Forgot your password?
typodupeerror
Microsoft Privacy

Passport to Nowhere 361

Posted by michael
from the where-did-you-want-to-go-yesterday dept.
prostoalex writes "CNET News.com.com talks about less than glamorous acceptance of Microsoft's single sign-on technology, .NET Passport. Being launched as a single sign-on service for online businesses and competing heavily with open Liberty Alliance project, which so far has produced just a large amount of PDF files, .NET Passport is considered a failure (although not by Microsoft). Turns out, high licensing fees, lack of simple implementation, security leaks and server downtime, were not acceptable to most of potential clients out there."
This discussion has been archived. No new comments can be posted.

Passport to Nowhere

Comments Filter:
  • by Liselle (684663) * <{ten.ellesil} {ta} {todhsals}> on Tuesday March 23, 2004 @04:41PM (#8648719) Journal
    "Microsoft was kind of pushing Passport for a problem that didn't exist..."

    I think that more or less hits the nail on the head. This is aside from the downtime issue, which is embarassing, and privacy issues, which are disturbing. On the privacy/downtime note, the Liberty Alliance may be vapor currently, but the idea of a "federated" system sounds much better to me. It's not a problem I have with Microsoft, rather it's a problem I have with giving all of my personal information to a single organization to put into a central respository.

    No sir, that's bad sauce.
    • by michael path (94586) * on Tuesday March 23, 2004 @04:48PM (#8648796) Homepage Journal
      I had that quote cited and ready to post as well.

      It's still not an issue that exists today. However, I'm an avid user of Paypal because it's more convenient to pay with my username and password submitted only to Paypal's server, and let them return the "Success/Fail" of the payment to the vendor. It made eBay easier. It's easy to subscribe to Slashdot/OSDN using it. It's easier to subscribe to some porn sites using it.

      Granted, that's just the payment piece, and not the cetnralized repository of all my useful details - but significant just the same.

      Now, if Microsoft bought eBay (and thereby, Paypal), they'd have an existing solution they could extend to suit their needs.

      That said, the moment Microsoft buys eBay is the moment I evaluate auction alternatives.
    • by PacoTaco (577292) on Tuesday March 23, 2004 @04:59PM (#8648931)
      Microsoft wants to push the distributed web services model. Web services are much easier to manage with a centralized authentication system (rather than dealing with many separate passwords/certificates per application). Whether something like Passport is right for end users is another question.
      • by Sigma 7 (266129) on Tuesday March 23, 2004 @05:28PM (#8649213)
        Whether something like Passport is right for end users is another question.
        While I'm not speaking for everybody, I'm sure there's a large group of people that always hate having to register for every individual website for the sole purpose of posting a single comment. It's one of the many good reasons why Usenet is still around. It's also the same reason why Gamespy's Forumplanet is keeping so many users in spite of having a poor forum interface.

        Multiple logins aren't better either. Given the sheer quantity of internet forums, a user will eventaully give up on creating new username/password combinations that they will simply recycle them (a big security risk right there.)
        • a user will eventaully give up on creating new username/password combinations that they will simply recycle them (a big security risk right there.)

          How is this any more or less of a security risk than having a single sign-on in the first place? ( Assuming equal security of the account storage, I guess. )

          Recycling l/p pairs can lead to 1 -> Several account compromises - single signons can lead to 1 -> All.

          YLFI
      • by Mr. Piddle (567882) on Tuesday March 23, 2004 @06:33PM (#8649942)
        Web services are much easier to manage with a centralized authentication system (rather than dealing with many separate passwords/certificates per application).

        While true in theory, I still agree that there really isn't a problem to solve, at least not with the amount of technology in Passport.

        For example, having accounts on multiple sites isn't a big problem at all. As far as security goes, I set up username/password choices in tiers. Many non-essential sites get a standard username and password (a non-dictionary hard-to-guess password at that). E-mail gets an entirely different password for better compartmentalization. My home computer gets yet another password.

        With three or four levels of compartmentalization, password management isn't something I lose sleep over. Also, I'd much rather each site have its own account information, so there's little chance that one site could figure out what other sites I visit.

        • For example, having accounts on multiple sites isn't a big problem at all.

          The problem isn't remembering your passwords (you have local password managers for that, such as the one built into Mozilla, which are much more secure simply because your home PC would need to be compromised to even begin cracking at the password list... that is assuming you keep your home PC reasonably secure). The problem is signing up to all those sites. Each time you have to fill out a form, wait for an activation email, then ac

        • MS Passport is inherently insecure [avirubin.com] and cannot be made secure, even in theory. To claim otherwise would be false advertising [ftc.gov]. Not to mention that in the terms of service you hand over any privacy you once had, see the FTC link above again for an example of abuse.

          I'd be especially wary of sites locked into ASP or .NET, not just for the inherent security problems. PayPal, for example,. is at potential risk, as it is owned by eBay. But read the changes to HotMail or other similarly MS-Passport encumbered s

    • by js3 (319268)
      That's debatable. I don't know anyone who fancies remembering a bunch of passwords for every site he signs up for. I even have a password manager on my usb flash drive because I can't keep up with password. I could use one password for everything but that's insecure too.

      So far I've used the Passport on two sites, mcafees online antivirus subscription site and radioshack.ca whenever I order something
    • by Otter (3800) on Tuesday March 23, 2004 @05:02PM (#8648970) Journal
      "Microsoft was kind of pushing Passport for a problem that didn't exist..."

      I wouldn't say the problem doesn't exist -- every time a link takes me to an article at the LA Times, Chicago Sun, Telegraph or any other paper that requires me to remember some crazy new userid or to go through a lengthy registration process, there's a problem, usually solved by my deciding it's not worth it. Or bidding on eBay from the library, or...

