From the director's office
I mostly blog about the Joomla! Content Management System, business networking, and other geeky subjects which I think are interesting.
An alternative to multiple usernames and passwords for websites? Mozilla suggests token-free BrowserID system
Calling it BrowserID, Mozilla announced this week that an alternative way of identifying with websites was in the pipeline, and encouraged web developers to look at implementation.
What was that password again??
Like many, I frequently stare gormlessly at a website running through the various systems I use to generate usernames and passwords before I have any clue of what the credentials might be for that particular site. Frequently, it's quicker for me to admit defeat and use the password reset feature!
BrowserID sounds as if it could remove this brain-strain permanently (hurrah!)
One email, one login
Users of BrowserID would need to set up their email address to generate the 'key' to get into the authentication system and verify their email address. Subsequently, any sites which support BrowserID login would simply require the user to click on the BrowserID button and select their registered email address from a menu.
The geeky bit
The BrowserID system proposed by Mozilla is built on top of a new 'Verified Email Protocol' which uses public-key cryptography to identify the email address of the user. Behind the scenes, the service creates a cryptographic key pair once the user confirms their email address, storing the private key with the browser and hanging onto the public key.
The user can register more than one email address (e.g. a private email for 'personal' stuff and a corporate email for 'business' stuff) and when the email is selected to allow logging into a site, the appropriate key is retrieved to verify their identity.
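A simplified model of the key handling described above, as an added example for Node.js (it is not code from Mozilla or the BrowserID project, and not the real Verified Email Protocol message format). The function names, the Ed25519 key type, the `audience` and `expires` fields and the example addresses are assumptions made for illustration.

```javascript
// Added illustration: one key pair per confirmed email address.
const nodeCrypto = require('node:crypto');

const publicKeys = new Map();   // kept by the verification service: email -> public key (PEM)
const browserKeys = new Map();  // kept by the browser: email -> private key

// Runs once the user has confirmed ownership of the address.
function registerEmail(email) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  browserKeys.set(email, privateKey);
  publicKeys.set(email, publicKey.export({ type: 'spki', format: 'pem' }));
}

// Browser side: the user picks an address and the matching private key signs.
// `audience` and `expires` are assumed fields that tie the assertion to one
// site and a short time window, so a captured assertion is useless elsewhere.
function signAssertion(email, audience, now = Date.now()) {
  const key = browserKeys.get(email);
  if (!key) throw new Error('no key registered for ' + email);
  const payload = JSON.stringify({ email, audience, expires: now + 120000 });
  const signature = nodeCrypto.sign(null, Buffer.from(payload), key).toString('base64');
  return { payload, signature };
}

// Site side: returns the verified email address, or null on any failure.
function verifyAssertion(assertion, expectedAudience, now = Date.now()) {
  let claims;
  try { claims = JSON.parse(assertion.payload); } catch { return null; }
  if (!claims || typeof claims.email !== 'string') return null;
  const pem = publicKeys.get(claims.email);
  if (!pem) return null;                       // address was never confirmed
  const ok = nodeCrypto.verify(null, Buffer.from(assertion.payload), pem,
                               Buffer.from(String(assertion.signature), 'base64'));
  if (!ok) return null;                        // payload altered or wrong key
  if (claims.audience !== expectedAudience) return null;
  if (typeof claims.expires !== 'number' || now > claims.expires) return null;
  return claims.email;
}

// Constructed sample data: a personal and a corporate address for one user.
registerEmail('alice@personal.example');
registerEmail('alice@corp.example');
```

Swapping the address inside a signed payload fails verification, because the signature is checked against the public key registered for whichever address the payload claims.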
Isn't this just like OpenID or signing in with Facebook, Twitter, etc?
It is, and it isn't. The concept is the same (using an existing service to authenticate to a new service); however, this system requires minimal input from the user, after which the login process is literally one or two clicks. The other thing to consider is that when you outsource your login procedure to companies such as Facebook and Twitter, you are relying on their systems being online and available. You also don't have much say in what gets developed. BrowserID is open source.
What about security?
There are some security issues which haven't quite been resolved yet - one example is that a system administrator could take control of a user's email account (this risk would be inherent in other systems too, but it becomes more of an issue if BrowserID is used alone as the authentication method without a requirement for a username/password). It would also raise email hacking attempts to a whole new level if this was used as the sole means of authenticating to websites.
Mozilla are keen for developers to get involved in testing and potentially contributing code to the BrowserID project - you can visit the project website at https://browserid.org/. Please note this system is still in its infancy and we would not recommend its use on live sites at the present time! It looks like it could have great potential if the issues are ironed out.