Mozilla's BrowserID aims to simplify authentication on the Web

BrowserID logoMozilla aims to simplify account registration and authentication on the Web with a new technology called BrowserID. It is a decentralized authentication system allows the Web browser to manage the user's identity.

The system relies on asymmetric keys and ties the user's identity to their e-mail address rather than conventional usernames and passwords. The browser handles the authentication process for the user, enabling relatively secure single-click logins on websites that support the scheme.

The login flow is relatively straightforward. The user navigates to the website of their identity authority provider and logs in conventionally. The authority provider website calls a browser JavaScript API that generates a key pair. The browser sends the public key to the identity provider and gets back a signed identity certificate. The browser will then store the private key and certificate in its secure keyring.

When a website wants a user's identity, it calls a JavaScript function that will cause the browser to initiate the authentication process. The browser will prompt the user to determine which identity to use and whether to log in at all. If the user agrees, the browser will send the requesting website an identity certificate signed with the user's private key. The website then obtains the user's public key from the identity provider and uses it verify the authenticity of the provided identity information.

The authentication process is largely transparent to the end user. All you will have to do is click a user interface element in the browser to approve the login. BrowserID conceptually similar to OpenID in a lot of ways, but without the usability problems and some of the other pain points.

Of course, the authentication process described above makes several assumptions: the user's browser implements the relevant JavaScript APIs, the website that the user wants to sign into supports the service and handles the verification step on its own, and the user's e-mail host serves as an identity provider. That's obviously the ideal scenario, but the protocol supports some other variations on the authentication process that will simplify a few of the challenges.

If the user's e-mail host doesn't act as an identity authority, it's possible to use a trusted secondary identity authority that does the job. In the absence of native BrowserID support in the user's Web browser, it's also possible to use an implementation hosted on a website. It's also worth noting that the actual process of verifying the identity can be performed by a trusted third-party, thus vastly reducing the amount of effort involved for Web application developers to support BrowserID logins.

Mozilla has set up a website called that supplies these services. This will make it possible to start testing and implementing BrowserID right away without having to wait for adoption by e-mail providers and other browser vendors.

The concept is pretty good, but there are still some unanswered questions. It's unclear if major e-mail hosts and browser vendors are going to be interested in supporting the system. The specifications are still being finalized, so the effort to encourage adoption is obviously still at a very early stage. It's also not entirely clear yet what steps e-mail hosts will have to take to support BrowserID. It's generally understood that they will have to host public keys and make them accesible in a standardized way, but how exactly that will work hasn't been specified yet.

Another question is how BrowserID authentication will be handled in native desktop and mobile client applications outside of the Web browser. Individual applications may need to operate as BrowserID user agents and have their own internal implementation of the protocol. The application would provide an embedded browser window in which the user would log into their identity authority account so that the app can get the keys.

That will get really complicated and sort of ugly, but the problem could eventually be solved better by having the underlying operating system itself implement BrowserID and store the keys in a central keyring. There could be platform-level APIs for developers that allow a third-party client application to log into Web services with identities from the system keyring. The process could be mediated by the operating system so that the user has the opportunity to select an account or deny the login. The mobile platform vendors could probably do it without much trouble, but it will likely take more time for this to be supported on the desktop.

You can get more information about the protocol by visiting or Mozilla's new identity website.

Source: Ars Technica

Tags: browsers, Mozilla

Add comment

Your name:
Sign in with:
Your comment:

Enter code:

E-mail (not required)
E-mail will not be disclosed to the third party

Last news

Galaxy Note10 really is built around a 6.7-inch display
You may still be able to download your content
Facebook, Messenger and Instagram are all going away
Minimize apps to a floating, always-on-top bubble
Japan Display has been providing LCDs for the iPhone XR, the only LCD model in Apple’s 2018 line-up
The 2001 operating system has reached its lowest share level
The entire TSMC 5nm design infrastructure is available now from TSMC
The smartphone uses a Snapdragon 660 processor running Android 9 Pie
The Samsung Galaxy A5 (2017) Review
The evolution of the successful smartphone, now with a waterproof body and USB Type-C
February 7, 2017 / 2
Samsung Galaxy TabPro S - a tablet with the Windows-keyboard
The first Windows-tablet with the 12-inch display Super AMOLED
June 7, 2016 /
Keyboards for iOS
Ten iOS keyboards review
July 18, 2015 /
Samsung E1200 Mobile Phone Review
A cheap phone with a good screen
March 8, 2015 / 4
Creative Sound Blaster Z sound card review
Good sound for those who are not satisfied with the onboard solution
September 25, 2014 / 2
Samsung Galaxy Gear: Smartwatch at High Price
The first smartwatch from Samsung - almost a smartphone with a small body
December 19, 2013 /

News Archive



Do you use microSD card with your phone?
or leave your own version in comments (15)