      As you say, a central repository seems like a bad solution but I'd really love to have a good one. (And, no, my having to carry everything around on a memory stick is not a good answer. For one thing, you can't just mount them anywhere.)

      • by TrentL (761772) on Tuesday March 23, 2004 @05:09PM (#8649038) Homepage
        I just use a dummy password for all those newspapers anyway. I let the browser remember it.

        Oh, and I'm not a 65-year old CEO living in Ethiopia, but don't tell that to the Washington Post [washingtonpost.com].
        • by Otter (3800) on Tuesday March 23, 2004 @05:28PM (#8649216) Journal
          Both of you guys miss my point -- yeah, Mozilla and Konqueror remember my logins, on a single computer! They don't transfer between work and home and they certainly don't help me at a public terminal! Thus, Passport.
      • I wouldn't say the problem doesn't exist -- every time a link takes me to an article at the LA Times, Chicago Sun, Telegraph or any other paper that requires me to remember some crazy new userid or to go through a lengthy registration process, there's a problem, usually solved by my deciding it's not worth it.

        My browser, just like all the other browsers out there, has a nifty little feature which remembers my logins.

        If mozilla ever gets that roaming profile idea, then passport is completely useless.
    • by Jim_Maryland (718224) on Tuesday March 23, 2004 @05:30PM (#8649236)
      "Microsoft was kind of pushing Passport for a problem that didn't exist..."

      The problem of single sign on (SSO) does exist, particularly in the corporate world. Vendors implimenting Web Portals (MS SharePoint [microsoft.com], Sun Java System Portal Server [sun.com], BEA WebLogic Portal [bea.com], Vignette Portal [vignette.com], etc...) have a particular interest in SSO and identity management via Identity Services to present a single interface to various systems in an enterprise.

      My main problem with MS Passport is that it's Microsoft's version of a standard rather than a community standard. Applications can connect via MS's SDK [microsoft.com] rather than publishing the standard. Using Open LDAP [openldap.org], Sun's Identity Server [sun.com], etc... will generally follow open standards and have better compatibiltiy to other open source/standard applications.
    • I don't see how having your personal information stored on hundreds and even thousands of non-central repositories would be any better......

      I would feel much better with all my personal information being stored on MY machine, and having specific sites that I allow to access this information, then having my personal information stored everywhere on the net in databases, or to have passport like systems working together with site.

    • Well the IDEA was brilliant. However, there's a huge difference between thinking the idea and implementing it the was it's supposed to to be. I also think MS had the logic of implementation correctly, and a partially working .NET passport system (which personally I have never used beyond signing in to hotmail). There is a few reasons that Passport was *doomed* from the very beginning, and two come to mind right away:

      1) The venerable WEB is just not able to handle such complex task. It'll fall prey to hac
    • by Cecil (37810) on Tuesday March 23, 2004 @05:49PM (#8649479) Homepage
      I'd trust my personal information to Microsoft before I trusted it to Liberty Alliance. Founding member companies are:

      American Express, AOL Time Warner, Bell Canada, Citigroup, France Telecom, General Motors, Hewlett-Packard Company, MasterCard International, Nokia, NTT DoCoMo, Openwave Systems, RSA Security, Sony Corporation, Sun Microsystems, United Airlines and Vodafone.

      Perhaps it's just me, but it sure sounds like their marketers' wet dream.
  • Personally.. (Score:5, Insightful)

    by Caedar (635764) on Tuesday March 23, 2004 @04:43PM (#8648731)
    I never saw a need for .NET Passport in any way. Privacy issues aside, all Passport would achieve for the company using it is something they could already do with simpler, more secure, and less liable technologies already available to them.
    • Re:Personally.. (Score:2, Interesting)

      by Anonymous Coward
      Yes, and wallet services like Passport will eventually become moot if business merger mania continues. I mean, just imagine if Microsoft buys or is bought by a major credit-card issuer like MBNA. Then your credit card will be automatically connected with a PIN that allows you to shop on MS sites, no Passport needed.

      Sound far-fetched? Media companies are buying up content companies and vice versa... US consumer spending is 2/3 GDP and is floated on credit cards. It's only a matter of time before the credit
    • Re:Personally.. (Score:4, Interesting)

      by CdBee (742846) on Tuesday March 23, 2004 @05:10PM (#8649040)
      I used to use Passport to sign into eBay UK but it failed about every other time. I ended up abandoning that account and starting a new one due to the low reliability.

      I lost several good auctions thanks to that POS system!
      I suspect my experience wasn't atypical and has led to this.
  • Hmmm (Score:5, Funny)

    by Anonymous Crowhead (577505) on Tuesday March 23, 2004 @04:43PM (#8648733)
    Turns out, high licensing fees, lack of simple implementation, security leaks and server downtime

    Yet they still buy windows...
    • Re:Hmmm (Score:3, Insightful)

      by MrPoopyPants (146504)
      Who buys windows? People buy computers, it comes with windows. Most people don't know any better.

      I know you were joking (at least that's what the moderation indicates) but I just don't see people flocking to the stores to get the latest copy of windows. Adoption of XP has been pretty slow (even though it's the best windows yet). People sit there with spyware, worms, memory leaks, and complete shit on their computers and don't even care. It's amazing what the average computer user will put up with.
  • by nother_nix_hacker (596961) on Tuesday March 23, 2004 @04:44PM (#8648740)
    Turns out, high licensing fees, lack of simple implementation, security leaks and server downtime
    Sounds like a generic description of MS products.
  • by American AC in Paris (230456) * on Tuesday March 23, 2004 @04:44PM (#8648743) Homepage
    [.NET Passport is] competing heavily with open Liberty Alliance project, which so far has produced just large amount of PDF files

    ...by this logic, one could say that Halo is competing heavily with Duke Nukem Forever, or that Coca-Cola is competing heavily with Cola Turka [colaturka.com.tr]...

