Forget Passwords and Let the Browser Remember
An experimental tool removes the need to hand your credentials over to lots of different websites.
The Mozilla Foundation, a nonprofit corporation that makes the Firefox browser, released an experimental tool last week that could dramatically change the way people identify themselves online.
Instead of handing your log-in credentials over to countless different websites, or to a site like Facebook or Google that then confirms your identity with other sites, Mozilla’s BrowserID tool stores your identity information inside your browser. This keeps that data out of the hands of companies that could be hacked, or that may track your log-in behavior for commercial purposes.
Remembering many different passwords is hard enough, and recent attacks on Sony, Citibank, and others have shown that users’ identity credentials are often poorly protected. Mozilla argues that BrowserID would be a safer and more secure way to verify identity, and would give users more privacy.
This is part of a larger effort by Mozilla to change the way identity works on the Web. Reacting to increasing use of tracking technologies, Mozilla has conceived of a suite of open standards and protocols that, taken together, would move control over personal information into the browser itself. Mozilla says this effort is fueled by “principle over profit.” The Firefox vision statement reads: “Users should be able to share information about themselves selectively and easily, rather than sharing a lot about themselves to receive little in return.”
Mozilla’s system lets users tie one password to an e-mail account of their choice. Mozilla confirms that the address is valid by sending an e-mail to the user with a link that is used to verify ownership. Then, when a user visits a website that supports BrowserID, the site asks which e-mail he or she wants to use. Once the user enters that address, BrowserID checks to see if the user owns that e-mail address, and either verifies him or her, or does not.
“With existing log-in protocols, the identity provider—Facebook, Twitter, Google, or other OpenID provider—is actively involved in every log-in transaction,” says a prepared statement from Mozilla. “This means the identity provider knows all of the user’s log-in activity, and must be online at the time the user wishes to log in. This can create privacy and reliability issues.”
Since BrowserID is experimental, it doesn’t yet support all the pieces that Mozilla wants to include. For example, the company hopes to eventually work with e-mail providers. This would require companies such as Google and Yahoo to integrate BrowserID into their webmail systems. That way, when a user logged into his or her e-mail, the system would automatically generate a certificate that would be stored in the browser, tying that user to the relevant e-mail address. The next time the user visited a website to sign in with BrowserID, the certificate would do most of the work.
The Mozilla statement notes that having e-mail providers vouch for a user’s identity, and storing the necessary certificate in the browser for any site to check, “is the key to making BrowserID decentralized.”
No information is being passed to other parties beyond what’s necessary, and the user doesn’t have to rely on a third-party website. Mozilla points out that if users rely on one particular social network to log in to many different sites, switching to another social network becomes problematic.
For BrowserID to take off, websites will have to adopt it. Mozilla has provided code that websites can drop in if they want to use BrowserID. Mozilla also provides a free verification service that checks certificates and handles verification e-mails. Websites could also choose to run their own verification servers.
“I think ID should eventually be baked into the browser,” as Mozilla is doing, says Terrell Russell, cofounder of an online identity-management system called ClaimID. “I think it should come with controls for anonymity, of course, but it is the right place for identity information to be managed.”
Russell expects people to begin moving away from identity providers such as Facebook Connect, especially as they grow more concerned about how Web companies are using their private information.
Mozilla is trying to give people the same benefits, Russell says, but BrowserID is “something people can control and understand a little better.” This is because users can delete information from their own browsers easily, but they cannot necessarily track or delete information held by third-party providers.
Keep up with the latest in security at EmTech MIT.
Discover where tech, business, and culture converge.
September 11-14, 2018
MIT Media Lab