Identity in the Browser

Mozilla

40

Weave ID video screencast

The current state of identity on the Web is not so great.

Much of the ongoing discussion and efforts around user identity on the Web focuses on tying identities to new or existing networks and using various protocols for federating it. User experience in general suffers as protocols for federation (e.g. OpenID) involve complex redirects which jump the user from page to page and leave them open to phishing attacks–not to mention other “ajax” methods which are even worse from a security standpoint.

So last week the Weave team took advantage of the Mozilla all-hands, and decided to sprint on the Weave Identity component to open it up to the Web. After only a few days of hacking we came up with some very exciting stuff to share!

Our sprint changes the browser to provide single-click login to sites with saved passwords as well as sites that support a federated identity (OpenID in this case). It also provides the option to automatically sign in when the page is loaded, essentially providing a single-sign-on-like experience regardless of the login method being used. In the case of OpenID, we intercept the login procedure and, taking advantage of the fact that you’re already logged into your browser, and then use Weave identity to let you into the site.

Why?

Something that often goes unsaid in the discussion about online identity is that while most websites right now require usernames and passwords, many people actually use the password manager feature in the browser–effectively turning their browser into a limited identity manager. So one of the things we can and should be looking at is how to improve the existing identity manager to better serve our users’ needs.

In this context, Weave Sync already improves it by synchronizing your login information across devices–so when I use Fennec I don’t need to type in my login information, because they get pulled down from the cloud. But we can go further, in two ways:

First, the Weave framework includes an identity component which is currently used exclusively for Weave Sync. What happens when we integrate it with the browser and open it up to content?

Second, part of the appeal of federated identity management is about single sign-on and automated provisioning. Can we improve the user experience of the current system to provide some of those features?

Part of the guiding force here is that we think that regardless of the inner mechanism (a federated identity, a simple username and password, or something else), in the end the action of logging in is essentially the same. Therefore, as the browser we should try to provide a similar experience, regardless of the method being used. As the user’s agent we should also strive to act on the user’s behalf when possible, and we believe this is one of those cases.

Keep in mind that this is just a prototype that we hacked together in a few of days, so there are some very rough edges. But we’re super excited about the possibilities already. When demoing it to people, they said things like “whoa! how did you do that?” and “I want this! How do I get it?”

The answer is, “soon”, or if you’re brave/impatient enough you can try it out right now by installing the latest Weave development snapshot. Please let us know what you think by posting on the Weave forum!

– Dan Mills, on behalf of the Weave development team

40 responses

  1. Ryan Li wrote on :

    Seems that the openid feature is removed now in Fx 4? I cannot login to my stackoverflow account any more.

  2. Dan Mills wrote on ::

    Randall,

    Not at this time, sorry! We are aware of the problem and are working on a solution.

  3. Randall wrote on ::

    I’ve been using Weave for a few months now, but just today I noticed that I’ve lost the ability to specify an OpenID provider when logging into openID Services (via RPX). All I see is a “sign in” button, which seems to be pulling the wrong openID provider.

    Is there any way to change this?

  4. Dan Mills wrote on ::

    Thanks for all the feedback everyone, we’ve learned a bunch with this experiment and will continue trying to improve this area of the Web.

    For those who have wondered what the theme is in the video, it is Personas, another Mozilla Labs project:

    http://www.getpersonas.com/

    The particular persona I used during the video is this one, you can try it after you install Personas:

    http://www.getpersonas.com/persona/06

  5. wushaoqin wrote on :

    By the way, I really like the firefox theme in this vedio, could you please give me a weblink or tell me the name? i am looking for it all the day….Thanks a lot.

  6. Mark wrote on ::

    Very nice idea. I still have some concerns about storing important info “in the cloud”. Could there be the option to only use local login data?

    Also, why stop at only login info that has already been filled in? Why couldn’t Mozilla detect login/signup forms, generate secure passwords, use a default email address, and simply store that? If using the cloud storage, the whole thing would involve only choosing to click a “Sign up using Weave” button, and we wouldn’t even have to know the password.

    This all does rest on the security of Weave and Firefox, of course.

  7. exavolt wrote on :

    I can’t register Weave account.
    I got through step 3. It asked to input words I can see in the image, but there’s no image.

