Mozilla has released a new browser-based federated login mechanism called BrowserID that is designed to replace the login process on Web sites that requires users to supply an email and password. The experimental system relies on the Verified Email protocol and also works on other browsers, including Internet Explorer.
For users, the BrowserID system works fairly simply. In order to register with the system, a user enters an email address and password one time and then clicks on a link in a confirmation email, just as she would in a typical Web site sign-up process. Once the user has confirmed that she owns that email address, she can then use it as her mechanism to sign in to any site that supports BrowserID, simply by clicking on the BrowserID button on the site.
The system is implemented in HTTP and JavaScript on sites, and Mozilla officials say that the system is designed to respect user privacy and not leak any data back to the sites involved.
“An email address with a confirmation step is the classic method, but
it demands a user’s time and requires the user to take an extra step and
remember another password. Outsourcing login and identity management to
large providers like Facebook, Twitter, or Google is an option, but
these products also come with lock-in, reliability issues, and data
privacy concerns,” Mozilla said in its introduction of BrowserID.
“With BrowserID, there is a better way to sign in. BrowserID
implements the /verified email protocol/, which offers a streamlined
user experience. A user can prove their ownership of an email address
with fewer confirmation messages and without site-specific passwords.”
Creating and remembering passwords for the dozens of sites on which they’re registered has become a major problem for users. As a result, many people re-use passwords, weakening or eliminating whatever small modicum of security they provided to begin with. Mozilla said that the BrowserID project is in its early stages and will likely evolve over time.
