MIT Technology Review
The Mozilla Foundation, a nonprofit corporation that makes the Firefox browser, released an experimental tool last week that could dramatically change the way people identify themselves online.

Instead of handing your log-in credentials over to countless different websites, or to a site like Facebook or Google that then confirms your identity with other sites, Mozilla’s BrowserID tool stores your identity information inside your browser. This keeps that data out of the hands of companies that could be hacked, or that may track your log-in behavior for commercial purposes.

Remembering many different passwords is hard enough, and recent attacks on Sony, Citibank, and others have shown that users’ identity credentials are often poorly protected. Mozilla argues that BrowserID would be a safer and more secure way to verify identity, and would give users more privacy.

This is part of a larger effort by Mozilla to change the way identity works on the Web. Reacting to increasing use of tracking technologies, Mozilla has conceived of a suite of open standards and protocols that, taken together, would move control over personal information into the browser itself. Mozilla says this effort is fueled by “principle over profit.” The Firefox vision statement reads: “Users should be able to share information about themselves selectively and easily, rather than sharing a lot about themselves to receive little in return.”

Mozilla’s system lets users tie one password to an e-mail account of their choice. Mozilla confirms that the address is valid by sending an e-mail to the user with a link that is used to verify ownership. Then, when a user visits a website that supports BrowserID, the site asks which e-mail he or she wants to use. Once the user enters that address, BrowserID checks to see if the user owns that e-mail address, and either verifies him or her, or does not.

“With existing log-in protocols, the identity provider—Facebook, Twitter, Google, or other OpenID provider—is actively involved in every log-in transaction,” says a prepared statement from Mozilla. “This means the identity provider knows all of the user’s log-in activity, and must be online at the time the user wishes to log in. This can create privacy and reliability issues.”

Since BrowserID is experimental, it doesn’t yet support all the pieces that Mozilla wants to include. For example, the company hopes to eventually work with e-mail providers. This would require companies such as Google and Yahoo to integrate BrowserID into their webmail systems. That way, when a user logged into his or her e-mail, the system would automatically generate a certificate that would be stored in the browser, tying that user to the relevant e-mail address. The next time the user visited a website to sign in with BrowserID, the certificate would do most of the work. 
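How a website could check such a browser-held certificate without contacting the e-mail provider at log-in time, as an added sketch that is not Mozilla's code or BrowserID's actual message format. The Ed25519 keys, JSON field names, per-site audience check, expiry handling and all function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Sign a JSON payload; keep the exact signed bytes next to the signature.
const sign = (payload, privateKey) => {
  const body = JSON.stringify(payload);
  return { body, sig: crypto.sign(null, Buffer.from(body), privateKey).toString('base64') };
};
const signatureOk = (signed, publicKey) =>
  crypto.verify(null, Buffer.from(signed.body), publicKey, Buffer.from(signed.sig, 'base64'));

// E-mail provider, once, when the user logs in to webmail: bind the e-mail
// address to a public key whose private half stays in the browser.
function issueCertificate(providerPrivateKey, email, userPublicKey, expiresAt) {
  const userKeyPem = userPublicKey.export({ type: 'spki', format: 'pem' });
  return sign({ email, userKeyPem, expiresAt }, providerPrivateKey);
}

// Browser, at each log-in: prove possession of the key for one site only.
// The provider is not contacted, so it does not learn which site this is.
function makeAssertion(userPrivateKey, certificate, audience, expiresAt) {
  return { certificate, proof: sign({ audience, expiresAt }, userPrivateKey) };
}

// Website: needs only the provider's public key. Returns the verified
// e-mail address, or null if any link in the chain fails.
function verifyLogin(assertion, providerPublicKey, ownOrigin, now) {
  const { certificate, proof } = assertion;
  if (!signatureOk(certificate, providerPublicKey)) return null;
  const cert = JSON.parse(certificate.body); // parsed only after its signature checks out
  if (cert.expiresAt <= now) return null;
  if (!signatureOk(proof, crypto.createPublicKey(cert.userKeyPem))) return null;
  const claim = JSON.parse(proof.body);
  if (claim.audience !== ownOrigin || claim.expiresAt <= now) return null;
  return cert.email;
}

// Constructed sample run: throwaway keys, example address and origins.
function demo() {
  const provider = crypto.generateKeyPairSync('ed25519');
  const user = crypto.generateKeyPairSync('ed25519');
  const now = 1000000; // constructed clock value, in seconds
  const cert = issueCertificate(provider.privateKey, 'alice@example.org', user.publicKey, now + 3600);
  const login = makeAssertion(user.privateKey, cert, 'https://shop.example', now + 120);
  return {
    accepted: verifyLogin(login, provider.publicKey, 'https://shop.example', now),
    replayedElsewhere: verifyLogin(login, provider.publicKey, 'https://other.example', now),
    afterExpiry: verifyLogin(login, provider.publicKey, 'https://shop.example', now + 7200),
  };
}
console.log(demo());
```

The short lifetime on the browser's proof and the audience field are what stop one site from reusing a log-in it received at another site.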