  8. Galvorn wrote on :

    I can’t add mozilla’s openid to my wordpress blog. Now to log in I need to completely disable weave. There should be some way to enable/disable this on a page by page basis.

  9. Henry Story wrote on ::

    There is a way to use simple ssl certificates to get single sing on to work in existing browsers using the foaf+ssl ‘protocol’. See iPhone demo for example at

    http://blogs.sun.com/bblfish/entry/one_click_global_sign_on

    The advantage of that system is that it brings your social network with you. Perhaps this could be linked into weave too?

    For more on foaf+ssl see the specification:
    http://blogs.sun.com/bblfish/entry/foaf_ssl_adding_security_to

    There are a lot of examples on the foaf+ssl wiki, though we need to make them easier to understand.

  10. Mehrad wrote on :

    I used your add-on on a beta Firefox and it is really awesome.
    I have a question that maybe it seems a lilte bit wiered but your Theme on a Weave video guide is really a inspiring one. I really ilke it.
    I use Personas for Firefox and really wanna know which theme you use and is it for windows firefox edittion or not.

    Thanks in advance for a help ;)

  11. Charlie wrote on :

    Here’s something I don’t get: browsers, including firefox, already have an incredibly strong identity/authentication system built-in. They’ve had it for years. SSL certificates are a widely used, universally recognized standard in all kinds of situations where security is a major concern.

    Couldn’t we have some effort to simply make these things easier to work with in the browser ui? Like auto-generating a new keypair and self-signed certificate in the case where you guys are talking about auto-generating a strong password? Either of these is an impossible-to-remember chunk of data, so you might as well make it good.

    If browser makers, security experts, and the creators of some major websites could cooperate on this, I would think we could put together an awesome system where a user simply signs into the browser, and then has controls somewhere in the chrome for logging in and out of whatever site they’re on and controling what information they provide to that site.

  12. 墨尔本 wrote on ::

    I guess it’s a better solution to integrate identification in the browser.

  13. Wahid wrote on :

    Hey Dan
    Nice feature. I relly hope to see the weave integrated in coming FF release.

    just wondering what theme you are using in the demo? The theme and customization looks great. Can you pls let me know the name of the theme you are using?

  14. frank burns wrote on :

    I made a comment similar to this on another post and it goes like this; If every user that connects within the Google sites has their own preferred image, you run this image through the spectrograph at Stanford embedding code into it. If the image, one on your servers and one on the users home computer is tampered with then you would also have reasonable grounds to permanently ban that person from their accounts. The more you research into imagery the better Google bot will understand what to apply to it. Thank You

  15. Tigerix wrote on :

    @Daniel E:
    In response to your post.

    1. Isn’t it already strong!?

    2. An integrated random password generator should be a must have in Firefox!

    3. This would be excellent. As far as I know OpenID provides an easy way for 3rd party sites to access identity information.

    4. Storing Notes (even encrypted) would also be a very nice and useful addition to Firefox.
    So I would be able to store & show notes of pages I am visiting.

  16. Tigerix wrote on :

    Simply great guys!
    Can’t wait to get this feature live. :)

    PS: Since ages I wondered why people need to use extra software for this to do – it should be in the browser – so its great that Firefox is the first one to start with this off!!

  17. shahar Eldar wrote on ::

    well, this is all fine and good but I find that very often my browser is used by people other than myself, significant others, friends, and so on sometimes want to sit down at the computer and use it for a bit… it seems like any feature that auto-logs in would be an invitation for privacy issues, this in effect makes the browser like an OS… it would almost require a browser “guest mode” …

    just a few thoughts not really sure how to solve this issue

  18. Sir_Sid wrote on :

    Im very excited for this!

  19. Andrew Conkling wrote on ::

    Really like the idea. Quick feedback: the Location Bar button should only appear if the page supports sign-in. And there should be an option to turn it off. (Am I the only one who finds that additional buttons become accidental clicking points when subscribing to RSS or bookmarking?)

    Also, saving your passwords is only as good as your Firefox saved passwords, so you should probably set a Master Password to hide your Weave password and encryption passphrase. And if Firefox/Weave could consolidate all of the UI that’d be awesome. Three layers of passwords becomes unmanageable.

  20. Daniel wrote on ::

    wow this is such a goof idea, especially for users, however it duz have one small downfall with this feature anybody who has access to your computer when your not aeound can access your information on the sites.

