Mozilla tackles single sign-on with BrowserID


Mozilla late yesterday launched a new experimental project, called BrowserID, to make it easier for users and developers to handle the sign-in process for websites.

The project uses existing email addresses to replace the login and password details for all of the sites a user may want to log into, such as Facebook, Google or Twitter.

Described by its development team as a "snazzy passphraseless login flow," the project uses a new 'Verified Email Protocol' from Mozilla that is based on public key cryptography.

Dan Mills, Mozilla Labs engineer, said in a blog posting that the open source protocol enables the project to offer this new approach to universal login.

"Sites get proof of ownership using public key cryptography," he wrote.

"But don't worry, we have a verification service so you can get started without writing a single line of crypto code."

When a user logs into a website, BrowserID intercepts the request, allowing them to authenticate their login by choosing any one of the email addresses they have already registered with the service.

The one-time verification of email addresses when a user first registers with BrowserID allows the service to use crypto keys in order to vouch for the user's ownership of them, so the website that the user is signing into does not need to.

The success of the service will largely depend on email service providers getting involved. In return, they will be able to access the data collected on the sites that users log into using BrowserID.

But Mozilla said this would still be a more secure method of password management, as the data will only reside on BrowserID servers.

While single sign-on systems like OpenID have been around for some time now, Mozilla said BrowserID offered a better alternative to identity token-based protocols because its keys worked with the authentication service already provided with email accessed via the web.

In the wiki documentation describing the Verified Email Protocol, Mozilla stated: "A number of web-scale identity proposals start by creating a new identity token, for example a user ID or personal URL, and go on to describe how to use that token to authenticate the user."

By using existing email addresses, Mozilla claims its system eliminates the need to register an identity token every time the user wants to log into a new website. It said this would make it easier for users and developers to adopt.

And the prototype uses JavaScript and HTML to enable its use on the latest web and mobile browsers.

The company has launched a new website to host links to the BrowserID source code and specifications, designed to encourage end users and website owners to get involved.

Miya Knights