The assertions I make in this post are for my own consumption. I’m not an expert; and what I say may be wrong.
Points To Consider
- For BrowserID email address equals identity.
- For OpenID email address is not the primary string which identifies a user. OpenID has some kind of URL thingy which has to be registered at an identity provider.
- BrowserID doesn’t notify the identity provider every time an identity is being used to log into a website. Therefore, there is more user privacy.
- There are three phases which BrowserID handles. The one time user registration with BrowserID. The handshake with BrowserID when the user clicks the login button (correlates user with email). And the final handshake where BrowserID will check cryptographic credentials in the users browser to verify he/she owns that email address.
- With BrowserID sites get proof of ownership using public key cryptography—but don’t worry, BrowserID has a verification service so I can do this without writing a single line of crypto code.
- BrowserID can and will be integrated into the browser so user won’t have to fill out a login form in a pop-up window. That has not and may not get done with OpenID.
- BrowserID was created by Mozilla.
- BrowserID may not get adopted by websites as their authentication system.
- OpenID has been around longer and has been adopted by many websites.
Why I prefer BrowserID
- Good documentation
- Easy to implement for developer. Mozilla tells you how to do it.
- BrowserID has scaffolding to tide it over until it becomes fully implemented.
- Good (easy) user experience
- Easy for user to switch identity providers (email address providers).
- Robust implementation by Mozilla.
- User Privacy
- Cost free
- I trust Mozilla