Saturday, July 16, 2011

Mozilla's BrowserID: Is it a better way to sign in?

Mozilla recently announced a new effort to improve authentication to websites from the browser.  I applaud Mozilla for attempting to solve a very real and pressing problem for the average person.  However, I would have preferred if they had taken a different approach.  Here are a few problems I have with BrowserID.

Identity is based on email address.

I don't see a way to use BrowserID unless there is a one-to-one relationship between an email address and an account on a web site. While I would highly suggest a site use email as the identity for authentication, sometimes it isn't possible or desired. If you're an existing site with a large base of users, it can be a challenge to completely switch over to email address as the identity. Some sites also need users to be able to create many aliases, which, while possible with email addresses, is more than most users can manage.

It's complex for the user.

Someone wanting to use BrowserID to authenticate to a site must first complete the initial process of setting up the email account they want to use with the browser and the centralized authority.  While not hard, it is an extra step that doesn't seem very obvious.

It's complex to implement.
I've read through all the documentation and I'm not 100% sure I know how the complete process works.  Part of my confusion may be the way they've layered the documentation, from a simple YouTube video of the user experience down to source code.  There is no single, completely comprehensive document to read yet.  Fairly new technologies are used as part of the system and have their own layers of complexity.

I can't implement anything as critical as an authentication system until I know how everything works from beginning to end.  I'm sure this will improve with time, but it's complex enough that I keep discovering new bits and pieces of how the system truly works as I read more docs and code.  As an example, I didn't know BrowserID used WebFinger until I started reading about the Verified Email Authentication Protocol, another piece of technology used by BrowserID.
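To make the relying-party end of the flow concrete, here is an added example (not code from the original post, and not Mozilla's BrowserID code) of what a site has to check once the central verifier has answered, plus a small local directory that lets one site account own several verified email addresses, which is the gap the first section above raises. The shape of the verifier response (`status`, `email`, `audience`, `expires`, `issuer`), the site origin `https://example.com`, the issuer list, and all sample responses are assumptions constructed for the example.

```javascript
// Added example, not code from the original post or from Mozilla's BrowserID.
// Assumption: the verifier answers with JSON of the form
//   { status: "okay", email, audience, expires, issuer }   on success, or
//   { status: "failure", reason }                          on failure,
// with `expires` in milliseconds since the epoch. The checks below only
// depend on those fields existing under some name.

const ACCEPTED_ISSUERS = new Set(["browserid.org"]); // assumption: the central authority

// Site policy: compare addresses case-insensitively after trimming whitespace.
// Not a full RFC 5322 parse: one '@' with something on both sides.
function normalizeEmail(email) {
  if (typeof email !== "string") return null;
  const e = email.trim().toLowerCase();
  const at = e.indexOf("@");
  if (at <= 0 || at !== e.lastIndexOf("@") || at === e.length - 1) return null;
  return e;
}

// Validate the verifier's response. `expectedAudience` is this site's own
// origin; `nowMs` is injected so the expiry check is deterministic.
function checkVerifierResponse(resp, expectedAudience, nowMs) {
  if (!resp || resp.status !== "okay") {
    return { ok: false, reason: "verifier did not report success" };
  }
  // Audience binding: an assertion minted for another site must be rejected,
  // otherwise that site could replay a user's assertion against this one.
  if (resp.audience !== expectedAudience) {
    return { ok: false, reason: "audience mismatch: " + resp.audience };
  }
  if (typeof resp.expires !== "number" || !(resp.expires > nowMs)) {
    return { ok: false, reason: "assertion expired or has no expiry" };
  }
  if (!ACCEPTED_ISSUERS.has(resp.issuer)) {
    return { ok: false, reason: "untrusted issuer: " + resp.issuer };
  }
  const email = normalizeEmail(resp.email);
  if (email === null) return { ok: false, reason: "malformed email in assertion" };
  return { ok: true, email };
}

// The site's own user store. Accounts are keyed by a site-chosen user id and
// any number of verified addresses may be linked to one account, so the site
// does not have to make email *the* identity to accept BrowserID logins.
class AccountDirectory {
  constructor() {
    this.userByEmail = new Map();   // normalized email -> userId
    this.emailsByUser = new Map();  // userId -> Set of normalized emails
  }
  createAccount(userId, emails) {
    if (this.emailsByUser.has(userId)) throw new Error("account exists: " + userId);
    // Validate every address before committing anything.
    for (const raw of emails) {
      const e = normalizeEmail(raw);
      if (e === null) throw new Error("bad email: " + raw);
      if (this.userByEmail.has(e)) {
        throw new Error(e + " already linked to " + this.userByEmail.get(e));
      }
    }
    this.emailsByUser.set(userId, new Set());
    for (const raw of emails) this.linkEmail(userId, raw);
    return userId;
  }
  // A verified address must resolve to exactly one local account, so refuse
  // to link one that already belongs to someone else.
  linkEmail(userId, raw) {
    const e = normalizeEmail(raw);
    if (e === null) throw new Error("bad email: " + raw);
    const owner = this.userByEmail.get(e);
    if (owner !== undefined && owner !== userId) {
      throw new Error(e + " already linked to " + owner);
    }
    this.userByEmail.set(e, userId);
    this.emailsByUser.get(userId).add(e);
  }
  lookup(raw) {
    const e = normalizeEmail(raw);
    return e === null ? undefined : this.userByEmail.get(e);
  }
}

// Full relying-party decision: verifier response -> local user id, or a reason.
function signIn(resp, expectedAudience, nowMs, directory) {
  const check = checkVerifierResponse(resp, expectedAudience, nowMs);
  if (!check.ok) return check;
  const userId = directory.lookup(check.email);
  if (userId === undefined) {
    return { ok: false, reason: "no account linked to " + check.email };
  }
  return { ok: true, userId, email: check.email };
}

// Constructed sample data (not real verifier output).
const SITE = "https://example.com";
const NOW = 1310860800000; // 2011-07-17T00:00:00Z
const directory = new AccountDirectory();
directory.createAccount("u-1001", ["Alice@example.org", "alice.work@example.net"]);
const GOOD = { status: "okay", email: "alice@example.org", audience: SITE,
               expires: NOW + 60000, issuer: "browserid.org" };
const WRONG_SITE = { ...GOOD, audience: "https://evil.example" };
const STALE = { ...GOOD, expires: NOW - 1 };
```

The audience check is the one that matters most: without it, a verified assertion obtained by one site is a valid login token for every other site that trusts the same verifier.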
