I'm somewhat confused. Does BrowserID assume that I always use the same browser? Or the same computer? I also use a variety of email addresses. I'm not eager to have these addresses brought together by BrowserID. Nor do I want to be identified by my email address rather than by a username I choose. I realize that BrowserID is in an early stage, but from what I've seen I wouldn't dream of using it.
Well, no. As I understand, you can use as many browsers and devices as you like, as long as they're linked to any e-mail address you use with any given Internet service, and have been previously authorized by you. BrowserID is just a proof of concept; the functionality outlined by the proposal would be integrated into Firefox and other browsers, so the application is the one handling the e-mail addresses, not an external web service. As for being identified by a username, one way or another you're also identified by an e-mail address (i.e., when you activate your account), and usernames are probably not going away, since they're a convenient way of differentiating users of the same service.
In addition to the privacy concerns I've raised, I'm also in agreement with Lashiec's point about the security risk of having one's email account as the sole point of failure.
I pondered over this for a while, and I realized the same problem exists with the current identification system, as darkskiez points at lloyd.io. Of course, the attacker would have to find out which Internet services you use in order to take over your identity, but he would at least take hold of your account in the most popular ones. That's why it's important to have other measures of protection in place, like double factor identification systems and various e-mail accounts with strong passwords to recover any stolen one.
Another potential security problem is the apparent lack of a way to deauthorize a browser or device, which means if someone steals your laptop or phone, you're in deep trouble. Again, that's something that could be alleviated by the use of a secondary identification method.
In any case, this would be an alternative identification method; there's no reason why sites can't keep the good ol' username + password system. And it's a better privacy proposition than Facebook Connect, that's for sure.