Mozilla has only begun to explore identity management from a perspective that would put the user at the center
The company adopted a unique approach in designing the FirefoxOS and Apps security model
"On the Internet, nobody knows you're a dog."
Remember that adage? It began life as the caption of a cartoon by Peter Steiner published by The New Yorker on July 5, 1993. Over 19 years later, the possibility of dogs lurking online remains, but these days they just feature heavily in YouTube videos, along with all the cats.
The era of anonymity may soon be over, driven by platforms such as Facebook and Google, which see economic value in merging online and offline identities for advertising purposes and, in the case of YouTube, also to clean up comments sections.
As more and more data about people’s identities are collected and collated in servers around the world, questions about privacy, identity management and use of personal identity data have come to the forefront.
For one company, its approach to privacy and identity comes in the form of an online identity management system called Persona, which seeks to consolidate the multiple passwords users collect during the course of their digital lives.
Mozilla Corporation recently released the public beta of Persona, intended to offer users a secure alternative to creating and managing multiple passwords and to give developers a way to support multiple authentication methods on their sites.
The system is also touted to offer better privacy as it doesn’t track the activity of its users across the Web.
In a blog post entitled Contextual Identity, Lucas Adamski, Mozilla Corporation’s director of Security Engineering, asked: "What if privacy is really just an aspect of identity? … The ideal solution would be locally managed on the user’s system, but securely synchronized seamlessly to your devices."
He believes that Mozilla is laying the groundwork for this direction; however, the initial focus of Persona is on "standing up as a secure and reliable identity service."
“That said, a user today can use multiple accounts with Persona to implement parts of the contextual identity model. You could use one for banking, another for public forums and another for work,” said Adamski in an email interview with Digital News Asia.
“I feel like we have only begun to explore identity management from a perspective that would put the user at the center. We are currently laying the foundation for such a model,” he added.
According to Adamski, a user should be able to define an identity for a given context, which is then comprehensively enforced by the browser. This would include partitioning of cookies and any other client-side persisted data on a per-identity basis, and the ability to flush all related data on a per-identity basis.
One differentiator for Persona is that it doesn't require users' real names and allows users to keep their work, home, school, and other identities separate.
When asked why Mozilla did not follow in the same vein as platforms such as Facebook and Google+, Adamski said the company believes in a model that should only require the user to disclose the minimal necessary information to set up an account.
“In our case, that is currently a valid email address. The only assertion we currently make to sites that implement a Persona login is that the given user has access to the corresponding account email address,” he said.
The system has been criticized for having a single point of failure, namely the Persona password. Mozilla has been working on strengthening this, with a session protection mechanism to limit the security risks, and is looking at implementing two-factor authentication.
Adamski said that other security measures could include using SMS for the verification of password changes or the use of IP locking for more sensitive services or identities.
“There are definitely other approaches we could take, but each comes with its pros and cons from a privacy and accessibility standpoint. We are still researching various options,” he said.
While Persona is still in its early stages, Adamski will be speaking about the Firefox operating system and the apps security model when he takes to the stage at Malaysia’s premier cyber-security event, HITBSecConf, this week at the InterContinental Hotel, Kuala Lumpur, from Oct 8-11.
“We have taken a unique approach to designing the FirefoxOS and Apps security model, which was done in an open and collaborative environment. In doing so, we had the opportunity for a number of very talented external security researchers to participate from the very beginning,” he said.