Mozilla tackles single sign-on with BrowserID

Launch of new project aims to make multiple logins and passwords a thing of the past.


Mozilla late yesterday launched a new experimental project, called BrowserID, to make it easier for users and developers to handle the sign-in process for websites.

The project uses existing email addresses to replace the login and password details for all of the sites a user may want to log into, such as Facebook, Google or Twitter.


Described by its development team as a "snazzy passphraseless login flow," the project uses a new 'Verified Email Protocol' from Mozilla that is based on public key cryptography.

Dan Mills, Mozilla Labs engineer, said in a blog posting that the open source protocol enables the project to offer this new approach to universal login.

"Sites get proof of ownership using public key cryptography," he wrote.

"But don't worry, we have a verification service so you can get started without writing a single line of crypto code."

When a user logs into a website, BrowserID intercepts the request and lets them choose any one of the email addresses they have already registered with the service to authenticate their login.

The one-time verification of email addresses when a user first registers with BrowserID allows the service to use crypto keys in order to vouch for the user's ownership of them, so the website that the user is signing into does not need to.
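A simplified model of the vouching flow described above, added here as an illustration: it is not code from Mozilla or the BrowserID project and does not reproduce the Verified Email Protocol's message formats. The function names, JSON fields, Ed25519 keys and the site/nonce binding are assumptions made for the sketch.

```javascript
const crypto = require('crypto');

// Verification service's key pair; websites only ever need the public half.
const service = crypto.generateKeyPairSync('ed25519');

// Registration (once): after confirming the user controls `email` (that step
// is outside this sketch), the service signs email + the user's public key.
function vouch(email, userPublicKey) {
  const userKeyPem = userPublicKey.export({ type: 'spki', format: 'pem' });
  const body = JSON.stringify({ email, userKeyPem });
  return { body, sig: crypto.sign(null, Buffer.from(body), service.privateKey) };
}

// Login: the browser signs a statement naming the site and the site's nonce.
function signLogin(userPrivateKey, site, nonce) {
  const body = JSON.stringify({ site, nonce });
  return { body, sig: crypto.sign(null, Buffer.from(body), userPrivateKey) };
}

// Website: returns the proven email address, or null if any check fails.
function verifyLogin(voucher, login, site, nonce, servicePublicKey) {
  const vBody = Buffer.from(voucher.body);
  if (!crypto.verify(null, vBody, servicePublicKey, voucher.sig)) return null;
  const { email, userKeyPem } = JSON.parse(voucher.body);
  const userKey = crypto.createPublicKey(userKeyPem);
  if (!crypto.verify(null, Buffer.from(login.body), userKey, login.sig)) return null;
  const claimed = JSON.parse(login.body);
  // Reject statements made for another site or an earlier login attempt.
  if (claimed.site !== site || claimed.nonce !== nonce) return null;
  return email;
}

// Constructed sample data: one user, one site, one altered voucher.
function demo() {
  const user = crypto.generateKeyPairSync('ed25519');
  const voucher = vouch('alice@example.org', user.publicKey);
  const login = signLogin(user.privateKey, 'https://shop.example', 'nonce-1');
  const altered = { ...voucher, body: voucher.body.replace('alice', 'mallory') };
  const check = (v, site) => verifyLogin(v, login, site, 'nonce-1', service.publicKey);
  return {
    valid: check(voucher, 'https://shop.example'),          // vouched address
    alteredVoucher: check(altered, 'https://shop.example'), // signature fails
    otherSite: check(voucher, 'https://other.example'),     // wrong audience
  };
}

console.log(demo());
```

The website never sees a password and holds no per-user secret; it trusts only the service's public key, which is why the one-time email check can be reused across sites.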


The success of the service will depend largely on email service providers getting involved. In return, they will be able to access the data collected on the sites that users log into using BrowserID.

But Mozilla said this would still be a more secure method of password management, as the data will only reside on BrowserID servers.

While single sign-on systems like OpenID have been around for some time now, Mozilla said BrowserID offered a better alternative to identity token-based protocols because its keys worked with the authentication service already provided with email accessed via the web.

In the wiki documentation describing the Verified Email Protocol, Mozilla stated: "A number of web-scale identity proposals start by creating a new identity token, for example a user ID or personal URL, and go on to describe how to use that token to authenticate the user."

By using existing email addresses, Mozilla claims its system eliminates the need to register an identity token every time the user wants to log into a new website. It said this would make it easier for users and developers to adopt.

And the prototype uses JavaScript and HTML to enable its use on the latest web and mobile browsers.

The company has launched a new website to host links to the BrowserID source code and specifications, designed to encourage end users and website owners to get involved.
