Very nice! I can’t wait to see where this goes because I hate logging into almost every single site that I visit.

@Lennie – linking this with your Weave ID is one potential future that we’ve talked about. We’re still at the very early, exploratory stage of the browser playing an active role in managing your identity.

How about something that involves client certs? I’d love to have these seldom-used gems more readily available and easy to use. It would let people manage multiple identities as they wished, etc.

I got another one that sums it down: Your data is too important to be owned by any one company.

Good interfaces guys, very intuitive, but still far away from a sustainable solution, which i believe is in extension to the infrastructure. I am playing with it, I’ll announce it when in alpha. Till then watching this closely!

Great stuff guys!

Some quick notes:

-Making the user’s identity first in the location bar seems to map really well to the fact many URLs are really universal since they require the user to be logged with the same account in order to view the same content

-I really like how we are visually grouping the user’s identity and the site identity, which quickly displays an obvious representation of “you are giving your personal information to this site”

Notes on a few variations in my early mockup:

-I tried to highlight the notion of “you are giving your personal information to this site” with a visual reference of injection, the personal identity box is literally pushing into the site identity box.

-We need to be careful with how we interact with the DV/EV color scheme

-Since we’ve avoided using metallic to convey value for Site Identity (the old Firefox 2 gold bar), this is now available for conveying personal identity. This also seems to work well since we obviously want users to value their personal information (and valuable things are shiny).

-I’ve placed the personal identity and site identity grouping into the field instead of capped onto the end of the field since we are likely going to try to use “browser chrome level” items in the breadcrumbs trail for linking directly to browser chrome pages (like a bookmarks page), while the site information is content level.

-Aza’s use of language instead of icons “log in” is easier on first use, but I’m worried about it detracting from the messaging of the site identity in the long term. So I’m not really sure if iconic representation or language is best for these actions.

Wow. Thank you Aza. Thank you so much. I have been talking about how this needs to happen for a couple of years now and it’s so wonderful to see it coming to life. It would seem that the days are numbered for login pages and a variety of share buttons online. I think that the next iteration is to solve for family computing. How to solve for multiple users without having multiple user accounts on the computer. Can a family use the same browser and benefit from personalization?
I have been waiting for the day when login would move to the browser. This will lead the way towards customization across brands and help users to carry preferences, favorites and histories across the web.
Again, thank you.

There are some paradoxes to consider when doing identity in the browser (or in a single-sign on system like openid.)

1) Make something easy to do, and it gets done more often. Make login be one click, and every site will have a login, whether it needs it or not. Think about the magstripe on your driver’s licence. It has good ease of use. Is it a positive feature that now anybody can read all your data in a swipe and you have no reason to say no?

2) Giving the user choice may take away their ability to negotiate. Contracts (such as the click to agree contracts done on account creation) are not really negotiated when it’s take it or leave it between unequal partners.

That said, I do have some identity in the browser proposals but they are quite different, and move away from the “login” model which tracks all you do to a more stateless “authenticated actions” model where you perform actions (like posting comments on a blog) with an identity, but still with one click.

Consider:
http://ideas.4brad.com/authenticated-actions-alternative-login

But also look at my “openid” tag http://ideas.4brad.com/tags/openid and my privacy topic for more details on this.

(continued…)

To address 3 (verified single identity), you need either an authority which you check in with each time, or crypto. Please add crypto. Allow the user to either generate or use an existing public-private key pair for each identity. If the user clicks “(always) log on”, expose a javascript method that lets the site perform the appropriate crypto “yes it’s really me” handshake. Most sites won’t use it at first, but the few that do will love you forever.

You’re going to make a javascript function that I can call to have the login box pop up on top of the browser chrome. This will become annoying, and many sites will abuse it. If it opens up, and I misclick – well, now the site has my personal info. Oops. It will also become annoying to see “sign up” in the URL bar on every site I go to. I don’t want to sign up for or log in to 100 blogs. Find a way to minimize this. It looks great because I’m imagining that it’ll be there for when I want to sign up – I’ll be saved the usual horrors! But I’ll also see it when I don’t care at all about signing up, which is bad.

(While we’re on the subject: I use a proxy. Add this info in the bar as well, since I often am annoyed by having to turn the proxy on and off: [proxyname>me@>Yahoo> http://yahoo.com.)

This looks brilliant, if a slightly unexpected aspect of navigation to factor into the browser chrome. I suppose it was only a matter of time. I’d like to see a separation of identity and friends network, as while the two go hand in hand with a lot of the identity providers at the moment, there’s no fundamental connection between the two, and it’d be a shame for the potential programmatic weight of friends functionality to impede the fantastic benefits of identity functionality.

Oh, and:

Putting verbs into the navigation bar isn’t new

That’s true, but can you make sure at the proofreading stage that you’re consistently using verbs and not nouns in place of verbs?

It looks like you’ve got the verb “log in” fine up there into the browser chrome, but then someone’s added a comment to design saying “Via Weave, you can login [sic] to the entire browser.” I don’t mind specific site designers being illiterate, but I’d hate to have to stare at a spelling mistake every time I open my browser.

“Login” is a noun. “Log in” is a verb, which is why we talk of “logging in” rather than “loginning”. I appreciate we have Anglo-Saxon roots but let’s not actually turn the language back into German without doing so for a good reason; say, something to do with getting free beers during Oktoberfest. That’d be a good reason.

There are many interesting aspects in this concept, and I think that’s were we NEED to go in order to improve the web.

