Yesterday the Mozilla Labs Identity Team announced their experimental new project, BrowserID, to the public. This new open-source project is the latest available single sign-on (SSO) solution and is being touted as a better alternative to the mainstream login and identity management solutions currently offered by the likes of Facebook, Google, and Yahoo, who have built theirs around OpenID. The problems with the current mainstream OpenID SSOs are of course numerous, whether they be data protection issues, vendor lock-in, or the complexity of implementation.
Mozilla believes they can simplify and solve these issues with a “one-click experience” that does not require any additional verification and is designed to work on all websites and browsers, including mobile. Currently the system works through HTML and JavaScript; however, Mozilla eventually hopes that BrowserID will be built straight into major browsers by default. The only prerequisite for this one-click SSO solution is to complete a routine email address confirmation process prior to using it.
The email confirmation process relies on Mozilla’s Verified Email Protocol, which means that instead of creating a new token for each authentication, the same unique email address can be used. The site then verifies the email address and its user via public-key cryptography. The logic is that “proof of control” of an email address is worth more than a simple arbitrary username and password combination, which may differ from site to site. Mozilla believes that email hosting services presumably have better infrastructure for checking a person’s identity than most web sites do, and thus that using the email address as the user identifier is a safer solution than allowing new usernames and passwords to be created for each individual site.
Perhaps the biggest difference from other SSO solutions such as OpenID is that BrowserID apparently does not need to send any information about the web site being visited to a server, not even to the BrowserID server, which means the user potentially gets far greater anonymity.
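The verification described in the two paragraphs above can be sketched as a chain of two signatures. This is an added example, not Mozilla's code or BrowserID's wire format: the function names, field names (`audience`, `expires`, `userKey`), the Ed25519 keys and the two-minute lifetime are assumptions chosen for illustration. It shows the site checking the email binding locally, using only the provider's public key, so the provider is never told which site is being visited.

```javascript
// Simplified model of a verified-email login (assumed structure, not BrowserID's format).
const crypto = require('crypto');

const sign = (obj, privateKey) =>
  crypto.sign(null, Buffer.from(JSON.stringify(obj)), privateKey).toString('base64');
const verify = (obj, sig, publicKey) =>
  crypto.verify(null, Buffer.from(JSON.stringify(obj)), publicKey, Buffer.from(sig, 'base64'));
const pem = (key) => key.export({ type: 'spki', format: 'pem' });

// Email provider: after the one-time address confirmation, signs a certificate
// binding the address to the browser's public key. No site name is involved.
function issueCertificate(providerKey, email, userPublicPem) {
  const body = { email, userKey: userPublicPem };
  return { body, sig: sign(body, providerKey) };
}

// Browser: signs a short-lived assertion scoped to exactly one site.
function makeAssertion(userKey, cert, audience, now) {
  const body = { audience, expires: now + 120000 };
  return { cert, body, sig: sign(body, userKey) };
}

// Website: verifies both signatures offline. Returns the email or null.
function verifyAssertion(a, providerPublic, expectedAudience, now) {
  if (!verify(a.cert.body, a.cert.sig, providerPublic)) return null; // forged binding
  const userPublic = crypto.createPublicKey(a.cert.body.userKey);
  if (!verify(a.body, a.sig, userPublic)) return null;               // not the key holder
  if (a.body.audience !== expectedAudience) return null;             // replayed from another site
  if (now > a.body.expires) return null;                             // stale assertion
  return a.cert.body.email;
}

// Constructed demo values: one provider, one user, two sites.
function demo() {
  const provider = crypto.generateKeyPairSync('ed25519');
  const user = crypto.generateKeyPairSync('ed25519');
  const now = Date.now();
  const cert = issueCertificate(provider.privateKey, 'alice@example.org', pem(user.publicKey));
  const a = makeAssertion(user.privateKey, cert, 'https://site-a.example', now);
  return {
    ok: verifyAssertion(a, provider.publicKey, 'https://site-a.example', now),
    wrongSite: verifyAssertion(a, provider.publicKey, 'https://site-b.example', now),
    expired: verifyAssertion(a, provider.publicKey, 'https://site-a.example', now + 600000),
  };
}
console.log(demo());
```

The audience and expiry checks are what stop one site from replaying a captured assertion against another; dropping either check leaves the signatures valid but the login forgeable by any site the user has visited.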
While BrowserID is still explicitly being labelled as “experimental”, Mozilla has already put up a small tutorial for interested developers. They’ve also set up a simple demo over at http://myfavoritebeer.org/ for people to try out. If you want to check out the code, you can do so on GitHub. It will be interesting to see if this takes off as Mozilla hopes. You can watch a brief intro video below, presented by Dan Mills.