Passport to Nowhere

prostoalex writes "CNET News.com.com talks about less than glamorous acceptance of Microsoft's single sign-on technology, .NET Passport. Being launched as a single sign-on service for online businesses and competing heavily with open Liberty Alliance project, which so far has produced just a large amount of PDF files, .NET Passport is considered a failure (although not by Microsoft). Turns out, high licensing fees, lack of simple implementation, security leaks and server downtime, were not acceptable to most of potential clients out there."

Only used in hotmail

[sapped]

I actually created a passport login to see how many places they would use it and if it would be beneficial. Thus far I have only seen it used with Hotmail and on the MSN site. Have any others seen it used on other non-Microsoft sites?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Only used in hotmail

[tim_uk]

I've used Passport to sign into Ebay. It seems to work fine there.

Tim

Re:Only used in hotmail

[Anonymous Coward]

Match.com
Expedia.com (hasn't been a Microsoft product since 1999)
Ebay.com
Paypal.com

There are a few others, but those are the ones that immediately come to mind.

Vendors don't want it.

[AnotherBlackHat]

From the article

"I can't imagine a Web site today being willing to pay $10,000 a year and go through the whole process necessary to implement Passport."

Hello? It's not very easy to imagine a site that's willing let a third party handle customer information for free.

Most companies aren't even willing to tell you how many customers they have, much less let you collect personal information about them.

-- this is not a .sig

Re:Problem that doesn't exist big time...

[jfengel]

The problem isn't managing passwords for a web site. The problem is managing passwords for ALL web sites.

How many accounts do you have, between eBay and paypal and Amazon and slashdot and ...? Do you use a different password for each one? Aren't you the least bit worried that the Slashdot editors will use your Slashdot password against your Amazon account?

The idea of Single Sign-On is to put all of your eggs in one basket, then make sure it's a really good basket. Nobody trusts Microsoft to make that really good basket, but it doesn't mean that they're not trying to solve a real problem. It's a tricky one, because the trust factor is scary, and the stakes are very high.

Re:eBay

[ptr2void]

They do. One more reason to avoid eBay.

Re:Problem that doesn't exist big time...

[ohsoot]

I use Password Safe [schneier.com] to store my passwords. The program can fit on a floppy disk, and doesn't modify the registry. It is a free, open source program, and the database file is in your control. (I keep a copy on yahoo briefcase, so I can access it anywhere)

It does have the single point of failure issue, but I consider this an acceptable trade off considering I now use very long, complex and different passwords for everything.

I had no idea how many UID's/Passwords I had until I started using this program.

Re:Favorite quote from TFA

[Anonymous Coward]

It's not a problem I have with Microsoft, rather it's a problem I have with giving all of my personal information to a single organization to put into a central respository.

Welcome to George Bush's America: it's not your choice anymore. [infoworld.com]

Re:Favorite quote from TFA

[Otter]

Both of you guys miss my point -- yeah, Mozilla and Konqueror remember my logins, on a single computer! They don't transfer between work and home and they certainly don't help me at a public terminal! Thus, Passport.

Re:Only used in hotmail

[Deimios]

I work for an ISP that provides MSN wholesale to customers and we have to use a .net passport to sign into the customer information tool, its a pain in the ass.

Re:Only used in hotmail

[lrucker]

there are LOTS of sites that use it. Starbucks, eBay, Citicards.com....

When Passport was new, that was the only way you could buy stuff at Starbucks website, but they've made it optional since then.

Re:Favorite quote from TFA

[MagicBox]

Well the IDEA was brilliant. However, there's a huge difference between thinking the idea and implementing it the was it's supposed to to be. I also think MS had the logic of implementation correctly, and a partially working .NET passport system (which personally I have never used beyond signing in to hotmail). There is a few reasons that Passport was *doomed* from the very beginning, and two come to mind right away:

1) The venerable WEB is just not able to handle such complex task. It'll fall prey to hackers and vandals. We do not understand Internet deep enough to be able to complete such tasks in total security and privacy. There's too many holes, that even those who look for them 24/7 haven't found yet. Internet has grown much faster than our ability to understand it and study it.

2) one word: Microsoft. Yes they probbably have all my info collected little by little over the years, but I'll give that the benefit of the doubt, what I don't want to do it trust something (someone) that cannot be trusted. I am not bashing MS, I know they are trying HARD....but it's gonna take time and some radical changes for that to happen.

the solution for logon-itis...

[-O.ster_66]

check out BUGMENOT [bugmenot.com]

Ebay uses passport.

[blanks]

http://cgi3.ebay.com.au/aw-cgi/eBayISAPI.dll?Passp ortSignInShow&pt=-1&finalURL=

Did some more searching, and yes ebay ueses passport.

