An experimental tool removes the need to hand your credentials over to lots of different websites.
The Mozilla Foundation, a nonprofit corporation that makes the Firefox browser, released an experimental tool last week that could dramatically change the way people identify themselves online.
Instead of handing your log-in credentials over to countless different websites, or to a site like Facebook or Google that then confirms your identity with other sites, Mozilla's BrowserID tool stores your identity information inside your browser. This keeps that data out of the hands of companies that could be hacked, or that may track your log-in behavior for commercial purposes.
Remembering many different passwords is hard enough, and recent attacks on Sony, Citibank, and others have shown that users' identity credentials are often poorly protected. Mozilla argues that BrowserID would be a safer and more secure way to verify identity, and would give users more privacy.
This is part of a larger effort by Mozilla to change the way identity works on the Web. Reacting to increasing use of tracking technologies, Mozilla has conceived of a suite of open standards and protocols that, taken together, would move control over personal information into the browser itself. Mozilla says this effort is fueled by 'principle over profit.' The Firefox vision statement reads: 'Users should be able to share information about themselves selectively and easily, rather than sharing a lot about themselves to receive little in return.'
Mozilla's system lets users tie one password to an e-mail account of their choice. Mozilla confirms that the address is valid by sending an e-mail to the user with a link that is used to verify ownership. Then, when a user visits a website that supports BrowserID, the site asks which e-mail he or she wants to use. Once the user enters that address, BrowserID checks to see if the user owns that e-mail address, and either verifies him or her, or does not.
A Mozilla spokesperson says, "With existing log-in protocols, the identity provider—Facebook, Twitter, Google, or other OpenID provider—is actively involved in every log-in transaction. This means the identity provider knows all of the user's log-in activity, and must be online at the time the user wishes to log in. This can create privacy and reliability issues."
Since BrowserID is experimental, it doesn't yet support all the pieces that Mozilla wants to include. For example, the company hopes to eventually work with e-mail providers. This would require companies such as Google and Yahoo integrating BrowserID into their webmail systems. That way, when a user logs into his or her e-mail, the system would automatically generate a certificate that would be stored in the browser, tying that user to the relevant e-mail address. The next time the user visited a website to sign in with BrowserID, the certificate would do most of the work.
"