Authentication

Introducing BrowserID – easier and safer authentication on the web

Security on the web is more important than ever. Almost weekly reports of exploits and leaks of personal information make it hard for many people to trust the internet.

One of the main annoyances is that every service expects us to have a login and a password. As we use lots of services, this means we have to remember a lot of login names and passwords. People deal with this in various ways. The most dangerous is reusing one simple password across different services. Another way is to not bother remembering your secure password and instead reset it every time you come back to the site you want to access, by going through a verification by email. This can also be a very dangerous approach, especially when the site you log in to sends your password in plain text rather than forcing you to create a new one. In any case, you spend a lot of time running in circles between you, the site you want to access and your email client.

There have been a few ideas in the past on how to work around the issue of logins and passwords. OpenID was the most ambitious one, but it failed to get traction in the mainstream market, as having a URL as your identifier seemed alien to a lot of end users.

Taking the lessons learned from the mistakes of OpenID and other approaches, Mozilla Labs is now proposing BrowserID, which moves from domains and sites to e-mail addresses as your main identifier. In essence, we promote the “password recovery” mechanism of the traditional login approach to your main point of access.

What is BrowserID?

BrowserID aims to offer you one single log-in to web sites and services, connected through your e-mail address (with the option to add more than one e-mail to the same account). The core idea is that you will always remember your e-mail address instead of a made-up user name or URL.

The main pillars of BrowserID are:

  • Ease of use
  • Security
  • Cross-browser implementation
  • Decentralized, web-wide validation
  • Improved experience in future browsers
  • Respecting the privacy of the user

Using one e-mail address and a master password, you only need to activate and verify your account once. BrowserID is built on the Verified E-mail Protocol, so it has security built in. Furthermore, it offers a verification service that web sites can check assertions against.

It works cross-browser, both on desktop and mobile, and it is decentralized, so that anyone can choose to implement it on their web site. Respecting user privacy is a very important factor for Mozilla. Therefore no information about your BrowserID usage is shared with any service (check the BrowserID Privacy statement for more information).

What makes it even more enticing in the long run is that BrowserID could be implemented natively in the web browser, for example through the URL bar, where the user could choose to log in or out. This would make it an even stronger measure against phishing and other attacks, and give end users the most consistent and reliable experience.

Try it out

If you want to try an example, you can go to the TextChannels web site, create a BrowserID account and sign in with it.

After you have created a BrowserID account at TextChannels, you can go to our other test web site and see how easy the experience is when you have a BrowserID account.

Here is a video explaining the procedure:

How to implement BrowserID

If you want to use BrowserID in a web site, you have to go through three main steps:

  1. Enable BrowserID
  2. Identify the user
  3. Verify the User’s Identity

Enabling BrowserID is quite easy: simply include the BrowserID JavaScript in your web page. Then add an event handler to a sign-in button in your web page. This button will be used to identify the user. When that is done, you need to verify that user’s identity on the server side. This can easily be done through the BrowserID verification service.

Here’s some complete sample code:

<img id="sign-in" src="https://browserid.org/i/sign_in_green.png" alt="Sign in">

<script src="https://browserid.org/include.js"></script>
<script>
  document.getElementById("sign-in").addEventListener("click", function () {
    // Opens the BrowserID dialog. The callback receives an assertion
    // (a signed statement that the user controls an e-mail address) or null.
    navigator.id.getVerifiedEmail(function (assertion) {
      if (assertion) {
        // User has successfully selected an email address they control
        // to sign in with. The assertion is now sent to the server for
        // verification; never trust it on the client alone.
      } else {
        // The user is not logged in
      }
    });
  }, false);
</script>

When you have received the assertion, send a request to https://browserid.org/verify with two GET parameters, assertion and audience (the site the assertion was created for). For instance:

$ curl "https://browserid.org/verify?assertion=<ASSERTION>&audience=mysite.com"
{
  "status": "okay",
  "email": "lloyd@mozilla.com",
  "audience": "mysite.com",
  "valid-until": 1308859352261,
  "issuer": "browserid.org:443"
}
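As an added example (not code from the original post or from BrowserID itself), here is the server-side part in Node.js: building the verify request from the two parameters above, and checking the verifier's JSON response before trusting the e-mail. The response fields are the ones shown above; the function names and the audience-and-expiry checks are this example's own.

```javascript
// Server-side handling of a BrowserID verifier response (added example).
// VERIFIER and the response fields (status, email, audience, valid-until,
// issuer) are taken from the post; everything else is an assumption.
const VERIFIER = "https://browserid.org/verify";

// Build the GET request the post describes: two parameters, assertion and audience.
function buildVerifyUrl(assertion, audience) {
  const params = new URLSearchParams({ assertion: assertion, audience: audience });
  return VERIFIER + "?" + params.toString();
}

// Decide whether a verifier response proves that the user owns the e-mail.
// `expectedAudience` is this site's own host; `now` is milliseconds since epoch.
// Returns { ok: true, email } or { ok: false, reason }.
function checkVerifierResponse(body, expectedAudience, now) {
  let res;
  try {
    res = JSON.parse(body);
  } catch (e) {
    return { ok: false, reason: "malformed response" };
  }
  if (res.status !== "okay") {
    return { ok: false, reason: "verifier rejected assertion" };
  }
  // The audience must be this site; otherwise an assertion issued for
  // another site could be replayed here.
  if (res.audience !== expectedAudience) {
    return { ok: false, reason: "audience mismatch" };
  }
  // valid-until is a millisecond timestamp; reject expired assertions.
  if (typeof res["valid-until"] !== "number" || res["valid-until"] <= now) {
    return { ok: false, reason: "assertion expired" };
  }
  if (typeof res.email !== "string" || res.email.indexOf("@") < 1) {
    return { ok: false, reason: "no e-mail in response" };
  }
  return { ok: true, email: res.email };
}

// Constructed sample: the response body shown in the post.
const SAMPLE_OK = JSON.stringify({
  status: "okay",
  email: "lloyd@mozilla.com",
  audience: "mysite.com",
  "valid-until": 1308859352261,
  issuer: "browserid.org:443",
});

console.log(checkVerifierResponse(SAMPLE_OK, "mysite.com", 1308859352260));
```

Only the e-mail returned by a response that passes all of these checks should be used to create the user's session.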

How does it work?

If you want to delve deeper into the flow and inner workings of BrowserID, check the How BrowserID Works article.

BrowserID is experimental – help us

Please note that while Mozilla Labs is putting a lot of work and thought into BrowserID, its current state is experimental. That means it is not recommended for use on any real-world production web sites at this moment.

BrowserID is something Mozilla believes to be very beneficial to the web, but we need your help! Please try BrowserID out as a user, play around with the code and give us feedback! We are working on making this a great asset for users and developers alike, and any input we get will make it easier and faster to reach that goal!

View full post on Mozilla Hacks – the Web developer blog


Sr. C# / Java Web Server Business Security Application Authentication Engineer

QinetiQ North America Chantilly, VA
Job description: …Solutions Group is seeking a Sr .Net Business Security Application Authentication Engineers for our program near Fairfax…and/or Apache and/or Tomcat and/or JBoss web servers. (possibly with WebLogic, WebSphere, others). … View full post on Dice.com – web security

View full post on WebProJobs.org


Authentication Services Tech Ops Analyst role

JPMorgan Chase Columbus, OH
Job description: …is required.   Other required skills: Intermediate knowledge of web server platforms, (e.g., iPlanet, Apache, IIS).Intermediate server administration skills, especially UNIX/Linux administration.Intermediate… View full post on Dice.com – web



PKI Authentication Engineer – contract to hire

Collabera Dallas, TX
Job description: …equivalent preferred Strong Authentication / PKI subject matter expert preferred To set up an interview please contact:Radhika PatelCollabera Ph: 704-893-3130radhika.patel@collabera.comWeb: www.collabera.com A CMMI Level 5 Organization View full post on Dice.com – web



Adaptive Authentication Java Developer

Clearbridge Technology Group NY, NY
Job description: …JAVA development experience (preferably with Java security) on Linux and AIX systems Deep understanding of Adaptive Authentication technologies on Linux and AIX systems Development experience on Java Adapters and Web Services Must possess excellent communication skills… View full post on Dice.com – web security



Authentication Specialist~

Symantec Mountain View, CA
Job description: …authentication and verification) of new and renewal customer enrollments to ensure the delivery of a trusted product The Authentication Specialist ensures the following tasks are completed by following our policies and procedures: o Determine if customer's… View full post on Dice.com – Search Specialist

