Mozilla Proposes Master Password System - InformationWeek
Mobile // Mobile Applications
06:35 PM
Connect Directly
[Dark Reading Crash Course] Finding & Fixing Application Security Vulnerabilitie
Sep 14, 2017
Hear from a top applications security expert as he discusses key practices for scanning and securi ...Read More>>

Mozilla Proposes Master Password System

BrowserID aspires to solve the problems posed by passwords, even if OpenID is already on the case.

Mozilla's Webian Shell: A Web-Only Operating System Layer
Slideshow: Mozilla's Web-Only Operating System
(click image for larger view and for slideshow)
Mozilla on Thursday introduced BrowserID, a system for signing in to different websites using a single email address as a common account identity.

BrowserID aims to relieve users of the burden of maintaining different user IDs and passwords for every site. Of course, not everyone bears this burden: Many users disregard security advice and maintain identical or similar account names and passwords across different websites.

BrowserID could also help developers by alleviating the need to implement email verification and by allowing developers' sites to provide a better user experience.

The way the system is supposed to work is simple for the end user: Click a sign-in icon at a BrowserID-compliant site, get redirected to the BrowserID site, enter one's email address and a new master password, receive a verification email, and click on the verification link. Thereafter, clicking a sign-in icon at any BrowserID-compliant site allows the user to login using his or her verified email address, simply by selecting the address from a menu.

On a technical level, BrowserID is a cryptographic scheme to prove email account ownership to a given website.

While major web companies may prefer that users accept their login and identity systems, Mozilla's Dan Mills suggests users are better off trusting an open-source, community-focused organization.

"Outsourcing login and identity management to large providers like Facebook, Twitter, or Google is an option, but these products also come with lock-in, reliability issues, and data privacy concerns," he said in a blog post.

OpenID, a decentralized authentication system supported by AOL, Google, IBM, PayPal, and Yahoo, among others, was meant to provide just such a non-proprietary alternative. But Mozilla argues that OpenID falls short.

"What we've learned from several years of experience with OpenID (and related protocols) is that this isn't quite good enough: establishing an identity token, in isolation from the rest of the web, doesn't actually help a site engage with its users," the company says on its website.

Mozilla acknowledges that its system requires further work before it is secure. For example, the company's documentation notes that a mail host administrator could take control of users' email accounts, a risk for any system but one of particular concern if one's email address becomes a means of authentication across the web.

The problem however goes beyond ill-intentioned administrators: Establishing a system that makes email accounts the keys to every website would only increase efforts by malicious hackers to take over email accounts. Law enforcement authorities might also recognize the value of a key that opens every locked account associated with a given user.

But BrowserID also has advantages beyond ease of use and deployment: It has been implemented entirely in HTML and JavaScript and it doesn't leak information back to any server about the sites a user visits.

Mozilla is encouraging interested parties to visit the BrowserID website to try the system out and perhaps contribute code to improve it.

Black Hat USA 2011 presents a unique opportunity for members of the security industry to gather and discuss the latest in cutting-edge research. It happens July 30-Aug. 4 in Las Vegas. Find out more and register.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll