID, the browser manages authentication material which can be used without a password - making authentication with BrowserID more reliant on ownership factors, and less on knowledge factors.
- Usable today, and better tomorrow - An HTML5 implementation provides a functional system today, and BrowserID is designed with adoption by browser vendors in mind. Native support in browsers will afford improvements in both user experience and security.
BrowserID uses asymmetric cryptography and digital signatures to allow browsers to create signed assertions about the user's identity, and by identity providers to vouch (via signing of a key-email pair) for a user's identity in a disconnected fashion. BrowserID uses cross document messaging to communicate between documents served from different domains, which makes a usable implementation of BrowserID possible right now without modifications to existing browsers.
These features mean that BrowserID will support every platform by using a Public\Private key Pair. The ISP or identity manager retains the Public Key while the Private key is kept on the user's system. By querying this key, the web site can authenticate users without a need for maintaining passwords; a major source of security issues on the Internet at present with users choosing easily decyphered passwords. This will remove the need for complexity checks and salted passwords.
A system like this may have prevented the recent spree of hacks by the group known as Anonymous (LulzSec\Anti-Sec) by requiring the email of the user which will be unique and verifiable by simple Telnet commands.
Many projects are already underway to enable BroswerID on sites like WordPress and languages such as PHP. Mozilla promises to eable every type of alternate authenication a spossible so that sites can use oth BrowserID and traditional login methods. I feell that this is a boon for security and privacy on an Internet fraught with pitfalls. And to keep witht he Open Source nature of FireFox, the system will work with all major browserws with no changes.