BrowserID takes evolutionary step; ventures into wild

The Mozilla Foundation is inviting all email providers to adopt its BrowserID technology and begin validating their users' log-ins to Web sites that support the protocol.
Written by John Fontana, Contributor

The Mozilla Foundation Tuesday said it is taking BrowserID into the wild and invited identity providers to join up and begin validating their users' identities on the Web.

The move represents a major evolutionary step in the development of the BrowserID Primary IdP Protocol. Today, the Foundation is the sole identity provider (IdP) for BrowserID, which means all ID validations must flow through the BrowserID.org site.

To build an authentic decentralized identity system, the Foundation needs a collection of independent IdPs to start signing up and validating user identities. Since the BrowserID authentication system is based on a user's email address, the Foundation hopes email providers will join forces, including enterprises, ISPs, universities or other institutions that issue email addresses.

"So far, BrowserID has operated with scaffolding that uses the BrowserID service itself to vouch for email addresses," the Foundation wrote on its blog. "With our latest update, however, we're setting aside some of that scaffolding and allowing a fully decentralized system to emerge."

Introduced in July of last year, BrowserID has yet to gain a foothold with any email or identity providers.

"The provider API is an open API, it does not require permission or approval from Mozilla to be used," said Dan Mills, product manager for identity at Mozilla. "Any email provider can choose to support it of their own accord. That said, we are currently having conversations with a number of email providers."

The Foundation is encouraging developers to view its demo and try its test site at eyedee.me.

BrowserID is designed to replace username and password log-ins and open identity architectures that require third-party ID providers to issue credentials.

The Foundation thinks email providers represent a built-in IdP model since they have already validated their users and given them what amounts to a unique user name - their email address.

The Foundation says web sites that have already upgraded to accept BrowserID won't have to make any changes. In addition, the authentication process for users will become simpler by eliminating the need for an email confirmation and password to be sent from the BrowserID.org validation service.

The Foundation says the registration process shrinks from eight screens to one sign-in.

Users can log in at their email provider and then visit web sites that support BrowserID without having to repeat the log-in process. Alternatively, users can go to the web site first and enter their email address in a log-in box before being redirected to the email provider to enter their password.

Underneath, cryptographic keys are passed among the website, the browser and a validation service to confirm identity.

BrowserID is presented as an alternative to OpenID, which includes a community of sites that provide IDs for users (identity providers), sites that accept those IDs (relying parties), and end users.

The Foundation contends outsourcing log-ins and identity management to providers, such as Facebook and Google, saddles users with lock-in, reliability issues and data privacy worries.

The Foundation is providing code and documentation via GitHub, and a mailing list and Twitter hashtag (#browserid) for feedback.