Some points:
1.
Is a “login” feature really needed? I mean, once I’ve accepted to use that service I think that it should automatically link to it every time I visit it.
We should probably try to forget about the “login” idea. Yes, it’s similar to the “connect” idea.
To handle “anonymous” browsing we already have a good concept: the “stealth browsing session/window”. I think that anonymous navigation could use that UX flow.

2.
Even if we stick with “login” I think that the “Sugn Up” part should be avoided. It’s about identity: I can transmit my identity (after an initial handshake), or I could avoid it. There isn’t any registration involved: the first time I *agree* to transmit my personal data, it automatically register (and, the system could provide me hints and aids to support my navigation).
So: I will kill “Sign Up”.

3.
You’ve added a phishing warning to the “Sign Up” feature. Nice, but if you agree with me that once identified you should be always identified, I will be warned if I noticed that I’m not anymore logged in (and I’m not in “stealth” navigation).

4.
Converging again to an “Identity” solution against a “Login” solution: I think that the browser should handle my identity in a central point (where I could enable or disable it with one click).
There, I could use Profile 1, with my personal Gmail account and my personal Yahoo account, or Profile 2, with my work email and my Basecamp work account.
In synthesis: don’t think about “Logins” think about “Identities”. :)

I like the idea of this, however, at least in Windows OS’s, there seems to be an overlap with CardSpace. Essentially CardSpace allows you to maintain your identity at the OS level. Granted, CardSpace isn’t being used anywhere of note, but would you try to develop some integration there?

This is a manual pingback for the blog entry in which I respond to this:
http://nathanhammond.com/identity-management

Aza, please tell me why the mac version of Firefox have changed the standard and more convenient shortcuts. I’m talking about the Command + 1 … 2 … 3

In the Safari and other browsers are used to open links from the bookmarks bar. But the biggest argument is that the way we fall into precisely this kind of behavior. Habit – a major asset in the interfaces.

You plan to revert this shortcuts back or add the possibility of change in the browser settings? Please…

great concept!

I find the project really interesting. I have an account in a lot of sites, sometimes sites I was going to use just once. Over time, we tend to change our user names and passwords and we forget to change every log in information we have, when the time comes. After a while, when you need to return to some site you don’t even remember what your user name was… Besides, we tend to use the same info in every site, creating a security issue. There’s a lot of future in this project and I’ll be sure using it!

Identity on the internet is a tough thing. I would never want to dictate it, because there are such fine lines with digital communities. With that in mind, it would be cool to think about creating a way for the user to “own” that space a little bit. Drag and drop some of the links, features, users, etc. that matter to them. Because ultimately identity isn’t just about who I say I am, but more about who I interact with and what I do.
(Just some half-formed thoughts)

It would be great to see you extending support information cards. A browser with a built in I-Card selector that works across all platforms will be extremely useful and enable secure identity online services linked to claims. Audit I-Cards would significantly raise the bar in the anti-phishing stakes. The US Gov and UK Gov are interested in them for online services and their OASIS and NIST have accredited them. We have I-Card desktop selectors,iphone selectors, a cloud selector but what is missing is a built in browser selector….

After reading about Google’s “opt out” customized search results, I think that “identitiy management” should also include a way of having multiple identities with fully separate history, cookies etc, directly in the browser.

Have to say I had to go back and look at this today. I think your identity should be separate from the browser but your identity should be in a key just like a car. The browser should be a car in clothing form. Your id should be the a secure piece of separate technology that has to be put into the browser for you to go anywhere. Then you will be recognized by whole package.
So I think what I am saying is individual identity needs to be a new security software separate ..having said that..the browser identity build should try to be designing an “ignition” to fit various keys of identity. may seem complicated…but I think I am just saying that ignition should be flexible to need that ignition if user so chooses. does that make sense?

anyway had to return to this after thinking about it for a few weeks (as we are working on living room transmedia interoperability and this is ringing through my head with it)

Hey,

Thank you for this, I will certainly look in to getting involved with this. Something very much alike of what you are talking about here is something I wanted to explore.

I will get in contact, find out some more information and post what I already have here. Will read this here again tomorrow, I am to tired now, most things will go past my mind. I even almost missed; ‘Get involved here.’

Good idea!
Even just for computer for the whole family… We don’t change session every time we change users… and changing the identity in one click is a good solution… just in order to check mails, and gets his personal favorite

what will happen if the website generates a click event on that button? Will the website be able to log in the user at will? If you didn’t already – please make sure that only trusted events are accepted there. Unfortunately, it doesn’t quite solve the problem – since that button is put into the webpage and can be manipulated by the webpage, the webpage can make it transparent and move it under the mouse pointer, just to make sure that you will click it when you eventually click something on the page. That is somewhat concerning – in case you want to browse a site anonymously, and especially in the case that the website has been XSS’ed and tries to steal your login data.

Sorry I don’t have any tech input to share — I’m just a dumb surfer; but this is an excellent idea. I would use such a feature on my browser the second it became available for download. Yahoo Messenger has a list of identities that can be used for instant messaging; however, the notion of one “central” bank of identities (not that I use more than a couple. . .) makes sense, adds security, and protects what little privacy we imagine we have left.

tebrik ederim

Weldone…

Hi brad;
“Just a note… I posted a comment some time ago with thoughts on identity in the browser and it still sits awaiting moderation, while many comments after it have been cleared. Wanted to check if you saw it.”

i dont understand?

The technical roadmap behind the links also looks really smart. The insight that what’s making Facebook Connect so popular is that the browser can recognize a mechanism and respond to it is brilliant. I agree that the user should be in full control of that transaction, and not have to farm it out to a third party site like Facebook. This has real potential to – through disintermediation and repatriation to the browser – put the power and ownership back in users’ hands.

Good article. Thanks.