    I mean, doesn't "competing heavily" imply that there's, well, an active competition in the first place?

  • It is widely pulicized now how to manage passwords for a website -- it's as simple as using other Microsoft tools, and so in a way, passport puts itself out of business by competing poorly with other Microsoft products. Why would anyone not just use an NT auth login, ASP, or one of the myriad of other ways to do a sign-on. The only place I see passports now is places where Microsoft already had a majorly vested business interest. Passport should go right up there with Microsoft BOB , IMHO.
    • by jfengel (409917) on Tuesday March 23, 2004 @04:55PM (#8648888) Homepage Journal
      The problem isn't managing passwords for a web site. The problem is managing passwords for ALL web sites.

      How many accounts do you have, between eBay and paypal and Amazon and slashdot and ...? Do you use a different password for each one? Aren't you the least bit worried that the Slashdot editors will use your Slashdot password against your Amazon account?

      The idea of Single Sign-On is to put all of your eggs in one basket, then make sure it's a really good basket. Nobody trusts Microsoft to make that really good basket, but it doesn't mean that they're not trying to solve a real problem. It's a tricky one, because the trust factor is scary, and the stakes are very high.
      • by Jerf (17166) on Tuesday March 23, 2004 @05:17PM (#8649102) Journal
        The idea of Single Sign-On is to put all of your eggs in one basket, then make sure it's a really good basket. Nobody trusts Microsoft to make that really good basket, but it doesn't mean that they're not trying to solve a real problem. It's a tricky one, because the trust factor is scary, and the stakes are very high.

        The most recent Cryptogram [schneier.com] has a highly relevant comment on this issue:
        [Suppose t]here are 10 $100 piles, each secured by individual $200 security systems. They're all secure. There are another 10 $100 piles, each secured by individual $50 systems. They're all insecure.


        Clearly something must be done.

        One suggestion is to replace all the individual security systems by a single centralized system. The new system is much better than the ones being replaced; it's a $500 system.

        Unfortunately, the new system won't provide more security. Under the old systems, 10 piles of money could be stolen at a cost of $50 per pile; an attacker would realize a total profit of $500. Under the new system, we have 20 $100 piles all secured by a single $500 system. An attacker now has an incentive to break that more-secure system, since he can steal $2000 by spending $500 -- a profit of $1500.

        The problem is centralization. When individual security systems are combined in one centralized system, the incentive to break that new system is generally higher. Even though the centralized system may be harder to break than any of the individual systems, if it is easier to break than ALL of the individual systems, it may result in less security overall.

        There is a security benefit to decentralized security.
        • That assumes that you are going to go to an overall weaker system. Previously, you had $2000 total protected by $2500 worth of security. Afterwards, you have $2000 protected by $500 of security. Why did you cut out $2000 of security? Maybe that's the only option, but that is a big starting assumption.

          Another issue is that while the first 10 piles may each be protected by $200 worth of security, what if they are easier to compromise in bulk? They share a user right? Chances are, you simplify the syste
      • No, I'm more worried about someone getting onto my machine and stealing all the passwords I've got stored in cookies. If on the other hand, all my cookies got deleted, (HD crash, whatever), pretty much every site out there has a PW recovery/reset proceedure.
      • Isn't that what Gator does too?
  • Only used in hotmail (Score:5, Informative)

    by sapped (208174) <mstore1 @ y ahoo.com> on Tuesday March 23, 2004 @04:45PM (#8648753)
    I actually created a passport login to see how many places they would use it and if it would be beneficial. Thus far I have only seen it used with Hotmail and on the MSN site. Have any others seen it used on other non-Microsoft sites?
    • by tim_uk (123339)
      I've used Passport to sign into Ebay. It seems to work fine there.

      Tim
    • by Anonymous Coward
      Match.com
      Expedia.com (hasn't been a Microsoft product since 1999)
      Ebay.com
      Paypal.com

      There are a few others, but those are the ones that immediately come to mind.
    • I've seen it on one or two, but it was over a year ago, and I can't recall where they were.
    • Ebay has it where you can use it for sign-in (though I don't), and I have seen it on other sites for registration. I had to get a Passport for work, and I tried it at some of those places. One site I signed-in with Passport, and it still wanted me to fill out all of the registration information - not verify what was there, but actually fill it all in again.

      I guess it made me feel good to know they didn't just pass over my information, but made me immediately wonder what it was useful for.

      • by jlechem (613317)
        And all it manages to accomplish is people getting their accounts hacked. A hacker gets into a persons passport and voila they have access to eBay and start committing fraud in that persons name.
    • I've seen it available on Citibank's credit card member site... it's not required though. I just created my own login and used that instead.
    • by brucmack (572780)
      I don't know if they still do or not, but eBay used it at one point.
    • I needed to open a Passport account to get content on my Verizon phone.

      Once I did, it opened the doors to tons of content I didn't give a shit about. I just wanted to delete all the useless bookmarks they shove in there.
  • No thanks (Score:4, Insightful)

    by Orien (720204) on Tuesday March 23, 2004 @04:45PM (#8648757)
    I like the concept of passport, but I'm not going to get in bed with Microsoft to put it on my web servers. Besides, it has always seemed to me that doing a scheme like that would introduce so many more points of failure to your web system, that it wouldn't be worth the trouble. That's not to mention security. Somehow I just feel safer when I have to log in to each site separatly.
    • Re:No thanks (Score:5, Insightful)

      by AnotherBlackHat (265897) on Tuesday March 23, 2004 @05:08PM (#8649013) Homepage

      I like the concept of passport ...


      The entire concept is flawed from the get-go.

      If I wanted my passwords stored on a computer, then I might as well do away with them completely.

      But assuming I did want to to store my passwords on a computer, I'd want them on my computer.

      And if for some reason, I wanted to store them with a third party, I wouldn't want the storage to be a single sourced service.

      And if was willing to accept a single sourced service, I still wouldn't want that source to be Microsoft.

      And assuming you get past all of the above, you still need to convince the vendor that it's good for them too - and you'll need to convince a lot of them to make it worth while.

      -- this is not a .sig
  • by Brigadier (12956) on Tuesday March 23, 2004 @04:45PM (#8648763)


    I am an Architect and I was pretty happy to see Sweets (the product catalogue) uses msn passport as their logon service. I have to admit it was convenient as there are drawbacks to having to remember every online service logon that you subscribe to. It's pitty this couldn't have been implimented better and or be more successful. It would be interesting to see if yahoo or aol takes a stab at this as everyone I know has a yahoo login. It would be nice to use it for everything none critical.

    • "I have to admit it was convenient as there are drawbacks to having to remember every online service logon that you subscribe to."

      Every service I use "remembers" my account when I visit the site (except for my bank, which I would NEVER want to have auto-login).

      So why not just use the same login/password for every non-critical service you use? Pick a unique name that's unlikely to be in use by others, and if you ever need to wipe you drive for a reinstall, you don't have to sift through a ton of login

  • I can, of course, only speak for myself but I am fairly web-savvy and I was initially confused about the Passport system. It appeared to me that I needed an MSN account or Hotmail account to make it work, though I don't think that was/is the case. I always use my Hotmail account for junk; I'd never use it for e-commerce transactions. Perhaps that is the issue with a company with soooo many services.
  • Hotmail was such a pain in the butt when i used it. It was nice before Microsoft bought it, but then it turned downhill. Everything was tied directly into the MSN homepage. Worst was passport system, which magically never worked.

    I was pretty happy about that, I didn't feel comfortable with their implementation. I think a common login would be useful, but maybe if it was done by RSA, not by Microsoft.

  • Failure. (Score:2, Insightful)

    by rhpenguin (655576)
    An interesting concept coupled with all the bad parts that were exposed and its a wonder why no one wanted to use it. I use it myself with messenger service, but thats about it. I would not trust the security of my website/webapp to Microsoft.
  • Just PDF files? (Score:5, Informative)

    by finkployd (12902) on Tuesday March 23, 2004 @04:46PM (#8648778) Homepage
    Liberty Alliance project, which so far has produced just large amount of PDF files

    Which is all they intended to produce. Technically Liberty Alliance is a spec, not an implementation.

    Now if you are asserting that there are no implementations, the SourceID [sourceid.org] people would probably disagree with that.

    Finkployd

    • by El (94934)
      You were expecting maybe .DOC files instead?
    • Well that's just lame. If they want it adopted they should produce high quality, free implementations that are easy for anyone who can make an html file to slap onto any site. I'd think the companies that are behind this would have the wherewithal (and the incentive) to make it happen.
  • 2 Things (Score:5, Funny)

    by panthro (552708) <mavrinac AT gmail DOT com> on Tuesday March 23, 2004 @04:47PM (#8648787) Homepage

    1. I have yet to meet someone who actually has (let alone uses) a .NET Passport.

    2. If you are thinking about replying to this message with "I Do!", then I probably won't meet you, so see 1.

    • Re:2 Things (Score:3, Funny)

      by lpangelrob2 (721920)
      1.) If you're saying that you've never met anyone that's used/uses a Hotmail account, I would find that hard to believe.

      2.) If you really haven't... hi, I'm Rob! Nice to meet you. :-)

    • Re:2 Things (Score:4, Insightful)

      by El (94934) on Tuesday March 23, 2004 @05:09PM (#8649028)
      Every one of the tens of millions of hotmail customers have and use a .NET passport. That includes many slashdotters (like me). Granted, most of these are throw-away email accounts, but still, they are used.
      • I know I didn't say it, but I don't really count Hotmail, MSN or any other Microsoft-run services in the context of this article, because they aren't really customers licensing the Passport system. It didn't even occur to me while I was posting because I am one of those very few people that has never had a Hotmail account (well, I had a throwaway account once long before MS bought HoTMaiL, and thus even longer before Passport).

  • by jolyonr (560227) on Tuesday March 23, 2004 @04:47PM (#8648788) Homepage
    At first, the concept of a global authentication system seems great. We all have too many passwords to remember, the idea behind Passport seems great.

    But in reality, there isn't anyone who is secure enough, trustworthy enough, powerful enough and smart enough to pull off a system that would work and would be trusted.

    You need to have the strength and power to be able to build such a system, and with those, trust invariably goes out of the window.

    So for now I'll keep all my passwords in my brain, and pay the price of my mistrust.

    Jolyon
    • This is exactly why a service like this will never work. Much better for everyone to adopt digital certificates. They could be stored in smart cards (seems to be the defacto standard) or iButtons or whatever, you can copy them to multiple devices, and you will have to enter an optional key to access them in the first place, then the key to use them. Certs can be issued by whoever, the issuer maintains the signature and public key.

      With smart card readers being installed anywhere and everywhere (Lots of PC

  • by Anonymous Coward on Tuesday March 23, 2004 @04:48PM (#8648801)
    ...isn't such a chore that we would need a freakishly-complex infrastructure to save us a couple of keystrokes.
  • Was this .NET My Services?

    I know there was a .NET The Platform, C# -- .NET's Revenge, and VB.NET -- a new SOAP. A while ago, the company put forth this .NET strategy and then backed away as people started going "eh?" as to what it all meant.

    From general consensus, the .NET platform seems to be doing ok into adoption (if those "Senior .NET Programmer" ads are an indication) while the whole "My Services" single sign-on deathtrap was greeted with uberskepticism. If I remember correctly, this was one of the
    • At the risk of Karma or Attention Whoring, I'm going to point to my own article [schnapple.com] again.

