The current state of identity on the Web is not so great.
Much of the ongoing discussion and efforts around user identity on the Web focuses on tying identities to new or existing networks and using various protocols for federating it. User experience in general suffers as protocols for federation (e.g. OpenID) involve complex redirects which jump the user from page to page and leave them open to phishing attacks–not to mention other “ajax” methods which are even worse from a security standpoint.
So last week the Weave team took advantage of the Mozilla all-hands, and decided to sprint on the Weave Identity component to open it up to the Web. After only a few days of hacking we came up with some very exciting stuff to share!
Our sprint changes the browser to provide single-click login to sites with saved passwords as well as sites that support a federated identity (OpenID in this case). It also provides the option to automatically sign in when the page is loaded, essentially providing a single-sign-on-like experience regardless of the login method being used. In the case of OpenID, we intercept the login procedure and, taking advantage of the fact that you’re already logged into your browser, and then use Weave identity to let you into the site.
Something that often goes unsaid in the discussion about online identity is that while most websites right now require usernames and passwords, many people actually use the password manager feature in the browser–effectively turning their browser into a limited identity manager. So one of the things we can and should be looking at is how to improve the existing identity manager to better serve our users’ needs.
In this context, Weave Sync already improves it by synchronizing your login information across devices–so when I use Fennec I don’t need to type in my login information, because they get pulled down from the cloud. But we can go further, in two ways:
First, the Weave framework includes an identity component which is currently used exclusively for Weave Sync. What happens when we integrate it with the browser and open it up to content?
Second, part of the appeal of federated identity management is about single sign-on and automated provisioning. Can we improve the user experience of the current system to provide some of those features?
Part of the guiding force here is that we think that regardless of the inner mechanism (a federated identity, a simple username and password, or something else), in the end the action of logging in is essentially the same. Therefore, as the browser we should try to provide a similar experience, regardless of the method being used. As the user’s agent we should also strive to act on the user’s behalf when possible, and we believe this is one of those cases.
Keep in mind that this is just a prototype that we hacked together in a few of days, so there are some very rough edges. But we’re super excited about the possibilities already. When demoing it to people, they said things like “whoa! how did you do that?” and “I want this! How do I get it?”
The answer is, “soon”, or if you’re brave/impatient enough you can try it out right now by installing the latest Weave development snapshot. Please let us know what you think by posting on the Weave forum!
— Dan Mills, on behalf of the Weave development team