BrowserID - Mozilla's solution to the password problem

Lashiec:
The guys at the Mozilla Foundation unveiled today a clever solution to the problem posed by maintaining several different accounts for all the Internet services the average Internet user handles daily. The solution is called BrowserID, and it combines your e-mail address and browser client to identify yourself on the Internet, effectively eliminating the need to juggle several different identities and all the passwords associated with them. This is an idea that Mozilla has been working on for a few years, but only now are we able to see the first results yielded by the research.


While it certainly improves usability, especially for those less technically inclined, there are potential security concerns that Mozilla isn't clearing up at the moment. For starters, this method would transform your e-mail account into the sole point of failure, which if compromised, could jeopardize your entire digital identity.

More information, including an interactive demonstration, is available at the link above. Documentation and technical details are in a separate blog post.
via Slashdot

cyberdiva:
I'm somewhat confused.  Does BrowserID assume that I always use the same browser?  Or the same computer?  I also use a variety of email addresses.  I'm not eager to have these addresses brought together by BrowserID.  Nor do I want to be identified by my email address rather than by a username I choose.  I realize that BrowserID is in an early stage, but from what I've seen I wouldn't dream of using it. 

In addition to the privacy concerns I've raised, I'm also in agreement with Lashiec's point about the security risk of having one's email account as the sole point of failure.

40hz:
Strikes me as somewhat akin to bringing in Manchu scorpions to get rid of ants.  :P

wraith808:
Personally, I like the idea of OpenID.  I just wish more sites would support it.  :-\

Lashiec:
I'm somewhat confused.  Does BrowserID assume that I always use the same browser?  Or the same computer?  I also use a variety of email addresses.  I'm not eager to have these addresses brought together by BrowserID.  Nor do I want to be identified by my email address rather than by a username I choose.  I realize that BrowserID is in an early stage, but from what I've seen I wouldn't dream of using it.
-cyberdiva (July 15, 2011, 06:41 PM)
--- End quote ---

Well, no. As I understand, you can use as many browsers and devices as you like, as long as they're linked to any e-mail address you use with any given Internet service, and have been previously authorized by you. BrowserID is just a proof of concept; the functionality outlined by the proposal would be integrated into Firefox and other browsers, so the application is the one handling the e-mail addresses, not an external web service. As for being identified by a username, one way or another you're also identified by an e-mail address (i.e., when you activate your account), and usernames are probably not going away, since they're a convenient way of differentiating users of the same service.

In addition to the privacy concerns I've raised, I'm also in agreement with Lashiec's point about the security risk of having one's email account as the sole point of failure.

--- End quote ---

I pondered over this for a while, and I realized the same problem exists with the current identification system, as darkskiez points out at lloyd.io. Of course, the attacker would have to find out which Internet services you use in order to take over your identity, but he would at least take hold of your account in the most popular ones. That's why it's important to have other measures of protection in place, like double factor identification systems and various e-mail accounts with strong passwords to recover any stolen one.

Another potential security problem is the apparent lack of a way to deauthorize a browser or device, which means if someone steals your laptop or phone, you're in deep trouble. Again, that's something that could be alleviated by the use of a secondary identification method.

In any case, this would be an alternative identification method; there's no reason why sites can't keep the good ol' username + password system. And it's a better privacy proposition than Facebook Connect, that's for sure.