      The answer to your question in a nutshell though is that the ".NET Platform" is still alive and well (I know, I work with it every day for a living), but .NET as a blanket, obscure marketing term attached to everything is pretty much dead in the water. The things you describe (C#, VB.NET, SOAP based web services) are all part of the original platform and unimportant to anyone who's not a programmer.

      The Passport idea an

    • by Gr8Apes (679165) on Tuesday March 23, 2004 @05:14PM (#8649082)

      .NET was originally a set of web services, then a service platform, then a server OS, then a set of services on a server OS, then a development platform, and, now, the most known .NET (because I think there's more than one, MS couldn't tell me for sure though) is the multiple language to bytecode platform/compiler.

      Is it any surprise that .NET appears to be fading away? Anything that mucked up by schizophrenic marketing would have to be simply the best thing since the goose that laid gold eggs to survive. And MS's products are definitely not that. (that's not an opinion, see the recent virus outbreak reports for why - just about every major MS product's been hit in the last 6 months)

  • Liberty does not compete with Passport, it competes with WS-Federation. Liberty scores points on an open developement process (as opposed to MS and IBM doing ws-fed in a darkend backroom somewhere) and also on having actual software implementations of their specs available. However WS-fed scores big because managers these days see Web Services is the silver bullet, holy grail for everything. Time will tell.

    Personally I like SAML (the technology Liberty is built off of), but supposedly WS-Fed is going to in
  • "Turns out, high licensing fees, lack of simple implementation, security leaks and server downtime, were not acceptable to most of potential clients out there."

    It's strange that this didn't appeal to most users who already use Windows. I would think people would tend to use things they are already familiar with.
  • by Anonymous Coward
    I have yet to ever see a Liberty Federated login screen so I'm not sure that it is even implemented. The Microsoft acceptance outside their own network is shifting, but I think this is an inevitable result of companies not wanting to rely on SLAs for business critical components of their solutions. This really is the single biggest problem of any web service in that you lose control and true accountability. Smart businesses will continue to internalize business critical components.
  • can be found in your nearest pr0n site.

    i remember loggin on i a porn site back in 1999 from where i could jump to several others without loggin on again.

    maybe sir bill could buy a pr0n site or two to learn how it's done.

    can u imagine MSN with an adults only warning ???
  • by AnotherBlackHat (265897) on Tuesday March 23, 2004 @04:54PM (#8648872) Homepage
    From the article

    "I can't imagine a Web site today being willing to pay $10,000 a year and go through the whole process necessary to implement Passport."


    Hello? It's not very easy to imagine a site that's willing let a third party handle customer information for free.

    Most companies aren't even willing to tell you how many customers they have, much less let you collect personal information about them.

    -- this is not a .sig
    • Hello? It's not very easy to imagine a site that's willing let a third party handle customer information for free.

      Depends on the definition of the customer. For example, if I am running a site with a bunch of forums and discussion boards, I implement registration, so that no user can steal other's identity and misrepresent him.

      Registration on all small sites and various PHP boards is a pain, I don't want to leave a whole bunch of info at hundreds of different sites. If I see a button that allows me to us
  • Passport is probably more secure that ssl. Its an excellent technology for Microsoft to use for all of its various services.

    hotmail
    MSDN
    MSGaming Zone
    etc.

    For an intra-corporate login system its excellent. But to be used across multiple websites, it just puts all your proverbial security eggs in one basket.

    I think the best solution is simply the browsers remembering passwords on websites. If they were to make that pwd list exportable, that would really be great!

    p.s. ebay uses it along side standard logi
    • "I think the best solution is simply the browsers remembering passwords on websites."

      This would work if, and only if, there was some strong encryption on the password list. In otherwords, you would need to be prompted for a single strong password whenever a password is pulled from the list. This strong password would be the key for the encrypted password file.

      • Passwords must be of minimum length 6
      • Passwords can be of maximum length 30
      • Passwords must contain at least one (1) numeric character
      • Password
  • by GillBates0 (664202) on Tuesday March 23, 2004 @04:57PM (#8648903) Homepage Journal
    From the .NET Passport page linked to in the blurb, people are supposed to look out for the "button" and when they see it on their site, they can login with their .NET account.

    What's to prevent me from copying their pretty gif and collecting people's logins/passwords?

    • by mdfst13 (664665) on Tuesday March 23, 2004 @07:16PM (#8650449)
      I'm not sure how the Microsoft version works, but if I were implementing something like this, I would never allow logins to come from the site. Instead, I would require the site and user to log in to my system separately. Then I would give them a unique identifier or something to check if the user is logged on to the central system.

      For example, I might create two unique encryption/decryption key pairs and give one decrypt to the site and the corresponding encrypt to the user and give the other decrypt to the user and the corresponding encrypt to the site. Now they can communicate safely with private key encryption.

      Note that neither the site nor the user ever has login info for the other. Remember to discard the keys when done.

      A side effect of this is that instead of getting a login page when you try to connect to a site using the system when you are not logged in, you would get an error page (you are not logged in; please go to the appropriate place and log in). This would be mildly inconvenient but much more secure.
  • My $0.02 (Score:2, Insightful)

    by pragma_x (644215)
    The original concept behind the design of the internet (DARPAnet) was to spread out the whole mess as to make it impervious (or at least resilient) to a tactical nuclear strike.

    Fast forward almost three decades and now we should keep desigining it to avoid tactical commercial strikes.

    If everything, like commercial web security, was placed in the hands on one trusted authority, some problems would be solved. (I for one welcome single sign-on to all my messageboards and other non-sensitive websites regardl
  • .NET Passports like .NET in general are not merely about today. Many of these sorts of projects are part of a larger scheme of Microsoft, so today's 'failure' is also an investment for the future of their corporation.

