Mozilla Proposes Master Password System - InformationWeek
Mobile // Mobile Applications
06:35 PM
Connect Directly
7 Key Cloud Security Trends Shaping 2017 & Beyond
Dec 15, 2016
Cloud computing is enabling business transformation as organizations accelerate time to market and ...Read More>>

Mozilla Proposes Master Password System

BrowserID aspires to solve the problems posed by passwords, even if OpenID is already on the case.

Mozilla's Webian Shell: A Web-Only Operating System Layer
Slideshow: Mozilla's Web-Only Operating System
(click image for larger view and for slideshow)
Mozilla on Thursday introduced BrowserID, a system for signing in to different websites using a single email address as a common account identity.

BrowserID aims to relieve users of the burden of maintaining different user IDs and passwords for every site. Of course, not everyone bears this burden: Many users disregard security advice and maintain identical or similar account names and passwords across different websites.

BrowserID could also help developers by alleviating the need to implement email verification and by allowing developers' sites to provide a better user experience.

The way the system is supposed to work is simple for the end user: Click a sign-in icon at a BrowserID-compliant site, get redirected to the BrowserID site, enter one's email address and a new master password, receive a verification email, and click on the verification link. Thereafter, clicking a sign-in icon at any BrowserID-compliant site allows the user to login using his or her verified email address, simply by selecting the address from a menu.

On a technical level, BrowserID is a cryptographic scheme to prove email account ownership to a given website.

While major web companies may prefer that users accept their login and identity systems, Mozilla's Dan Mills suggests users are better off trusting an open-source, community-focused organization.

"Outsourcing login and identity management to large providers like Facebook, Twitter, or Google is an option, but these products also come with lock-in, reliability issues, and data privacy concerns," he said in a blog post.

OpenID, a decentralized authentication system supported by AOL, Google, IBM, PayPal, and Yahoo, among others, was meant to provide just such a non-proprietary alternative. But Mozilla argues that OpenID falls short.

"What we've learned from several years of experience with OpenID (and related protocols) is that this isn't quite good enough: establishing an identity token, in isolation from the rest of the web, doesn't actually help a site engage with its users," the company says on its website.

Mozilla acknowledges that its system requires further work before it is secure. For example, the company's documentation notes that a mail host administrator could take control of users' email accounts, a risk for any system but one of particular concern if one's email address becomes a means of authentication across the web.

The problem however goes beyond ill-intentioned administrators: Establishing a system that makes email accounts the keys to every website would only increase efforts by malicious hackers to take over email accounts. Law enforcement authorities might also recognize the value of a key that opens every locked account associated with a given user.

But BrowserID also has advantages beyond ease of use and deployment: It has been implemented entirely in HTML and JavaScript and it doesn't leak information back to any server about the sites a user visits.

Mozilla is encouraging interested parties to visit the BrowserID website to try the system out and perhaps contribute code to improve it.

Black Hat USA 2011 presents a unique opportunity for members of the security industry to gather and discuss the latest in cutting-edge research. It happens July 30-Aug. 4 in Las Vegas. Find out more and register.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll