Sunday, July 17, 2011

Mozilla's BrowserID to eliminate passwords, substitute email addresses

The weakest link in most user authentication schemes is the end user, who cannot remember complex, unique passwords. What users can remember, however, is their email address, and that is where a new authentication scheme developed by Mozilla comes in: BrowserID.

The first time you use it, BrowserID works as follows: you click a sign-in button at a BrowserID-enabled site and are redirected to the BrowserID site. There, you sign up for an account by entering your email address and a new master password. You then receive a verification email and click the link it contains.

From that point on, clicking the sign-in button at any BrowserID-enabled site lets you log in with your verified email address simply by selecting it from a menu. That is also the answer to keeping multiple identities: verify more than one address and you can log in with any of them.
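The sign-in flow above hides what actually changes hands: the email provider (or the BrowserID site acting on its behalf) signs a short-lived certificate binding your verified address to a key your browser generated, and for each site your browser signs an assertion naming that site and an expiry. The site then checks the whole chain. The following is an added example written for this page, not Mozilla's code: it models that three-party exchange with Ed25519 keys (BrowserID used RSA/DSA), an in-memory map of provider keys in place of fetching each provider's well-known document, and made-up names such as example.org, alice@example.org and rp.example. The audience check is what stops one site from replaying your login at another.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Certificate is the payload the email provider (IdP) signs after the user has
// proven control of the address: it binds the email to a browser-generated key.
type Certificate struct {
	Email   string `json:"email"`
	UserPub string `json:"user_pub"` // base64url Ed25519 public key
	Issuer  string `json:"iss"`      // domain of the provider that signed it
	Exp     int64  `json:"exp"`      // unix seconds
}

// Assertion is the payload the browser signs for one relying party.
type Assertion struct {
	Audience string `json:"aud"` // origin of the site being logged into
	Exp      int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// signToken encodes v as base64url(JSON) "." base64url(signature), a JWS-like shape.
func signToken(v interface{}, priv ed25519.PrivateKey) string {
	body, _ := json.Marshal(v)
	enc := b64.EncodeToString(body)
	return enc + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(enc)))
}

// decodePayload reads a token's payload WITHOUT checking its signature; callers
// may only trust the result after openToken has verified the same token.
func decodePayload(tok string, out interface{}) error {
	parts := strings.Split(tok, ".")
	if len(parts) != 2 {
		return errors.New("malformed token")
	}
	body, err := b64.DecodeString(parts[0])
	if err != nil {
		return err
	}
	return json.Unmarshal(body, out)
}

// openToken verifies the signature with pub, then unmarshals the payload.
func openToken(tok string, pub ed25519.PublicKey, out interface{}) error {
	parts := strings.Split(tok, ".")
	if len(parts) != 2 {
		return errors.New("malformed token")
	}
	sig, err := b64.DecodeString(parts[1])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]), sig) {
		return errors.New("bad signature")
	}
	return decodePayload(tok, out)
}

// IssueCertificate is the provider step (constructed here; a real IdP would
// first run the email verification described above).
func IssueCertificate(idpPriv ed25519.PrivateKey, issuer, email string, userPub ed25519.PublicKey, exp time.Time) string {
	return signToken(Certificate{Email: email, UserPub: b64.EncodeToString(userPub), Issuer: issuer, Exp: exp.Unix()}, idpPriv)
}

// MakeBackedAssertion is the browser step: sign an assertion for one site and
// prepend the certificate so the site receives the whole chain.
func MakeBackedAssertion(cert string, userPriv ed25519.PrivateKey, audience string, exp time.Time) string {
	return cert + "~" + signToken(Assertion{Audience: audience, Exp: exp.Unix()}, userPriv)
}

// VerifyBackedAssertion is the relying-party step. idpKeys maps a provider's
// domain to its public key (stand-in for fetching it from the provider); audience
// is this site's own origin; now is injected so expiry checks are testable.
func VerifyBackedAssertion(backed string, idpKeys map[string]ed25519.PublicKey, audience string, now time.Time) (string, error) {
	parts := strings.Split(backed, "~")
	if len(parts) != 2 {
		return "", errors.New("malformed backed assertion")
	}
	var peek Certificate // unverified, used only to pick the issuer's key
	if err := decodePayload(parts[0], &peek); err != nil {
		return "", err
	}
	idpPub, ok := idpKeys[peek.Issuer]
	if !ok {
		return "", fmt.Errorf("unknown issuer %q", peek.Issuer)
	}
	var cert Certificate
	if err := openToken(parts[0], idpPub, &cert); err != nil {
		return "", fmt.Errorf("certificate: %w", err)
	}
	// Only the provider of the address's own domain may vouch for it.
	if at := strings.LastIndex(cert.Email, "@"); at < 0 || cert.Email[at+1:] != cert.Issuer {
		return "", errors.New("issuer is not the provider of this email")
	}
	if now.Unix() >= cert.Exp {
		return "", errors.New("certificate expired")
	}
	userPub, err := b64.DecodeString(cert.UserPub)
	if err != nil || len(userPub) != ed25519.PublicKeySize {
		return "", errors.New("bad user key in certificate")
	}
	var a Assertion
	if err := openToken(parts[1], ed25519.PublicKey(userPub), &a); err != nil {
		return "", fmt.Errorf("assertion: %w", err)
	}
	if a.Audience != audience {
		return "", fmt.Errorf("assertion is for %q, not %q", a.Audience, audience)
	}
	if now.Unix() >= a.Exp {
		return "", errors.New("assertion expired")
	}
	return cert.Email, nil
}

func main() {
	// Constructed demo: one provider, one browser key pair, one relying party.
	idpPub, idpPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	cert := IssueCertificate(idpPriv, "example.org", "alice@example.org", userPub, now.Add(24*time.Hour))
	backed := MakeBackedAssertion(cert, userPriv, "https://rp.example", now.Add(2*time.Minute))
	keys := map[string]ed25519.PublicKey{"example.org": idpPub}
	fmt.Println(VerifyBackedAssertion(backed, keys, "https://rp.example", now))
	// The same assertion presented to another site fails on the audience check.
	fmt.Println(VerifyBackedAssertion(backed, keys, "https://evil.example", now))
}
```

Two details are worth keeping in mind when reading it: the certificate is the only place the user's key meets the email address, so a site that skips the issuer-matches-domain check would accept any provider vouching for any address; and the assertion expiry is deliberately short, since the certificate, not the assertion, is what the user keeps between logins.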

You can run through a demo of the process, provided by Mozilla, at; a video tutorial is below.

Think of it as Facebook Connect without the Facebook. There are plenty of questions to be answered, however. While the technology is not Firefox-specific (nice of Mozilla), there is the question of whether email providers will see a good reason to sign on to a new authentication scheme.

Additionally, how would it work if, say, your spouse needs to be able to log in to a joint bank account? How will BrowserID work in that case? With a traditional username and password you simply share them, but in this case ... ?

And even though it works just fine with Gmail (we tried it, and with multiple accounts), until there are more sites using it, it is mostly just a curiosity.

There is also the problem that if your email account is compromised, so is your BrowserID account. Of course, the way things work nowadays, most people reuse the same passwords over and over, so if someone learns the password to your email account, for many people they have the password to every other account as well.

In other words, losing control of your email address without BrowserID is, for many folks, just as bad as it would be with BrowserID.
