The Mozilla Identity Team recently released BrowserID, a user-centric identity initiative that uses email as the identifier. The Drupal community, typically quick to support open identity protocols, released support within 24 hours, which shows how easy it is to implement.
If you read my recent post on the OpenID Foundation, you will know I am disappointed in the direction of OpenID. I am encouraged that BrowserID has many of the core features I was hoping would emerge in OpenID v.Next. There has been a reasonable amount of online coverage of BrowserID, what it is, and how it compares to OpenID. I’ll focus on what I think are important issues that I have not seen covered.
User-centric
Unlike OpenID Connect, BrowserID is user-centric, a.k.a. Identity 2.0. With the demise of InfoCards and the service-centric approach of OpenID Connect, it is encouraging to see the emergence of user-centric proposals. While in some ways subtle, I think this is an overlooked feature.
Email as Identifier for Others
There has been plenty of discussion of the pros and cons of using email as an identifier. There is an important pro that seems to be missed: it is the only widely adopted, non-proprietary identifier for other people. When we want to share information or communicate with someone online, we usually have an email address for the other person. With the rise of sharing online as supported by Zuckerberg’s Law of Social Sharing, a critical function of an identity system is how we identify other people.
Will BrowserID Succeed?
At IIW 11 I led a session on the Decline of User-Centric Identity, which tried to cover the reasons why InfoCards and OpenID failed to provide a widespread, user-centric identity solution.
Business Motivation: While the idealists amongst us are keen to promote the “Open Web”, the business reality of running a website will trump idealism for most sites. The BrowserID web site answers questions about how to implement BrowserID, but punts on why an Identity Provider should implement it, and there is no mention of why a Relying Party will implement it. Without appropriate financial incentives, there will be no widespread adoption. The financial incentives of course tend to be indirect: my site has less friction for user registration, I have a deeper relationship with my users, etc.
Open Web: Facebook, and to a lesser degree, Twitter, are becoming the de facto identity services on the internet. I currently don’t see any motivation for either Facebook or Twitter to adopt BrowserID — they have their own identity systems which strengthen their respective positions as critical internet infrastructure. While idealists talk about the virtues of “open”, the business driver behind “open” has been to unseat incumbents. As a non-profit whose raison d’être is to ensure the web is open, it is clear why BrowserID came from Mozilla. But why would any of the other players participate? To succeed, the BrowserID community needs to figure out how to bring in enough other players that are motivated to have an alternative to Facebook and Twitter.
Non Browser Support: The web has evolved since the introduction of OpenID. Support for non-browser applications has become critical with the explosion of native mobile applications. Authenticating a user on a mobile device is more cumbersome than the traditional web SSO challenges, and a good solution to mobile SSO can gain significant traction because of the current pain. A number of us in the identity community have commented that if a good solution to mobile SSO emerges, that likely will become the web SSO solution. Unfortunately, BrowserID has been positioned as a web SSO solution, and the lack of native client support is an issue. While BrowserID has many of the right attributes, it may not succeed because it does not solve the new, emerging pain points.









I agree Dick. The motivation is very difficult to get going. I think the big motivation is the Social Web, but smaller players need to learn to take some risks. It's that or get squashed.
For Non Browser support WebID is the solution, that is webid running on the ssl stack, as every programming language supports ssl. As it happens I think it is easy for WebID and BrowserID to work together. But that is still being discussed. For WebId/BrowserId comparison, see:
Do URLs not go in here? http://security.stackexchange.com/questions/5406/…
Link to post on OpenID Foundation is broken.
Thanks Johannes, fixed.
Sometimes it's good to just start somewhere and make progress, instead of over-planning
In all honesty, as much as I like the idea of something like OpenID that integrates well, I'll probably only adopt BrowserID grudgingly. I'm already fairly used to using spamgourmet.com (or plain ordinary e-mail aliases on ssokolow.com if spamgourmet addresses are banned) to give every site its own e-mail address.
At least with OpenID, I could delegate ssokolow.com to a provider that'd let me fill in a new e-mail for each site. (And if they'd succeeded with their WebFinger integration idea, I could've had an email-like identifier that exhibited the same behaviour)
With BrowserID, I'd have to either refuse to use it or waste who knows how much time trying to find an equivalent to giving each site a different un-forgeable, revokeable token (spamgourmet e-mail alias) identifying who got hit by spambot harvesters this month.