About three weeks after releasing Firefox 5, Mozilla has rolled out a decentralized identity system called BrowserID that uses email addresses as identities in place of per-site usernames and passwords, letting users sign in to Web sites and online services that support it.
The system is based on a variant of the Verified Email Protocol, which is "a way for a user to prove to a website that they control an email address, through the web browser," according to VEP developer Mike Hanson.
Once a user has set up a BrowserID (Mozilla provides a demo of the process at Myfavoritebeer.org, and a video tutorial is posted below), there is no longer any need to prove one's identity with a per-site password when visiting Web sites or signing in to services that support the protocol.
The process is secure, according to Mozilla, because "sites get proof of ownership using public key cryptography." Mozilla also runs its own verification service, "so you can get started without writing a single line of crypto code" (a site that delegates the check to that service is, of course, trusting it with the result).
BrowserID is also browser-neutral, meaning it works not just with Firefox, but "on all modern browsers." Mozilla specifically identifies "recent versions" of Microsoft's Internet Explorer as compatible with BrowserID, as well as unnamed "mobile browsers."
So how does it work and how secure is it really?
Lloyd Hilaiel has written a technical primer on BrowserID in which he identifies the design features that make it easy for users to grasp, more secure because it removes per-site passwords (and with them weak or easily socially engineered ones), and better at protecting users' privacy than other authentication systems.
The first nice thing about BrowserID is that it makes a user's email address their identity, which is a natural fit because "[u]sers identify with emails quite naturally, and no new infrastructure is needed to reliably verify ownership of them."
Another benefit for BrowserID users is that logging in to secure sites has a one-click, streamlined feel that is consistent across all sites using the protocol.
Next, by design, BrowserID does not involve identity providers in the login transaction: the provider is not contacted when the user signs in, so it never learns which sites a BrowserID owner visits, "a significant privacy advantage," according to Hilaiel.
Finally, BrowserID uses ownership-based authentication: the browser holds the authentication material (the private key whose ownership the site checks), so the scheme relies far less than other systems on "knowledge factors" such as passwords built from a user's birthday or other personal details that identity thieves can discover.
So what's not to like about BrowserID? Probably that it only works on Myfavoritebeer.org and a few early-adopting Web sites so far. Until the protocol gains a bigger footprint across popular Web destinations, it is just one more identity verification process to go through without much return for your time.
Mozilla, unsurprisingly, is strongly encouraging developers to add BrowserID functionality to their sites.