    Microsoft is one of many companies that would like to one day see us subscribing for software monthly rather than merely suffering through outlandish licenses, having little knowledge of what is actually going on inside of our infrastructure and ultimately making them into another 'ma Bell'.

    T
  • .MAC accounts! And what was the name of that propritary Mac dial-in service that Apple had going for a while?
    • Re:It 's a lot like (Score:3, Interesting)

      by krray (605395) *
      .Mac I use though. The absolutely wonderful video chat with your auto-AIM account helps (though you can get a free AIM account and go to town too).

      Moving from the Mac @ home to the laptop to the Mac at the office ... there's nothing like having all your mail on IMAP servers, identical bookmarks in the browser, identical address book entries, identical calendars (of course this all also goes on the iPod for easy use on the road :).

      Heck, once in a while I'll find I'd like to quickly move a few dozen work .D
  • by brucmack (572780) on Tuesday March 23, 2004 @05:05PM (#8648991)
    I attended an MS tech talk a couple of months ago about the identity system coming in Longhorn. It seems like they are really targetting mass acceptance with that one too.

    While I can't remember exactly how everything worked (hey, I was there for the food), it was basically an RSA key system, with the private key stored on ones own computer. The main MS involvement was to have some servers set up to allow one to back up their private key so they aren't screwed over if their computer crashes without a backup... and the presenter seemed confident that there would be non-MS providers of the service as well.

    It seemed like a pretty neat idea anyway... There were also systems in place to allow one to deactivate their key if it was compromised. Basically one's computer could notify all of the places it had exchanged its public key with to tell them that it is no longer valid anymore. It seemed like an interesting system that took a lot of the control away from MS, as long as one trusts the OS not to beam the keys back to them :)

    The only real downside was that it seemed like they weren't too keen on getting the server-side software operating on non-MS platforms. But who knows... It certainly seems to be a better solution than Passport, since there would be no fees beyond having a supported OS.
  • I think the main problem with Passport is not the idea itself, but who's behind it. I personally don't trust any infrastructre backed by MS. It's not just that I don't trust them to misuse their status as gatekeeper. (This is a problem you have to face no matter who the gatekeeper is.) I don't trust them to make an infrastructure that works. Not when they've shown that they can't build public databases that scale. (Their anti-piracy measures that are such a pain to deal with would work a lot better if they
  • Too expensive (Score:5, Interesting)

    by truelight (173440) on Tuesday March 23, 2004 @05:05PM (#8648998) Homepage
    Passport has extremely high potential. I tried it out a while back... I went to Slate.com after signing up for a passport, and clicked the "Sign In" button. Now, I had never visited Slate, nor did they have any data on me prior to this. When I clicked "Sign In", that was it. I was registered. No filling out forms. No nothing. From a usability standpoint, Passport has tremendous potential.

    With that said, the fees are absolutely horrendous. I checked it out - $1000/year for "small implementations", and $10000 for other. While I'm all for paying for a good solution, I can't see how having a single-sign-in solution on any website would generate $10000/year in profits.

    I'm sure it would catch on like wildfire if they just lowered the fees to more manageble levels.

    Oh, and buy paypal.
  • I mean. WTF do we need an extra service for if the security manager can do it, also kwallet can remember them all and interact with konqueror....

    Even IE can do it i think..... so, i think the single sign on in passport is really a fucking hoax designed to lock linux and OSS out of large datacenters.
  • Maybe (Score:3, Funny)

    by bryan1945 (301828) on Tuesday March 23, 2004 @05:13PM (#8649066) Journal
    Haven't read the replies (or the FA), but wasn't a big concern about Passport that you would need to sign over your first 3 children just to get authenticated?
  • by cyberlotnet (182742) on Tuesday March 23, 2004 @05:19PM (#8649117) Homepage Journal
    The problem with the whole concept in general to me is security.

    Company A holds your credit card information and controls the sign up system.

    Company B You make purchases through there system, credit card details are pulled from company A, your happy

    Slap on 100 Company B's each with the ability to pull your credit card data so you can make purchases.

    You now have 100 new possible locations for a hacker to crack, giving them access to a massive database of credit card data.

    A chain is only as strong as its weakest link. The more merchants you add to this style system, the better change your chain will break one day.
  • by LostCluster (625375) * on Tuesday March 23, 2004 @05:21PM (#8649134)
    Passport has gotten a lot of bad press, but there's three other major single signon systems in circulation that nobody talks about...

    AOL's ScreenName Service is used on all Time Warner web properties and partners, including AIM, the Netscape sites, all of the magazines they own and EA's Pogo games site.

    Disney's Go Network may have failed as a portal, but every web domain Disney owns still redirects to a subdomain of go.com such as ABC.go.com and ESPN.go.com. Therefore, there's a full network of news content, e-mail, and a few shopping sites contained there, all of which are Disney-owned properties.

    Yahoo also has a full "network" of sites within the Yahoo.com domain... e-mail, an IM client, games, shopping, and let's not forget there's a serach engine there too. Yahoo lets several partners have your entire account infomation simply by offering a one-click registration into a site such as WorldWinner.com from their games section.

    So, while all the bad press is being aimed at MS... several just as invasive services have quietly gained power.
  • by LostCluster (625375) * on Tuesday March 23, 2004 @05:25PM (#8649167)
    Every registration-requiring service of Google nicely collects no more infomation than it needs to, but there also seems to be very little support for cross-linking registrations from one service to another. As a result, they have distinct logon screens for...

