Account Manager

Havi Hoffman

Connect as a first class action in the browser

Today’s Web is highly personalized. If you take a look at a lot of today’s top Web sites, you’d be hard-pressed to find one that doesn’t allow some sort of personalized experience. From posting photos to customizing your homepage to your banking, your online identity is an important piece of the Web experience.

The experience of signing up and connecting to sites, however, is stuck in time: Consider that the way that we use usernames and passwords to log on to most web sites hasn’t changed in more than a decade, even while the number of unique businesses and services that we use online has increased dramatically.

Even new technologies such as OpenID still require a similar (and sometimes even more confusing) experience. Browsers have evolved slightly to try to cope with the situation by remembering usernames and passwords, but browsers are currently unable to do much more, because so much of the process is different for each site.

What we are doing

As part of the Mozilla Labs Concept Series, we’re actively exploring new approaches to online identity management in the browser. We envision a world where your browser will play an even more active and critical role in helping you control and shape your online experience. Read more about Mozilla Labs’ online identity concepts.

This prototype, which we are calling Account Manager, is an effort to dramatically simplify how users connect to sites. We plan to achieve this by adding the ability for the browser to intelligently act on your behalf.

Here’s a very early mock-up of what you might expect in the future:

Account Manager mockup

The Account Manager prototype consists of two pieces:

  • A proposed specification that lets browsers discover a web site's account capabilities (sign in, sign out, create account, and so on) and expose the connected state to the user (for example, whether you are currently signed in)
  • A Firefox add-on that implements a subset of this specification, providing a common UI for connecting to and disconnecting from sites

Our add-on additionally has hard-coded support for a few major sites, such as Google and Yahoo!, so that users can get a feel for how the feature might work in the browser.
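To make the two pieces above concrete, here is an added example, written for this page and not code from the Account Manager add-on or the draft specification, of the checks a browser-side consumer of such a capability document would want before acting on a user's behalf: every advertised endpoint must be HTTPS on the same host that served the document (a document that could point sign-in at another host would recreate the phishing problem the project aims to remove), and the reported connected state must be one the UI knows how to display. The JSON layout, field names, state values and sample URLs are constructed assumptions for the illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample capability document. The shape (a JSON object listing
# connect/disconnect/register endpoints plus a status endpoint) and the field
# names are assumptions for this illustration, not the draft spec's format.
SAMPLE_DOC = json.dumps({
    "actions": {
        "connect": "https://www.example.com/login",
        "disconnect": "https://www.example.com/logout",
        "register": "https://www.example.com/signup",
        "status": "https://www.example.com/account/status",
    }
})

# Constructed sample status responses, as the hypothetical status endpoint
# might return them to the browser.
SAMPLE_STATUS_SIGNED_IN = json.dumps({"state": "active", "name": "alice"})
SAMPLE_STATUS_SIGNED_OUT = json.dumps({"state": "none"})

KNOWN_ACTIONS = ("connect", "disconnect", "register", "status")
KNOWN_STATES = ("active", "none")


class CapabilityError(ValueError):
    """Raised when a site's capability document must not be acted upon."""


def _checked_endpoint(action, url, site_host):
    """Accept an endpoint only if it is HTTPS on the host that served the
    document; an off-host or plaintext endpoint is rejected outright."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise CapabilityError(f"{action}: endpoint is not https: {url}")
    if parts.hostname != site_host:
        raise CapabilityError(f"{action}: endpoint host {parts.hostname!r} "
                              f"differs from document host {site_host!r}")
    return url


def parse_capabilities(doc_text, site_host):
    """Return {action: url} for the actions the site advertises.

    Unknown actions are ignored so the format can grow; a document that
    advertises no way to connect is rejected, since the browser could not
    act on the user's behalf with it."""
    try:
        doc = json.loads(doc_text)
    except json.JSONDecodeError as exc:
        raise CapabilityError(f"document is not valid JSON: {exc}") from exc
    actions = doc.get("actions") if isinstance(doc, dict) else None
    if not isinstance(actions, dict):
        raise CapabilityError("document has no 'actions' object")
    caps = {}
    for action, url in actions.items():
        if action not in KNOWN_ACTIONS or not isinstance(url, str):
            continue
        caps[action] = _checked_endpoint(action, url, site_host)
    if "connect" not in caps:
        raise CapabilityError("document advertises no connect endpoint")
    return caps


def account_state(status_text):
    """Return (state, display_name) from a status response.

    Only the two states the browser UI knows how to show ("active" = signed
    in, "none" = signed out) are accepted; a display name is only meaningful
    when signed in, so it is dropped otherwise."""
    status = json.loads(status_text)
    state = status.get("state") if isinstance(status, dict) else None
    if state not in KNOWN_STATES:
        raise CapabilityError(f"unknown account state: {state!r}")
    name = status.get("name") if state == "active" else None
    return state, name


if __name__ == "__main__":
    caps = parse_capabilities(SAMPLE_DOC, "www.example.com")
    print("advertised actions:", sorted(caps))
    print("state:", account_state(SAMPLE_STATUS_SIGNED_IN))
    bad = json.dumps({"actions": {"connect": "http://www.example.com/login"}})
    try:
        parse_capabilities(bad, "www.example.com")
    except CapabilityError as exc:
        print("rejected:", exc)
```

The same-host rule is the important design choice: the browser only ever submits credentials to the origin whose document it fetched, so a site can delegate nothing to a third party through this channel. Federated schemes such as OpenID would need an explicit, separately reviewed extension rather than a bare URL in this document.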

Try it out!

There is an experimental, alpha version of the add-on available for download.

Please be aware that this is experimental code. If you are not comfortable running software that can crash your browser, or potentially cause you to lose your work, you may want to wait.

Since the Account Manager add-on proposes a new way for sites to interact with the browser, Account Management support is limited to the few sites that support it. The goal at this stage is to refine the design and the protocol itself, so we are most interested in feedback from site administrators.

Dig deeper

As with all Mozilla projects, Account Manager is developed in the open, and we welcome participation from everyone.

Hack on the project sources.
Read a draft of our proposed specification.
Read the project wiki.
Discuss on our forums.

26 responses

  1. tequixote wrote on :

    I'm impressed, as well as surprised how few people get the point. The idea that a website–say, a new shopping website, CutePinkStuff–could let Firefox know that the user is currently not signed in, that users may be signed in or signed out, and which method of authentication CutePinkStuff requires for sign-in (user/password over SSL perhaps?), thus enabling Firefox to take care of all that by itself such that the user never has to think about it except to permit Firefox to register/sign him in… there is so much potential in a spec like that. I'm pretty fuzzy on implementation details until I read further, but so far, I'm liking the idea. Don't let the "what's the point? isn't this done already?" negativity get you down, keep up the good work!

  2. Waleed Eissa wrote on :

    How is this different from Information Cards? Microsoft already implemented it (CardSpace) in Windows. Are there specific reasons why Mozilla decided to come up with something new instead of implementing information cards? (esp. that I heard it's currently being standardized).

    Also, is this going to handle the case when a website needs to send notifications to a user? There are a lot of cases when a website needs to notify the user of an event (for example when a user receives a message from another user) which is why many websites ask for the email address of the user and also ask them to verify it (which is quite annoying to most users). I came across so many websites on the internet that allow users to sign in using an identity provider (like facebook, twitter, google, openid .. etc — esp. using services like RPX and gigya), then ask the user to enter their email address after they sign in with the identity provider, which makes the whole thing useless.

    The whole point of all this is to avoid having to register at every website. I mean, if the website won't get the information it requires to provide its service, and the user will be asked to provide additional information, then what's the point in using this feature in the first place?

    I have checked the proposed specification draft but I didn't find anything about this (I haven't read the whole specification, so hopefully I didn't miss anything). Are there any plans to support this case in the specification esp. that it's extremely common on a lot of websites?

    Thanks,
    Wal

  3. Frank J. wrote on :

    Hi,
    it would be nice if there could be an option (or another extension) for the users so they can create login mechanisms for pages that don't support the account manager. They could be shared like Stylish scripts or Greasemonkey scripts. I know a lot of sites that are not going to support the login script, but it would be easy to create a login script by myself and share it with others. This would be really useful.

  4. cesar wrote on :

    Does this work only for Firefox on Windows? Because I installed it in FF 3.6.3 on Ubuntu 9.10 and I don't see the key icon!

  5. nobby wrote on :

    What can this thing do that my beloved 1Password cannot do at least equally well?

    1. mozilla_labs wrote on :

      With this project, we are proposing a standard scheme for websites to advertise their login/logout and registration mechanisms in a machine-readable way. Any password management system (including 1Password) has to do some work to make it work with each site; we are creating an incentive to make this part of the web infrastructure so that your password management solution can work everywhere.

      Our goal is also to create a standard user experience for all ways of "connecting" to a website, to enable the smooth rollout of systems other than password systems. Federated login systems like OpenID, or certificate based systems, could also use the infrastructure we describe.

  6. Ahriman wrote on :

    I love this extension, please continue the development and add it to Firefox 4 :D

  7. Charlie O'Keefe wrote on :

    ps
    I'll elaborate on this statement from my post above: "It [kerberos] is more secure than any other password-based HTTP authentication documented in any RFC that I know of."

    There is also SRP: http://www.ietf.org/rfc/rfc2945.txt

    …but I don't know of any defined way to use SRP with HTTP.

    Probably the ideal solution would be some hybrid of SRP and Kerberos that incorporates SRP's strong mutual authentication with Kerberos' system of service tickets, requires no storage of any user-key-equivalents on the server, and cuts the HTTP authentication handshake down to the minimum possible number of steps. One can dream…

    1. mozilla_labs wrote on :

      Hi, Charlie – the one way of using SRP with HTTP is through HTTPS with SRP-TLS, as defined by RFC5054. Our hope is that by simplifying and unifying the user experience of connecting to a site, we can enable the graceful rollout of improved authentication technologies like these.

  8. Charlie O'Keefe wrote on :

    I'd love to see a nice friendly (and phishproof) interface like this on top of SPNEGO Kerberos authentication. This is already a widely used HTTP authentication method. It is more secure than any other password-based HTTP authentication documented in any RFC that I know of. The RFC is here: http://www.faqs.org/rfcs/rfc4559.html

    It is supported in browsers going back to, and including, IE6: http://msdn.microsoft.com/en-us/library/ms995329….

    This won't be as easy to implement as what most consumer websites are doing currently, but then again, most of those websites are sending passwords and sensitive session cookies around in the clear (unless they pay for a CA-signed certificate and use SSL encryption).

    Anyone already using Kerberos, which is free software actively maintained by MIT, would be able to use this method. This includes the huge install base of large organizations using Active Directory (which uses Kerberos under the hood).

    The Kerberos Consortium has, in fact, already put quite a bit of work into enabling exactly this kind of account manager, and created an API for the express purpose of building one: http://www.kerberos.org/events/Board-12-11-07/4-E

    There are a number of worthy authentication protocols that a browser could support in the way you're describing in this article. More than one should be supported. There are good technical reasons for each. For example, the type of authentication factor makes a difference (e.g. password, "something you know" vs. certificate, "something you have").

    I urge you to consider Kerberos as a protocol worthy of building on for the account manager.

  9. Borsuk wrote on :

    Recently I discovered KeePass and I am amazed by its capabilities for easy signing into websites. Maybe some of its functionality could be integrated into Firefox.

  10. Raquel Umerez wrote on :

    ….CONGRATULATIONS !!!

  11. Dan Mills wrote on :

    sabret00the,

    The prototype only works on a few sites, that is correct. We have talked to some of the big players about supporting this, but a big part of this release is to get wider feedback from site administrators on whether this is something they might support (or not).

    As for vulnerabilities, we have been in contact with our security team, as well as other sites. So far, we see nothing in this spec that would increase risk to users. In fact, it greatly decreases some kinds of risk (e.g., from phishing attacks).

  12. sabret00the wrote on :

    Also, there’s a question-mark over whether or not this makes all sites involved vulnerable in the same manner?

  13. tmaciak wrote on :

    I understand that the new approach will give better results, but as it needs changes to sites it will probably never work for all sites and will take a long time to gain any popularity.

    And in the meantime this add-on will be barely usable, so again there will be no gain for developers in adding the new approach to their sites.

    I can say that it’s your problem, but I like Firefox (I have used it from around version ~0.3), so I would like it to be a better browser :)

    Anyway, I did not remove Account Manager, I just installed Secure Login additionally to keep the “old” functionality, and will keep an eye on your progress.

  14. sabret00the wrote on :

    Thus far you only appear to have three sites which use this, and a horrible interface. I like what the mockup does, but in its current iteration it borders on pointless; it needs that awesomebar integration sooner rather than later.

    How far have you guys got in regards to proposing this new standard? I noticed the Google search page recognises this but the Groups don’t. Has this been proposed to the likes of Digg and Slashdot? How about the likes of vBulletin, Invision Power Services and phpBB?

  15. Dan Mills wrote on :

    @tmaciak, the functionality in 0.0.2 is entirely heuristic. It uses the Firefox password manager to look for “username” and “password” fields, and automatically fills in forms.

    With the current account manager we are taking a wholly different approach: we are asking web developers to change their sites, to tell the browser how to sign in, register, query account status, etc.

    We believe that we can make a much more compelling experience than we would’ve been able to with the password manager heuristics–0.0.2 was about the best UX possible with that model, whereas with the new model we have barely even scratched the surface of what is possible.

    Check out our use cases to see what we are aiming to do:

    https://wiki.mozilla.org/Labs/Weave/Identity/Account_Manager#Use_Cases

  16. Dan Mills wrote on :

    @keithy397, the difference is that we are proposing a specification that websites can support, making the experience more robust and well-supported.

    The specification we are proposing has much more functionality than just logging in. For example, it also has account registration, as well as the ability to query and change account information.

  17. Archaeopteryx wrote on :

    Would be nice if Firefox could manage to be logged in in two different tabs with two different accounts into the same page.

  18. rehot wrote on :

    try LastPass.
    it does exactly as you think:
    you’ll never type a password after you’ve installed it!
    it’s available on all browsers, and via online interface.

  19. Natanael L wrote on :

    Message shown when clicking the key on Mozilla Addons: “Signed in as Välkommen, [my first name]” (partially Swedish (from the site?)).

  20. Natanael L wrote on :

    @Keithy: Full Firefox integration and official status?
    I hope that this will work great!
    I’ve tried addons like Appalachian (OpenID manager for FF2.0) and other password managers, but I don’t use any of them now.

    Please, make it great!

  21. tmaciak wrote on :

    Thanks for pointing to the Secure Login add-on. As Account Manager became unusable, I was thinking of reverting back to 0.0.2, but I will give Secure Login a try.

    So for me, the question is when Account Manager will get back the functionality from 0.0.2, when it worked for virtually all sites?

  22. keithy397 wrote on :

    What’s the difference between Mozilla’s Account Manager and the Secure Log-in extension that I’ve been using for years safely and successfully on all sites? Secure Log-In also facilitates multiple accounts/User Names – GMail for example.

  23. Faust wrote on :

    Sounds like a possible security nightmare.

  24. Jhonny wrote on :

    Not compatible with version 3.7a3pre