Topic: BrowserID - Mozilla's solution to the password problem

Lashiec

BrowserID - Mozilla's solution to the password problem
« on: July 15, 2011, 04:52 PM »
The guys at the Mozilla Foundation unveiled today a clever solution to the problem posed by maintaining several different accounts for all the Internet services the average Internet user handles daily. The solution is called BrowserID, and it combines your e-mail address and browser client to identify yourself in the Internet, effectively eliminating the need to juggle several different identities and all the passwords associated to them. This is an idea that Mozilla has been working on for a few years, but only now we're able to see the first results yielded by the research.


While it certainly improves usability, especially for those less technically inclined, there are potential security concerns that Mozilla isn't clearing at the moment. For starters, this method would transform your e-mail account into the sole point of failure, which if compromised, could jeopardize your entire digital identity.

More information, including an interactive demonstration, is available at the link above. Documentation and technical details are on a separate blog post.

via Slashdot
« Last Edit: July 15, 2011, 05:12 PM by Lashiec, Reason: Proofreading, added link to documentation found on page footer »

cyberdiva

Re: BrowserID - Mozilla's solution to the password problem
« Reply #1 on: July 15, 2011, 06:41 PM »
I'm somewhat confused.  Does BrowserID assume that I always use the same browser?  Or the same computer?  I also use a variety of email addresses.  I'm not eager to have these addresses brought together by BrowserID.  Nor do I want to be identified by my email address rather than by a username I choose.  I realize that BrowserID is in an early stage, but from what I've seen I wouldn't dream of using it. 

In addition to the privacy concerns I've raised, I'm also in agreement with Lashiec's point about the security risk of having one's email account as the sole point of failure.

40hz

Re: BrowserID - Mozilla's solution to the password problem
« Reply #2 on: July 15, 2011, 06:49 PM »
Strikes me as somewhat akin to bringing in Manchu scorpions to get rid of ants.  :P


wraith808

Re: BrowserID - Mozilla's solution to the password problem
« Reply #3 on: July 15, 2011, 06:53 PM »
Personally, I like the idea of OpenID.  I just wish more sites would support it.  :-\

Lashiec

Re: BrowserID - Mozilla's solution to the password problem
« Reply #4 on: July 15, 2011, 07:30 PM »
I'm somewhat confused.  Does BrowserID assume that I always use the same browser?  Or the same computer?  I also use a variety of email addresses.  I'm not eager to have these addresses brought together by BrowserID.  Nor do I want to be identified by my email address rather than by a username I choose.  I realize that BrowserID is in an early stage, but from what I've seen I wouldn't dream of using it.

Well, no. As I understand, you can use as many browsers and devices as you like, as long as they're linked to any e-mail address you use with any given Internet service, and have been previously authorized by you. BrowserID is just a proof of concept, the functionality outlined by the proposal would be integrated into Firefox and other browsers, so the application is the one handling the e-mail addresses, not an external web service.  As for being identified by a username, one way or another you're also identified by an e-mail address (i.e., when you activate your account), and usernames are probably not going away, since they're a convenient way of differentiating users of the same service.

In addition to the privacy concerns I've raised, I'm also in agreement with Lashiec's point about the security risk of having one's email account as the sole point of failure.

I pondered over this for a while, and I realized the same problem exists with the current identification system, as darkskiez points at lloyd.io. Of course, the attacker would have to find out which Internet services you use in order to take over your identity, but he would at least take hold of your account in the most popular ones. That's why it's important to have other measures of protection in place, like double factor identification systems and various e-mail accounts with strong passwords to recover any stolen one.

Another potential security problem is the apparent lack of a way to deauthorize a browser or device, which means if someone steals your laptop or phone, you're in deep trouble. Again, that's something that could be alleviated by the use of a secondary identification method.

In any case, this would be an alternative identification method, there's no reason why sites can't keep the good ol' username + password system. And it's a better privacy proposition than Facebook Connect, that's for sure.
« Last Edit: July 15, 2011, 07:35 PM by Lashiec »

cyberdiva

Re: BrowserID - Mozilla's solution to the password problem
« Reply #5 on: July 15, 2011, 10:02 PM »
As I understand, you can use as many browsers and devices as you like, as long as they're linked to any e-mail address you use with any given Internet service, and have been previously authorized by you. BrowserID is just a proof of concept, the functionality outlined by the proposal would be integrated into Firefox and other browsers, so the application is the one handling the e-mail addresses, not an external web service.
Well, what happens if I'm at a friend's house and want to use her computer, or I'm at an Internet cafe?  And what happens when I move from, say, Firefox 5 to Firefox 6?  Will I have to re-establish all the browsers each time there's a new version in the same way that I've had to upgrade many of my extensions? 

There's simply nothing about BrowserID that appeals to me, and a lot that does not. 

Lashiec

Re: BrowserID - Mozilla's solution to the password problem
« Reply #6 on: July 16, 2011, 06:21 AM »
Well, what happens if I'm at a friend's house and want to use her computer, or I'm at an Internet cafe?

Yep, that's another problem without a clear solution. I guess you could grant a temporary authorization to your friend's browser, but it's a bit cumbersome anyway.

And what happens when I move from, say, Firefox 5 to Firefox 6?  Will I have to re-establish all the browsers each time there's a new version in the same way that I've had to upgrade many of my extensions? 

Nothing. The same way Firefox preserves your history, bookmarks or saved passwords, it will also preserve the file that deems the browser as authorized. On a clean installation, you can move that file to the new profile.

wraith808

Re: BrowserID - Mozilla's solution to the password problem
« Reply #7 on: July 16, 2011, 07:12 AM »
What is the advantage of BrowserID over OpenID?

Ath

Re: BrowserID - Mozilla's solution to the password problem
« Reply #8 on: July 16, 2011, 07:13 AM »
What is this better than, say, a hotmail account, or OpenID? And adding an extra annoyance of having to verify the current browser as being allowed to access the service credentials.

Sounds like a solution looking for a problem :o

Lashiec

Re: BrowserID - Mozilla's solution to the password problem
« Reply #9 on: July 16, 2011, 07:41 AM »
What is the advantage of BrowserID over OpenID?

OpenID has been criticized in the past for its failure in solving certain security as well as privacy problems. For example, your OpenID provider tracks your activity every time you use its identity to log in to any site. Supposedly, BrowserID solves this, but this is a new standard that has not been subjected to a thorough analysis, so the advantages may be a moot point.

cyberdiva

Re: BrowserID - Mozilla's solution to the password problem
« Reply #10 on: July 16, 2011, 09:10 AM »
The same way Firefox preserves your history, bookmarks or saved passwords, it will also preserve the file that deems the browser as authorized. On a clean installation, you can move that file to the new profile.

I don't store bookmarks or passwords on any browser, so I'm less familiar with how well Firefox manages this.  (I have a password manager and a bookmark manager that work with all my computers.) Be that as it may, since I currently use several computers and several browsers on each computer, having to make and keep each one validated for BrowserID sounds like more trouble than it's worth.  At least for me. 

Lashiec

Re: BrowserID - Mozilla's solution to the password problem
« Reply #11 on: July 16, 2011, 09:44 AM »
In addition to that, I expect Firefox Sync will backup the file to the cloud, so it will be synchronized across all your computers. And whenever other browsers adopt the system, their sync systems will do the same.

worstje

Re: BrowserID - Mozilla's solution to the password problem
« Reply #12 on: July 16, 2011, 09:57 AM »
Anything that makes it too easy to store and use my passwords with some service, I do not use. I use Keepass v2 right now and it works just great. Sure, it is a huge bother to stick the thing into my PC, and to type my master key... but it feels way more secure.

I have (some) control over my USB stick being stolen. I have the same control over where I plug it in, and what PCs I trust not to have keyloggers or other malware installed. However, I do not have control over the Cloud and their leaks and the big targets they make for 'hackers'. I feel similarly over biometric security: fingerpad scanners are technically very unsound, and matches are easy to create (for anyone with a bit of determination) so they can get access to whatever they want.

So yeah, I'm not trusting something as fickle as a browser that needs upgrading every week to protect my data. They are more interested in version numbers than a stable product, which speaks volumes by my book. :)

mahesh2k

Re: BrowserID - Mozilla's solution to the password problem
« Reply #13 on: July 16, 2011, 11:48 AM »
Flaw: Even if we use the 'Do not Track' feature, using BrowserID will make geo-targeting/cookie behavior for ad networks simple. They don't even need the IP of the computer because it is like an SSN: no matter where a person moves, he/she is identifiable for the advertising+browsing behavior based on BrowserID.  :down: I don't know if BrowserID expects personal information name/age/gender in their profiles or account, but if they do then chances are that the flaw which I mentioned is going to pop up in future.

justice

Re: BrowserID - Mozilla's solution to the password problem
« Reply #14 on: July 17, 2011, 06:26 AM »
Flaw: Even if we use the 'Do not Track' feature, using BrowserID will make geo-targeting/cookie behavior for ad networks simple. They don't even need the IP of the computer because it is like an SSN: no matter where a person moves, he/she is identifiable for the advertising+browsing behavior based on BrowserID.  :down: I don't know if BrowserID expects personal information name/age/gender in their profiles or account, but if they do then chances are that the flaw which I mentioned is going to pop up in future.
Not any simpler than the alternative where you sign in to the service after setting do not track.

BrowserID protects the privacy of your Web activity
With BrowserID, by design, your identity providers are not involved in the login transaction. This means they need not be aware of your entire Web activity, a significant privacy advantage. With OpenID, your identity provider is, unfortunately, a necessary participant in the login flow.
« Last Edit: July 17, 2011, 06:49 AM by justice »

justice

Re: BrowserID - Mozilla's solution to the password problem
« Reply #15 on: July 17, 2011, 06:47 AM »
There's real confusion about BrowserID. The website popup is a stopgap. Browser vendors and email providers will implement a key exchange system so that sites can ask the email provider if the person using the browser is a certain identity. With browser and email provider support, all you need to do once it is set up is click the sign in button and cryptographically things get checked and you get logged in. This will be a password replacement that is more secure than the current systems, easier to use than openid, and not any more privacy threatening than any login system. At the moment the BrowserID popup is a stopgap.

If you want to read common misconceptions check this thread:
http://news.ycombina....com/item?id=2764824

How browserid differs from openid:
http://identity.mozi...-differs-from-openid

How browserid works from a technical perspective:
http://lloyd.io/how-browserid-works
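
The sign-in flow described in the post above, as an added example that is not from the thread or from Mozilla: a simplified sketch of the BrowserID certificate-plus-assertion chain, showing how a site can verify a login without contacting the email provider. JSON and Ed25519 stand in for the real wire format, and the domains (`mail.example`, `forum.example`, `shop.example`), the address and all function names are assumptions.

```javascript
// Added illustration of the BrowserID trust chain (simplified; not Mozilla's code).
const crypto = require('node:crypto');

const pem = (key) => key.export({ type: 'spki', format: 'pem' });
const sign = (privateKey, obj) => {
  const payload = JSON.stringify(obj);
  const sig = crypto.sign(null, Buffer.from(payload), privateKey);
  return { payload, sig: sig.toString('base64') };
};
const check = (publicPem, signed) => crypto.verify(
  null, Buffer.from(signed.payload), crypto.createPublicKey(publicPem),
  Buffer.from(signed.sig, 'base64'));

// 1. The email provider (constructed domain) publishes a long-lived public key.
const idp = crypto.generateKeyPairSync('ed25519');
const publishedKeys = new Map([['mail.example', pem(idp.publicKey)]]);

// 2. Ahead of any login, the provider certifies the browser's own public key
//    for one address, for a limited time.
function issueCertificate(email, browserPublicPem, now, lifetimeSec) {
  return sign(idp.privateKey,
    { iss: 'mail.example', email, pubkey: browserPublicPem, exp: now + lifetimeSec });
}

// 3. At login, the browser signs an assertion naming the one site it is for.
function makeAssertion(browserPrivateKey, audience, now) {
  return sign(browserPrivateKey, { aud: audience, exp: now + 120 });
}

// 4. The site checks provider key -> certificate -> assertion locally; the
//    provider is never contacted during the login itself.
function verifyLogin(cert, assertion, myOrigin, now) {
  const c = JSON.parse(cert.payload);
  const a = JSON.parse(assertion.payload);
  const idpKey = publishedKeys.get(c.iss);
  if (!idpKey || !check(idpKey, cert)) return { ok: false, reason: 'bad certificate' };
  if (String(c.email).split('@')[1] !== c.iss) return { ok: false, reason: 'wrong issuer' };
  if (now >= c.exp) return { ok: false, reason: 'certificate expired' };
  if (!check(c.pubkey, assertion)) return { ok: false, reason: 'bad assertion' };
  if (a.aud !== myOrigin) return { ok: false, reason: 'wrong audience' };
  if (now >= a.exp) return { ok: false, reason: 'assertion expired' };
  return { ok: true, email: c.email };
}

// Constructed scenario: one good login, the same assertion presented to a
// different site, and a login attempted after the certificate has lapsed.
function demo() {
  const t0 = 1000000; // arbitrary clock, in seconds
  const site = 'https://forum.example';
  const browser = crypto.generateKeyPairSync('ed25519');
  const cert = issueCertificate('alice@mail.example', pem(browser.publicKey), t0, 3600);
  const assertion = makeAssertion(browser.privateKey, site, t0 + 10);
  const late = makeAssertion(browser.privateKey, site, t0 + 7200);
  return {
    login: verifyLogin(cert, assertion, site, t0 + 20),
    otherSite: verifyLogin(cert, assertion, 'https://shop.example', t0 + 20),
    afterExpiry: verifyLogin(cert, late, site, t0 + 7200),
  };
}
```

In this sketch the only thing that limits a lost or stolen browser key is the certificate lifetime; there is no revocation step.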

wraith808

Re: BrowserID - Mozilla's solution to the password problem
« Reply #16 on: July 17, 2011, 01:33 PM »
What is the advantage of BrowserID over OpenID?

OpenID has been criticized in the past for its failure in solving certain security as well as privacy problems. For example, your OpenID provider tracks your activity every time you use its identity to log in to any site. Supposedly, BrowserID solves this, but this is a new standard that has not been subjected to a thorough analysis, so the advantages may be a moot point.

If you're concerned about that, you can easily set yourself up to be your own provider.

And reading those differences between the two, I actually don't like any of their talking points.  I don't *want* my information, even my e-mail, associated with my login.  I want the login dialog to come from my domain, rather than some other location I don't control.  And as my own provider, I don't have to worry about the tracking part.
« Last Edit: July 17, 2011, 01:36 PM by wraith808 »

Deozaan

Re: Persona - Mozilla's solution to the password problem
« Reply #17 on: January 03, 2014, 07:10 PM »
NECRO THREAD REVIVAL!

Well, it's been a couple of years since BrowserID was first introduced. But I stumbled across this thread again today while looking for information about OpenID and looked into BrowserID. Apparently it's now called Persona.

More technical details about it can be found here: https://developer.mo...la.org/en-US/Persona

Any new opinions on the matter since this was originally discussed 2.5 years ago?

TaoPhoenix

Re: BrowserID - Mozilla's solution to the password problem
« Reply #18 on: January 03, 2014, 08:14 PM »

Well, it's been a couple of years since BrowserID was first introduced. But I stumbled across this thread again today while looking for information about OpenID and looked into BrowserID. Apparently it's now called Persona.

More technical details about it can be found here: https://developer.mo...la.org/en-US/Persona

Any new opinions on the matter since this was originally discussed 2.5 years ago?

Well, for me at least, some FF add-ons cause interference. (I don't know which ones; I blanket turned them all off and got it to work.)

Meanwhile, it doesn't seem to be supported anywhere, so it's like a "toy" that I can't even try out.

But overall trying to tie all authentication into the browser feels just a little fishy somehow.

I also don't know what it means that some sites are using the email address AS the ID!


Deozaan

Re: BrowserID - Mozilla's solution to the password problem
« Reply #19 on: January 07, 2014, 12:02 AM »
I tried it out and found that you can link multiple email addresses to the same Persona. And then you can login to sites using any one of those addresses you want. So you still don't necessarily have to give out your primary address to login. I think I'd like it a lot more if it was more widely used. But like you said, it's used virtually nowhere, so it's kind of worthless. )c:

J-Mac

Re: BrowserID - Mozilla's solution to the password problem
« Reply #20 on: January 07, 2014, 01:03 AM »
And to be honest, OpenID isn't much better currently with regard to the number of sites using it, unfortunately. I like OpenID but I don’t get many chances to use it.

Jim

wraith808

Re: BrowserID - Mozilla's solution to the password problem
« Reply #21 on: January 07, 2014, 08:19 AM »
And to be honest, OpenID isn't much better currently with regard to the number of sites using it, unfortunately. I like OpenID but I don’t get many chances to use it.

Jim

Bare openid seems to be going away.  I've had to change mine on every site that I formerly used it on.  Finally gave up and started using Google as my provider. *sigh*

40hz

Re: BrowserID - Mozilla's solution to the password problem
« Reply #22 on: January 07, 2014, 09:18 AM »
To make something like this work and be accepted, you either need a great deal of financial or moral clout behind you. Mozilla has neither.

And, as was noted, the way it works can be considered a stopgap at best.

Can the next contestant please step up?  ;D

superboyac

Re: BrowserID - Mozilla's solution to the password problem
« Reply #23 on: January 07, 2014, 09:23 AM »
Wouldn't web id's and stuff eventually evolve like mailing addresses did?  I don't know the history, but I imagine when mailing addresses first were formalized, a similar thing occurred with privacy and such, no?

Tuxman

Re: BrowserID - Mozilla's solution to the password problem
« Reply #24 on: January 07, 2014, 10:16 AM »
I like OpenID but I don’t get many chances to use it.

Large tech sites mostly allow a sign-in by OpenID, some board systems added that... well.