Web Authentication: The next step in the evolving identity eco-system?

Currently, the identity eco-system on the Web is fragmented between a number of different flows for authorization with no standardized high-security authentication mechanism outside of usernames-passwords. Current identity solutions such as OpenID Connect and BrowserID are on an abstract level just two different authorization flows that differ across a number of criteria such as privacy. We also detail a number of well-known attacks against each approach. So the “client offline/server-to-server” authorization flow of the OAuth-based approach (OpenID Connect) is actually complemented by the “online client-to-server” authorization flow from BrowserID, each being more or less effective depending on the particular use-case at hand. Finally, we sketch how combining either of these flows with the upcoming W3C Web Cryptography API for public key-based authentication in the browser will allow for a cross-platform ‘Web Authentication’ that gives users the best of both worlds. Keywords-authentication, authorization, identity, BrowserID; OAuth; OpenID; WebAuth