    - AdWords
    - AdSense
    - Google API
    - SiteSearch / Websearch
    - Blogger

    They just keep adding new services, but there's no sign of any unity coming...
  • Wrong way around (Score:4, Interesting)

    by realnowhereman (263389) <andyparkinsNO@SPAMgmail.com> on Tuesday March 23, 2004 @05:29PM (#8649224)
    I think the idea of single sign on is a good one. The problem is, it shouldn't be implemented on the server side. KDE's new KWallet system is a very good example of how this should work - I keep all my logons locally, encrypted, and in a trusted place - my privacy is not at any more risk than it ever was. Now, I single sign on to the KWallet system which is then used by konqueror/kopete/kmail/whatever to auto-logon whereever i go.

    With a little bit of support server side (perhaps a standard way of passing logon information to HTTP servers - if the existing method is not deemed good enough) this could easily fake the entire passport system with no need for any centralised server.
  • by oldmildog (533046) on Tuesday March 23, 2004 @05:35PM (#8649303) Homepage Journal
    For each web site I visit, I have a user ID and then make up a 10 character random password. That's stored in a text file on my laptop which is then encrypted with PGP. When I need to log in to a site, I unencrypt the file, copy/paste the password into the browser, and wipe the file. This is a few more steps than what MS Passport does but is infinitely more valuable to me in making me feel my passwords are relatively secure. BOTH solutions rely on one password to protect all my accounts, but at least in my solution it's a 20-character phrase stored my head instead of one stored in Redmond.
  • by DrSkwid (118965) on Tuesday March 23, 2004 @05:42PM (#8649387) Homepage Journal
    here's Glenda's [bell-labs.com]

    In plan9's the single sign on is a bit different as it can save credentials for your regular internet services such as ftp, ssh, vnc, pop3, imap

    secstore is an encrypted file store, one of which is your factotum keys

    here's some example keys (SECRET is where my password would be):

    key proto=pass server=www service=ftp user=matt !password=SECRET
    key proto=p9sk1 dom=outside.plan9.bell-labs.com user=mattp9 !password=SECRET
    key proto=pass server=colo service=ssh user=matt !password=SECRET
    key proto=vnc server=kit user=matt !password=SECRET

    one can load one's passwords into a text editor and add/remove them in secstore

    or do echo 'key proto=vnc server=kit user=matt !password=SECRET2' > /mnt/factotum/ctl

    if they key is not present, factotum prompts you for it and remembers it while you are logged into the terminal

    When you log out factotum forgets all the entries not in secstore

    It's a great system, I just enter my secstore password at boot and I have passwordless access to the services I have stored.

    though one tends to just hit power when you go to lunch you can just do 'kill factotum | rc' to unload all the keys and then 'ipso factoum' to load them from secstore again (i think thats how you unload them, i've never done it)

    servers need not know anything about it, no .NET libs to compile against or licensing fees to pay

  • by falsification (644190) on Tuesday March 23, 2004 @05:45PM (#8649429) Journal
    It's a shame too, because a big market exists right now for a good, cheap, privacy-protecting, easy-to-implement directory service: blogs.

    Connecting your blog to a big directory service would mean getting rid of comment spam forever. Blocking comment abusers would become much easier, too.

    In fact, if I were running one of these directory services, I would offer the service free of charge to blogs (for a limited time) in the interest of getting customers signed up and used to the service.

    Then, once it's established, the commercial potential will become ever more lucrative.

  • Apple's Keychain (Score:5, Informative)

    by diamondsw (685967) on Tuesday March 23, 2004 @06:09PM (#8649689)
    What works well is Apple's Keychain idea.

    If you want, all of your passwords (web sites, iDisk, e-mail, etc) are all stored in your encrypted keychain on your computer. When you login and authenticate your primary keychain is unlocked, allowing programs that stored passwords to access them. Programs cannot access others' passwords without your consent (in the form of "The application blah wants to access your keychain. Do you want to allow this?"). As would be expected, the whole shebang is encrypted on disk, I believe with AES. Finally, if you don't want all of your passwords in one spot, you can create multiple keychains (e-mail accounts, financial sites, other web sites) and unlock them only as needed.

    It's all local, all secure, very flexible, and by default so easy it's completely transparent.
  • back door (Score:3, Funny)

    by mabu (178417) on Tuesday March 23, 2004 @07:42PM (#8650661)
    Who needs a back door when Microsoft is guarding your front door?
  • by Zathras26 (763537) <pianodwarf@NosPam.gmail.com> on Tuesday March 23, 2004 @08:49PM (#8651242)

    First of all, as others in this thread are already pointing out, the security issues are problematic, to say the least... you want to store all that financial information in a Microsoft server, with Microsoft's terrible security record? No, thanks.

    Second, Microsoft already has a ridiculous amount of power over the lives of the ordinary consumer, and the ordinary consumer knows it and deeply resents it. Even if they're not technically literate enough to be able to use non-MS products regularly, they still don't want to give Billgatus of Borg any more power over them than they absolutely have to.

    Related to that, Passport is designed to force people to use MS products. I have a Passport ID (which I created only because I have friends on MS Messenger, not because I wanted to), and it's nothing but one solid headache. Just as an experiment, I've tried to log in to a number of sites with Passport using my regular browser, Safari, and it never works. It works fine in Internet Explorer, though -- gee, you don't suppose MS purposely designed it not to function with any browser other than its own, do you? Nah... I mean, they've never done anything like that before...

  • by zeno_2 (518291) on Tuesday March 23, 2004 @09:02PM (#8651366)
    I used to work helpdesk for Microsoft. Well it was another company that they contracted, but anyway. After doing Win98 support I got moved to multimedia and games. Part of that support was for Asherons Call.

    Asherons Call (when it originally came out) used the MSN Zone login system to keep track of whos in the game, who has accounts, etc. Probably a year or so later, they (being Microsoft) decided that it would be better of all of the MSN Gaming Zone went to passport instead of using their own login system. When this first went thru, the passport servers got hammered, and people were unable to make passport accounts. Most of these people that were making new accounts were because of Asherons Call. Then the real troubles began.

