BrowserID testing waters, but missing pieces weaken story

Summary: The Mozilla Foundation is finally testing its BrowserID authentication system, but a missing part of the architecture used to validate a user's credentials is a big gap the Foundation must address.

Six months after introducing its open source, browser-based user authentication system, the Mozilla Foundation is finally testing it across five of its sites.

Introduced in July last year, BrowserID is an authentication system based on a user's email address and designed to replace username and password log-ins and identity architectures that require third-party ID providers to issue credentials.

While Mozilla claims BrowserID offers a simpler way to validate users, it currently has a couple of big gaps to close: enticing email providers to participate as identity authorities, which would validate email addresses as part of the authentication process; and adding multi-language support.

BrowserID uses the Verified Email Protocol (VEP) that Mozilla developed. VEP uses public key cryptography to prove that a particular user owns their unique email address.

VEP does not require the email provider to support BrowserID, but the Foundation says that provider support "provides a better experience and more control."

Without email-provider support, the Foundation is the sole "Secondary Identity Authority," a validation service that holds user account details. The Foundation runs a Secondary Identity Authority at BrowserID.org.

Such a single-authority set-up is reminiscent of Microsoft's failed Passport identification system of the late 1990s, which essentially made Microsoft the gatekeeper of user identity information for the Web.

Identity management experts have been watching BrowserID's development. Critics contend that the lack of email providers supporting BrowserID weakens its usefulness.

"It is a big bottleneck with a single ID provider who may or may not be secure and trustworthy," said Dave Kearns, an analyst with KuppingerCole. "The potential was there for OpenID and InfoCard too, but without any relying parties, BrowserID does not do you a whole lot of good."

BrowserID logs a user into a website by presenting the user with a menu of the email addresses they could use to sign in. Underneath, cryptographic keys are passed among the website, the browser and a verification service to validate identity.

It is the verification step that is missing a critical mass of participants.

BrowserID has been presented as an alternative to OpenID, which requires a community of sites that provide IDs for users (identity providers), sites that accept those IDs (relying parties), and end users.

The Foundation contends that outsourcing log-ins and identity management to providers such as Facebook and Google saddles users with lock-in, reliability issues and data-privacy worries.

The Mozilla Foundation said the deployment at its various sites is a way to test BrowserID in a demanding global environment. The Foundation admits, however, that its deployment is limited in scope because BrowserID is not yet localized and is English-only.

Do you think you will give BrowserID a try? Is it a better alternative than OpenID? Why or why not?

Topics: Security, Browser, Collaboration

About

John Fontana is a journalist focusing in identity, privacy and security issues. Currently, he is the Identity Evangelist for cloud identity security vendor Ping Identity, where he blogs about relevant issues related to digital identity.
