Mozilla Labs, the makers of the Firefox browser and Thunderbird, have come up with an experimental browser-based single login system called Mozilla Persona. After a user has verified an email address by visiting a link sent to that inbox, he can claim ownership of it and use that email address together with a chosen password to log in at any site supporting Mozilla Persona. Very few sites support it at the moment; you will know a site does when it shows the Mozilla Persona logo.
The main advantages of Mozilla Persona are that it saves surfers from having to remember dozens of different usernames and passwords across sites, it does not leak information to the website you log in to, and it works across browsers; site authentication only needs JavaScript enabled to work.
The Mozilla Persona website acts as the authentication backend server holding users' email details, but anyone can run their own verification server: Mozilla Persona is a decentralized login system. When a user logs into a Mozilla Persona identity provider, a public/private encryption key pair is created inside the browser using JavaScript. The public key is then sent to the Mozilla Persona identity provider, where it is used to create a signed identity certificate, which is sent back to the user's browser for storage.
Any website requiring a user to log in with Mozilla Persona uses JavaScript to ask the user whether he wishes to log in. If he agrees, the browser sends the previously stored identity certificate, digitally signed with that user's private encryption key, and the login server verifies the signature by asking the Mozilla Persona identity provider for the user's public encryption key, making sure the digital signature is valid.
The disadvantages of Mozilla Persona are that websites need to support it, and since many already support OpenID, Google Account login, Twitter and Facebook Connect, they will be wondering whether they really need to add yet another login plug-in. Another downside is that if your Mozilla Persona provider goes down you will be unable to log in to dozens of sites. This is what happened to my OpenID provider some time ago, and it was then that I decided not to use OpenID anymore; failure of the authentication server, or a denial of service attack against it, constitutes a huge risk.
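To make the certificate-and-assertion flow described above concrete, here is an added example (not Mozilla's code, and not the original post's) that models the three parties in Python with only the standard library: the identity provider signs a certificate binding the email address to the browser-generated public key, the browser signs a short-lived assertion bound to the site it is logging in to, and the site checks both signatures, the audience and the expiry. The RSA-over-SHA-256 signing, the field names (`email`, `pubkey`, `aud`, `exp`) and the lookup of the provider's key by email domain are assumptions chosen for illustration; the real Persona protocol used JWT-style tokens and production-size keys.

```python
"""Added example: the Persona / BrowserID certificate chain, modelled with
textbook RSA built on the Python standard library only.  Illustrative code,
not Mozilla's implementation; field names and key sizes are assumptions."""
import hashlib
import json
import random
import time

# --- toy RSA over SHA-256 digests (stdlib only, for illustration) ----------

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=1024):
    """Return (public, private): public = {n, e}, private = {n, d}."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}

def _digest(payload):
    """Canonical JSON so signer and verifier hash identical bytes."""
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big")

def sign(private, payload):
    return pow(_digest(payload), private["d"], private["n"])

def verify(public, payload, signature):
    return pow(signature, public["e"], public["n"]) == _digest(payload)

# --- the three parties -----------------------------------------------------

def idp_issue_certificate(idp_private, email, user_public, ttl=3600):
    """Identity provider: sign the browser's public key for this email address."""
    cert = {"email": email, "pubkey": user_public, "exp": int(time.time()) + ttl}
    return {"cert": cert, "sig": sign(idp_private, cert)}

def browser_create_assertion(user_private, certificate, audience, ttl=120):
    """Browser: prove possession of the private key, bound to the site (audience).
    The identity provider is not contacted at this step."""
    assertion = {"aud": audience, "exp": int(time.time()) + ttl}
    return {"certificate": certificate, "assertion": assertion,
            "sig": sign(user_private, assertion)}

def site_verify(bundle, expected_audience, idp_public_keys, now=None):
    """Relying site: IdP signature on the cert, user signature on the assertion,
    audience binding and expiry.  Returns the verified email or None."""
    now = now if now is not None else int(time.time())
    cert, assertion = bundle["certificate"]["cert"], bundle["assertion"]
    idp_public = idp_public_keys.get(cert["email"].rsplit("@", 1)[-1])
    if idp_public is None or not verify(idp_public, cert, bundle["certificate"]["sig"]):
        return None
    if cert["exp"] <= now:
        return None
    if not verify(cert["pubkey"], assertion, bundle["sig"]):
        return None
    if assertion["aud"] != expected_audience or assertion["exp"] <= now:
        return None
    return cert["email"]

def demo():
    """Constructed walk-through: one good login plus three rejected bundles."""
    idp_pub, idp_priv = generate_keypair()
    user_pub, user_priv = generate_keypair()
    trusted = {"example.com": idp_pub}          # site's list of known providers
    cert = idp_issue_certificate(idp_priv, "jdoe@example.com", user_pub)
    good = browser_create_assertion(user_priv, cert, "https://site.example")
    # same bundle with the audience edited but no private key to re-sign it
    retargeted = dict(good, assertion=dict(good["assertion"], aud="https://other.example"))
    return {
        "accepted": site_verify(good, "https://site.example", trusted),
        "wrong_audience": site_verify(good, "https://other.example", trusted),
        "tampered": site_verify(retargeted, "https://other.example", trusted),
        "unknown_idp": site_verify(good, "https://site.example", {}),
    }

if __name__ == "__main__":
    print(demo())
```

The `aud` field is what stops a site that receives a valid assertion from replaying it at another site, and the short assertion lifetime limits how long a captured one stays useful; the `unknown_idp` case shows that the site's own list of trusted provider keys, not anything in the bundle, decides which certificates count.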
Mozilla Persona vs OpenID
OpenID is a more seasoned one-click authentication system that shares some common ground with Mozilla Persona: both systems need only a single username and password to log in across multiple sites, and both act as a third-party authentication server working across browsers. The main differences are:
- Mozilla Persona does not involve the identity provider in the login process, whereas OpenID identity providers are part of the authentication process. This means that OpenID identity providers are aware of the sites you are a member of; Mozilla Persona protects your login activities from identity providers, OpenID does not.
- Mozilla Persona has been designed to integrate tightly with the browser, with the login process taking place within it (a Firefox add-on is in the making); OpenID redirects you to a website for the login process to take place.
- Mozilla Persona always identifies users by their email address; the OpenID authentication process does not always involve a user's email address.
Mozilla Persona conclusion
I fail to see how Mozilla Persona is any better than a password manager. Mozilla Persona simplifies login across multiple sites by needing only a single password, but a password manager will automatically fill in your username and password so you never have to type them; all you need to know is the master password, just like with a Mozilla Persona ID.
Mozilla Persona can be a good replacement for those endangering their privacy by using Facebook Connect and Twitter accounts to log in at other sites: by using Facebook Connect you are giving third-party companies access to private data, and Mozilla Persona, like OpenID, will stop that. But I do not see myself using Mozilla Persona any time soon.
I am very happy with my offline password manager, and I believe it is a much more secure login system than using a server that I have never seen or audited to manage my login credentials for dozens of sites.
Note: Mozilla Persona used to be called BrowserID; this post has been updated accordingly.
steelman
BrowserID requires an identity provider just like OpenID. The difference is that it’s not supposed to be someone new. Instead it is going to be your mailbox provider. This is because the discovery process involves a web server with Webfinger data on it associated with every (or nearly every, see secondary identity authorities) mail domain. And that is simply because there is no other protocol to query a write-only resource like jdoe@example.com.
BrowserID is better than a password manager because it is a protocol. A password manager needs some, and sometimes a lot of, AI to figure out how to fill in the login form. It’s an ugly hack. BrowserID on the other hand is more like HTTP authentication. It’s just one layer above.
As far as security goes, most sites today use e-mail confirmation during registration or password recovery (how many of them encrypt login forms?). BrowserID automates this protocol. I feel it’s more about UX than security (however, the crypto parts of BrowserID look quite solid) and I am fine with it. There are sites, however, that I do not wish to use it for, and for which I keep passwords encrypted in my pocket (KeepassMobile).
Best regards,
s.
Caitlin
Hello Steelman,
Thank you for your contribution. You highlight some very important points about BrowserID and it is an excellent and lucid case in favour of BrowserID, but I am just very happy with my offline password manager (StickyPassword) and I don’t see any sturdy reason for me to give it up in exchange for something else. I am very wary of trusting online services; I’d rather go offline and have total control over my usernames and passwords whenever that is possible.
I trusted LastPass with my usernames and passwords in the past until they had what they called a “possible hacking incident”. I learned my lesson: no matter how good a company says their servers are (LastPass always claimed they were hacker proof), nothing is hacker proof, and when it comes to servers storing data worth lots of money, there will be hacking attempts for sure. So I’d rather go paranoid with my data and store it encrypted locally on my own computer; even if I lose features, I get extra peace of mind.
Best wishes,
Caitlin
steelman
I use an offline password manager for some sites too. The important ones, like my web hosting, the root password for some server, etc. However, there are several sites that are somewhat less important for me. Or maybe I should say that the damage that can be done to me (I hope the sites have security measures good enough to prevent damage I can do) by someone impersonating me is not so critical. Let’s call it “risk management”. In fact I don’t use any online password manager at all, but I put those less critical passwords in an unencrypted store in my browser. Why? Because it’s easier than switching half a gross times a day.
I don’t recommend anyone using OpenID or BrowserID for stuff that is really important. But like in real life, there are places (clubs, gyms, cinemas) where you identify yourself with a piece of plastic that is a lot easier to counterfeit than BrowserID crypto, and you don’t care that much if you lose that card. BrowserID is a way of quite (95% for me) accurate identification. Imagine going to a swimming pool where you bought a one-month pass and you don’t have to keep any card with you (think of managing username/password pairs for websites) because the guy at the door knows you well enough to just ask your name and knows if you’re telling the truth. Really knows, not only trusts.
(Phew, that’s getting long)
As far as the SPOF problem you’ve got with LastPass goes, I recommend taking advantage of the distributed design and running your own OpenID/BrowserID authority. I do it and I am quite sure no one would try to hack a well protected host (I trust my web hosting company does a good job) just to get a single set of credentials for not-so-important sites.
Best regards,
s.
Anonymous
BrowserID aims to pull authentication entirely within the browser. The current provider via browserid.org exists for compatibility purposes, and via browserid.org I can understand why it doesn’t look much better than OpenID from a user’s perspective (though from a technical perspective I think the protocol seems saner). But once it gets pulled into the browser, it provides single-sign-on via crypto, with no passwords involved, and no dependence on a third-party authentication provider.