    First, they had it setup so only one active Asherons Call account could be tied to a passport. Sure, you could have multiple accounts under one passport, but you would have to go to the Asherons Call website each time you wanted to use a different account, and change that info on the webpage. (What pretty much happens is you login to passport when you go to the AC page, and then you go into the game, you dont put another password or anything in the actual game interface). So, when you logged in, it just used the "active" AC account tied to the passport you used. This really isn't a big deal for those who have just one account, but there was a lady who called in with 22 AC accounts. Don't ask me why she had so many, people get a little crazy with these games I guess. So, for her to be able to easily login to each one of those accounts, she would have to create 22 seperate passport accounts. So much for the "single sign in system" that they like to tout so much.

    Second, the MSN Gaming Zone, and Microsoft are pretty much 2 seperate companies. They don't really share much info behind the scenes (im talking support wise). So, when someone called me up, they would say they couldn't login to Asheron's Call. I would have them go thru the process of making a passport account. At times, the passport account creation wouldn't go well, and Microsoft (at least at that time) had not a single person who could really help me with the passport system at all. There really isn't a phone extension I could have called to get more info, i just had to like figure it out on my own. Not something I dont think really should be done in a big support deal. Anyway, walk the person thru creating the passport account, and then going in and linking the AC account with the newely created passport account. For the few weeks after they decided to do this, it was the worst that you could think of, having to fix that 20 times in a day. It wasn't really our problem (games and multimedia) but they didn't have anywhere else for them to go.

    Ok, so that said, I couldn't imagine what a seperate company would get in terms of support when trying to, lets say, integrate passport into thier website. I was representing myself as a Microsoft employee and I couldn't really find anyone to help fix problems with passport, and I was access to the full MSKB (one of the cool things they have, even if it is all just text)Eventually we got some tools towards the end of my days that we could look up what account was tied to what passport, but it really didn't matter much because all the problems we had with it were pretty much taken care of. As a side note, if you were to call them up today, you would be talking to someone in India.
  • by quoll (3717) on Tuesday March 23, 2004 @11:53PM (#8652685)

    Last year we took on a Windows programming contract, so I went ahead and bought an MSDN subscription. In order to log into the online stuff I needed a .Net passport, and this required an email address.

    The address I gave had been around for 3 years and had never received more than a couple of spam messages a week. Within 24 hours of getting the .Net passport that email address was getting over 20 spams a day, and it has grown significantly since then. (Thank goodness it wasn't my primary email account!)

    Conclusion: either the passport user list is being sold, or security is nonexistent. Either way this is not a system anyone sane person would subscribe to!

  • by MikeFM (12491) on Wednesday March 24, 2004 @12:51AM (#8653039) Homepage Journal
    Why do we need something like passport? Shouldn't browsers provide this functionality. Or instead of username password combos why can't we authenticate using a single secret key that the user need only remember? Hash the secret key and a seed from the website. Send the hash to the sites to authenticate the user.

    Example:
    User's Passphrase: My dog is brown.
    User's hash: 87c5630aaae21c773ea493aab54022b2
    Site's domain: kavlon.org
    Site's Passphase: Red Rover, Red Rover.
    Site's hash: b4d1fe9cf7b3860a50ec7f21a2c09bb3
    Combined hash: kavlon.org87c5630aaae21c773ea493aab54022b2b4d1fe9c f7b3860a50ec7f21a2c09bb3
    Unique hash: e833a1237ac1afcaeed8f91139dc8e53

    So neither the user nor the site admin need know their hash.. just their passphrase. The site never needs to know the user's private passphrase or hash. The only code the site needs to know is the unique hash which is specific to just that site. Using a one way hash (this used md5's) it's impossible to brute force calculate the value of either passphrase or hash (although obviously the site's hash is public). Because the combined hash uses the site's domain and the browser verifies that domain there is no way for another site to trick the browser into giving it the unique hash for another site.

    With something like this the user only need to remember a single pass phrase and they could type it just once per session on any browser with any website. No doubt there are problems with it but it could be improved and then I think it'd be easier than something like Passport.
  • Sibboleth (Score:3, Informative)

    by KjetilK (186133) <kjetil@@@kjernsmo...net> on Wednesday March 24, 2004 @05:48AM (#8654183) Homepage Journal
    Do people here know about Shibboleth [internet2.edu]?

    I think it looks very interesting, and it is much better than both Passport and Liberty Alliance in that you control your own data and decide yourself what you want to share (if I have understood it correctly).

    I haven't seen it been discussed a lot on /., and:
    2004-02-22 20:10:08 Shibboleth For User Info Exchange (developers,privacy) (rejected)

  • by g_lightyear (695241) on Wednesday March 24, 2004 @05:52AM (#8654200) Homepage
    Time to clear this up.

    1) Liberty Alliance protocols aren't about setting up a single auth provider that the world uses to authenticate you: It's a way of businesses and sites to create an agreement to allow each other to cross-login, or to support logins from foreign systems. Any site wishing to turn its login system into an Identity Provider is free to do so - other sites can then use that federated identity.

    2) Liberty Alliance protocols don't require that one central identity hold all information. Each service provider has a local account which can hold information specific to that service without requiring your private information to be shared indiscriminately.

    You can Liberty-enable a set of websites today. This can be done transparently to users, and is about businesses sharing sign-ons and authentication information without actually having to share your data. Site X doesn't need to have your account information, or your password; it can find out from the identity provider enough information to know whether you've been authenticated, or direct you over to them to authenticate safely.

    Read the docs, folks. It's not Passport. It's not even really *like* passport, in its intended use. It's real, it's implementable, it serves a real purpose, and it's going to be BIG.

Say "twenty-three-skiddoo" to logout.

Working...