Mozilla Proposes to Sign-in Only with the Email Address, No User ID or Password Required
A new authentication system, dubbed BrowserID, from Mozilla promises to solve the basic authentication needs, but its success highly depends on its adoption.
Mozilla wants to simplify the authentication process when connecting to websites by using just an email address, without the need to enter an ID or a password. The new authentication solution is called BrowserID. An email address is verified only once, in the beginning, by the email provider or an authentication authority through a mechanism of their choice – hardware, biometric, encrypted keys, or, for example, by sending an email to the user’s inbox: the user clicks on a link and is thus authenticated as the owner of the respective email address. A user can register multiple email addresses. Later, when logging into a website, the user is presented with a list of the email addresses he has validated, chooses one, and clicks the Login button. No ID and no password needed. And no extra authentication dialog from an OpenID provider. The BrowserID login process can be tested here.
BrowserID is based on a new protocol called the Verified Email Protocol. At its core the protocol revolves around the email address as the identifier, instead of creating new user identities. A user gets an email address from an email provider that he or she trusts, and, if the provider supports BrowserID, the browser creates a private/public key pair. The browser keeps the private key while the public one is handed over to the provider. When logging into a website, the browser presents one or more email addresses that have been previously validated with one or more email providers; the user chooses one address, and the browser signs an identity assertion with the corresponding private key and sends that assertion to the website, which in turn verifies it by obtaining the public key from the email provider. Of course, the website needs to trust that provider. If the assertion is valid, the user is accepted and logged in.
There can be secondary authorities holding the public key in case the email provider does not want to implement the protocol or is not reliable. This web page contains more details on the whole authentication process and covers other related topics: identity assertion and key expiration, using multiple devices and synchronization, pseudonymous addresses, etc.
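The exchange described in the two paragraphs above, modelled end to end as an added example that is not Mozilla's code and not the real BrowserID implementation: the browser generates a key pair per verified address and keeps the private half, the provider stores the public half, the browser signs an assertion for one site, and the site checks it against the key it obtains from a provider it trusts, refusing assertions that are expired, meant for another site, tampered with, or issued by an untrusted provider. Ed25519 keys, the JSON payload with `email`/`aud`/`exp` fields, an in-memory map in place of a network fetch of the provider's key, and the names `Provider`, `Browser`, `Site`, `Enroll`, `Sign` and `Verify` are all this example's own assumptions; BrowserID's actual key types, assertion format and lookup mechanism differ.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assertion is the claim the browser signs: address, intended site (audience), expiry. Field names are this example's own.
type Assertion struct {
	Email    string `json:"email"`
	Audience string `json:"aud"`
	Expires  int64  `json:"exp"` // unix seconds
}

type SignedAssertion struct{ Payload, Signature []byte } // what the browser hands to the website

// Provider stands in for the email provider: once an address passed its own verification step
// (mail link, hardware token, ...), it keeps the public key the browser handed over.
type Provider struct {
	Domain string
	Keys   map[string]ed25519.PublicKey // verified address -> public key
}
func NewProvider(domain string) *Provider {
	return &Provider{Domain: domain, Keys: map[string]ed25519.PublicKey{}}
}

func domainOf(email string) string { return email[strings.LastIndex(email, "@")+1:] } // text after the last "@"

// RegisterKey is called only once the provider has verified the address itself.
func (p *Provider) RegisterKey(email string, pub ed25519.PublicKey) error {
	if domainOf(email) != p.Domain {
		return fmt.Errorf("%s is not an address of %s", email, p.Domain)
	}
	p.Keys[email] = pub
	return nil
}

// Browser keeps one private key per verified address; the key never leaves it.
type Browser struct{ keys map[string]ed25519.PrivateKey }
func NewBrowser() *Browser { return &Browser{keys: map[string]ed25519.PrivateKey{}} }

// Enroll generates the key pair for an address and gives the provider the public half.
func (b *Browser) Enroll(email string, p *Provider) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err == nil {
		if err = p.RegisterKey(email, pub); err == nil {
			b.keys[email] = priv // kept only if the provider accepted the address
		}
	}
	return err
}

// Sign produces a short-lived assertion bound to one site's origin.
func (b *Browser) Sign(email, audience string, now time.Time, ttl time.Duration) (SignedAssertion, error) {
	priv, ok := b.keys[email]
	if !ok {
		return SignedAssertion{}, errors.New("address not verified in this browser")
	}
	payload, _ := json.Marshal(Assertion{Email: email, Audience: audience, Expires: now.Add(ttl).Unix()}) // cannot fail for this struct
	return SignedAssertion{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Site is the relying website; it accepts assertions only from providers listed in Trusted.
type Site struct {
	Origin  string
	Trusted map[string]*Provider // keyed by email domain
}

// Verify returns the authenticated address, or an error naming the check that failed.
func (s *Site) Verify(sa SignedAssertion, now time.Time) (string, error) {
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return "", err
	}
	p, ok := s.Trusted[domainOf(a.Email)]
	if !ok {
		return "", fmt.Errorf("provider %q is not trusted by this site", domainOf(a.Email))
	}
	// The public key obtained from the provider is what lets the site check the browser's signature.
	if pub, known := p.Keys[a.Email]; !known || !ed25519.Verify(pub, sa.Payload, sa.Signature) {
		return "", errors.New("unknown address or signature does not verify")
	}
	if a.Audience != s.Origin {
		return "", fmt.Errorf("assertion is for %s, not %s", a.Audience, s.Origin)
	}
	if !now.Before(time.Unix(a.Expires, 0)) {
		return "", errors.New("assertion expired")
	}
	return a.Email, nil
}

func main() {
	prov, br := NewProvider("example.com"), NewBrowser() // constructed sample provider and address
	site := &Site{Origin: "https://app.example.org", Trusted: map[string]*Provider{"example.com": prov}}
	_ = br.Enroll("alice@example.com", prov)
	sa, _ := br.Sign("alice@example.com", site.Origin, time.Now(), time.Minute)
	fmt.Println(site.Verify(sa, time.Now()))
}
```

The three checks in `Verify` are the ones the article's flow implies a relying site must make: the address's domain maps to a provider the site trusts, the signature verifies under the key that provider holds for that address, and the assertion is bound to this site's origin and has not expired. Binding to an origin is what stops an assertion collected by one site from being replayed at another, and the expiry field is the "key expiration" topic the article points to.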