  21. Daniel Einspanjer wrote on ::

    I’ve been using an extension called Sxipper for a while now to provide similar functionality. They had talked a while back about getting tighter integration with Weave to store their identity data, but adding this feature would make weave more of a competing service than a facilitating one.

    The major features that I have always looked for in a password manager are:
    1. Strong encryption with a master password
    2. Option to randomly generate and save a password for each site.
    3. Identity management – Ability to optionally fill in registration information such as name, address, and when purchasing something, credit card info. Obviously, feature #1 is an absolute requirement for me to use this.
    4. Easy backup and synchronization – I have hundreds of logins saved for all the different services I have found cause to register with over the years. I also use encrypted notes to store other information such as passwords to remote servers, and important personal information such as policy numbers.

  22. Ben wrote on :

    I installed Firefox 3.5 just to try this Add on and it did not disappoint! I really love the whole idea of Weave, and this new feature of being able to have one click login is great. Weave has the ability to replace other Add-ons that were good but did not work as well. I think that a complex password generator that would create complex passwords would be a great feature as suggested above. when you first sign up for a page you could click a generate button to create a complex password. Possibly using a hash of the website and user name, while using the master password as the key to generating the hash. I have enough passwords to remember so I am like everyone else and start using the same one’s over and over.

  23. Richard wrote on ::

    Installing the Weave Dev version on 3.5b4 (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4 (.NET CLR 3.5.30729)) causes an unresponsive script on browser start – can’t remember the exact file name, but it was something to do with NS and flush or something.

    Had to stick fx into safe-mode and uninstall the extension.

    If you want more details/for me to replicate and get exact filename let me know.

  24. Alexander wrote on ::

    Wow this is a great idea, like a few people said above, I don’t know why this hasn’t been done before, logging in to your browser and from their logging in automatically to any website is brilliant.

    And doing it with an existing extension is even better than having to install another one.

    Great job guys, keep up the great work done so far.

  25. cbeard wrote on ::

    @Chris Quackenbush: passwords are not stored in cleartext on the server, they are encrypted using AES2 encryption. we did this on purpose as we believe that no one besides you, the user, should have access to your personal data (including logins, bookmarks, browsing history, etc.) unless you explicitly delegate access, and even then, it should be secure & revocable. totally understandable that this isn’t clear though given the industry norm today is to give service providers full access to all of your data.

  26. Gil wrote on :

    @Chris Quackenbush: What makes you think it’s stored in cleartext?

    Anyway, this is great, really innovative and one of the reasons I keep coming back to Mozilla for my browsing.

  27. sky wrote on :

    This is absolutely great. One BIG required feature is a *Logout* button along with and integrated for Basic/Digest HTTP authentication.

    One of the big reasons sites stopped doing web authentication the right way, was that the integrated browser UI for logout was non-existent.

    Please don’t make that mistake the second time around.

  28. Johannes Ernst wrote on ::

    Excellent direction. Looking forward to seeing this move from a prototype into the Firefox main line.

    Have you considered implementing it in a way that does not require the use of Weave?

    Also, it will be paramount to support multiple identity providers; that will likely require some GUI support.

  29. Chris Quackenbush wrote on ::

    I’m sorry guys, but I have to strongly disagree with your entire approach here. Storing passwords in cleartext on the server is super dangerous. If this makes it into a release version of Firefox people will definitely use it for not only forums and bug trackers, but for banking and email passwords.
    Right now, FF stores passwords on my hard drive, so I can control the security of identity by controlling the physical security of my computer. I trust Mozilla, but what will happen if you make a mistake and a bunch of people have their identities stolen? This type of thing happens all the time. Maybe you guys have thought of this and are doing something clever to not store passwords in the clear, but this blog post didn’t seem concerned with security at all.

  30. Pascal Finette wrote on ::

    This is totally awesome – especially as it makes the whole OpenID process significantly more secure AND allows to get rid of persistent log-in cookies (Weave and/or the browser can simply delete them automatically as they are not needed anymore – which, as a side effect, solves quite a few problems with privacy and cross-site tracking).

    Nice.

  31. Shahid wrote on ::

    Dan – great work, it looks like Weave is doing great.

