Mozilla Proposes Master Password System

BrowserID aspires to solve the problems posed by passwords, even if OpenID is already on the case.

Mozilla on Thursday introduced BrowserID, a system for signing in to different websites using a single email address as a common account identity.

BrowserID aims to relieve users of the burden of maintaining different user IDs and passwords for every site. Of course, not everyone bears this burden: Many users disregard security advice and maintain identical or similar account names and passwords across different websites.


BrowserID could also help developers by alleviating the need to implement email verification and by allowing developers' sites to provide a better user experience.

The way the system is supposed to work is simple for the end user: Click a sign-in icon at a BrowserID-compliant site, get redirected to the BrowserID site, enter one's email address and a new master password, receive a verification email, and click the verification link. Thereafter, clicking a sign-in icon at any BrowserID-compliant site lets the user log in with his or her verified email address, simply by selecting the address from a menu.

On a technical level, BrowserID is a cryptographic scheme to prove email account ownership to a given website.

While major web companies may prefer that users accept their login and identity systems, Mozilla's Dan Mills suggests users are better off trusting an open-source, community-focused organization.

"Outsourcing login and identity management to large providers like Facebook, Twitter, or Google is an option, but these products also come with lock-in, reliability issues, and data privacy concerns," he said in a blog post.

OpenID, a decentralized authentication system supported by AOL, Google, IBM, PayPal, and Yahoo, among others, was meant to provide just such a non-proprietary alternative. But Mozilla argues that OpenID falls short.

"What we've learned from several years of experience with OpenID (and related protocols) is that this isn't quite good enough: establishing an identity token, in isolation from the rest of the web, doesn't actually help a site engage with its users," the company says on its website.

Mozilla acknowledges that its system requires further work before it is secure. For example, the company's documentation notes that a mail host administrator could take control of users' email accounts, a risk for any system but one of particular concern if one's email address becomes a means of authentication across the web.

The problem, however, goes beyond ill-intentioned administrators: Establishing a system that makes email accounts the keys to every website would only increase efforts by malicious hackers to take over email accounts. Law enforcement authorities might also recognize the value of a key that opens every locked account associated with a given user.

But BrowserID also has advantages beyond ease of use and deployment: It has been implemented entirely in HTML and JavaScript and it doesn't leak information back to any server about the sites a user visits.

Mozilla is encouraging interested parties to visit the BrowserID website to try the system out and perhaps contribute code to improve it.