    Just one comment on the UI – I think the icon on the right of the URL bar makes a lot of sense, but it might be worth reducing it to a simple icon with only two states (much like the favourites icon). I see there are different colours right now, presumably for different login types – my opinion is that majority users don’t mind what their login type is, just whether they log in or not. Also, when you log out, the icon doesn’t go back to grey – I think it’d be great to be able to use it as a persistent UI element that tells you simply whether you’re logged in or not on the website you’re viewing right now.

    On another note, I like having this function both on the webpage itself AND in Chrome. Great for fullscreeners, those with different habits, and it doesn’t require folk to learn a new interaction. Great stuff!

  32. Mike Beltzner wrote on :

    Nice work, guys! I especially like how you’re skipping the “what’s the SSO/federation choice of the future” argument by just saying “meh, who cares, this is the browser’s responsibility.”

    This also has some great antiphishing implications, as it puts the sign-on ritual into chrome-space, which gives us the first step towards supporting better username/password exchange mechanisms like SRP.

  33. Kris Walker wrote on ::

    Wow, thanks to everyone on the weave team for sprinting through this and getting workable version out there to try out… And thanks for posting the video for those of us who do not have access to a weave server.

    I really believe the next generation of the web is going to depend much more heavily on the user agent, especially when it comes to authentication management. There is an interesting article on Read Write Web that brings this up several times ( http://www.readwriteweb.com/archives/firefox_could_be_the_real_facebook_challenger.php ).

    I wholeheartedly agree with this idea, but I think open ID is a weak implementation. The redirect required by open ID in combination with the more complex login is exposing too much of the raw underbelly of authentication to most users. To most of my test users, open ID seems harder to use… not easier. For this idea to jump into the mainstream, our community is going to need a better standard… Perhaps one based in the browser like the weave team demonstrated here?

  34. fabpsi wrote on :

    That’a great idea.
    I’m currently using LastPass addon for a similar experience (with a yubikey which is even more secure).

    The identity problem on the web is also a security one. It would be great if Firefox could deal with it.

  35. Mardeg wrote on :

    I’d like to see in Weave the ability for secure generating of passwords based on a master password hashed with the site domains included, see https://bugzilla.mozilla.org/show_bug.cgi?id=356855 or
    https://bugzilla.mozilla.org/show_bug.cgi?id=363372

    Far too many people when faced with a “sign up” form on new sites repeatedly use the same guessable passwords in the absence of this simple mechanism.

  36. Wladimir Palant wrote on ::

    Dan, what will happen if the website generates a click event on that button? Will the website be able to log in the user at will? If you didn’t already – please make sure that only trusted events are accepted there. Unfortunately, it doesn’t quite solve the problem – since that button is put into the webpage and can be manipulated by the webpage, the webpage can make it transparent and move it under the mouse pointer, just to make sure that you will click it when you eventually click something on the page. That is somewhat concerning – in case you want to browse a site anonymously, and especially in the case that the website has been XSS’ed and tries to steal your login data.

  37. David Naylor wrote on ::

    This is just super-cool and something that *everyone* has been waiting for unknowingly. I don’t know why it hasn’t already been done!

  38. thunder wrote on :

    Matt & Rockridge,

    Thanks! I’m really glad you guys like the feature.

    As for inclusion into Firefox.next, it remains to be seen, but it’s possible we’ll bake it in, or at least take what we learn from this experiment and use that to inform what we do.

    About the uppercase bug with openid, yikes! We’ll take a look at it, if you could file a bugzilla bug that will make sure we don’t forget :)

  39. Rockridge wrote on :

    I’ve tried the latest Weave(0.3.2) a bit. Logging-in automatically is really a great feature. I’m excited about it. But it does not work well with Open ID.

    It seems like Weave sends Open ID to a server all as small letters. But for example, the first letter of my Weave account is a capital letter. This difference is the cause IMO.

    I’d be glad if you fix it ASAP.

  40. Matt Wilkinson wrote on ::

    Hey Dan, excellent video! I absolutely love what you’re outlining here because it’s yet another feature that I thought would fit perfectly into the next generation of Firefox. You guys read my mind and it’s delightful. I’ve been longing to streamline and simplify my identity experience on the web for a long time.

    I’m assuming since Weave is independent of the mainstream Firefox releases, we won’t see this until after v3.5 is released. Speaking of that, do you plan to integrate Weave as a baked-in feature for Firefox.next? In other words, as part of the core product and not an extension?

    Keep up the good work.

    -Matt