Does this mean paypal uses passport? If not will it?

Apple's Keychain

[diamondsw]

What works well is Apple's Keychain idea.

If you want, all of your passwords (web sites, iDisk, e-mail, etc) are all stored in your encrypted keychain on your computer. When you login and authenticate your primary keychain is unlocked, allowing programs that stored passwords to access them. Programs cannot access others' passwords without your consent (in the form of "The application blah wants to access your keychain. Do you want to allow this?"). As would be expected, the whole shebang is encrypted on disk, I believe with AES. Finally, if you don't want all of your passwords in one spot, you can create multiple keychains (e-mail accounts, financial sites, other web sites) and unlock them only as needed.

It's all local, all secure, very flexible, and by default so easy it's completely transparent.

LDAP?

[Anonymous Coward]

Not that anyone will ever see this, but it seems that a distributed LDAP database answers most of the problems raised in these various articles. You get decentralized security/management with referral chasing while at the same time having a global tree-like infrastructure like DNS, so a single originating query retrieves the requested information.

Adopting a common lookup structure to filter on (and this can be accomplished via referral chasing as well so that existing structures can be acommodated) would mean that your email address would identify you and your password would authenticate you to web services anywhere, with permissions based on the DN of the bind - if I supply me@domain.com, I authenticate via uid=me,cn=users,dc=domain,dc=com and the password I supply, and permissions are granted/withheld based on components of the DN.

With referrals security and authentication is left up to individual LDAP directory administrators.

Re:Only used in hotmail

[dasmegabyte]

I needed to open a Passport account to get content on my Verizon phone.

Once I did, it opened the doors to tons of content I didn't give a shit about. I just wanted to delete all the useless bookmarks they shove in there.

Re:My "Passport"

[Kor49]

I think I am slow today. Why was parent modded funny ? I do what's described already by using a neat program called Password Safe (on sf.net, by Schneier's company). It copies the password to the clipboard and after you paste it, close psafe, and clipboard is cleared.

Re:MS isn't giving up...

[mosschops]

The main MS involvement was to have some servers set up to allow one to back up their private key so they aren't screwed over if their computer crashes without a backup...

Isn't the whole point of private keys so only you have them? People need to take some responsibility in looking after their private data. I think I'll pass on their oh so kind offer...

I'll stick with private local backups, especially considering Microsoft's far-from-perfect security record.

Of course Passport is flopping.

[Zathras26]

First of all, as others in this thread are already pointing out, the security issues are problematic, to say the least... you want to store all that financial information in a Microsoft server, with Microsoft's terrible security record? No, thanks.

Second, Microsoft already has a ridiculous amount of power over the lives of the ordinary consumer, and the ordinary consumer knows it and deeply resents it. Even if they're not technically literate enough to be able to use non-MS products regularly, they still don't want to give Billgatus of Borg any more power over them than they absolutely have to.

Related to that, Passport is designed to force people to use MS products. I have a Passport ID (which I created only because I have friends on MS Messenger, not because I wanted to), and it's nothing but one solid headache. Just as an experiment, I've tried to log in to a number of sites with Passport using my regular browser, Safari, and it never works. It works fine in Internet Explorer, though -- gee, you don't suppose MS purposely designed it not to function with any browser other than its own, do you? Nah... I mean, they've never done anything like that before...

My background on this..

[zeno_2]

I used to work helpdesk for Microsoft. Well it was another company that they contracted, but anyway. After doing Win98 support I got moved to multimedia and games. Part of that support was for Asherons Call.

Asherons Call (when it originally came out) used the MSN Zone login system to keep track of whos in the game, who has accounts, etc. Probably a year or so later, they (being Microsoft) decided that it would be better of all of the MSN Gaming Zone went to passport instead of using their own login system. When this first went thru, the passport servers got hammered, and people were unable to make passport accounts. Most of these people that were making new accounts were because of Asherons Call. Then the real troubles began.

First, they had it setup so only one active Asherons Call account could be tied to a passport. Sure, you could have multiple accounts under one passport, but you would have to go to the Asherons Call website each time you wanted to use a different account, and change that info on the webpage. (What pretty much happens is you login to passport when you go to the AC page, and then you go into the game, you dont put another password or anything in the actual game interface). So, when you logged in, it just used the "active" AC account tied to the passport you used. This really isn't a big deal for those who have just one account, but there was a lady who called in with 22 AC accounts. Don't ask me why she had so many, people get a little crazy with these games I guess. So, for her to be able to easily login to each one of those accounts, she would have to create 22 seperate passport accounts. So much for the "single sign in system" that they like to tout so much.

Second, the MSN Gaming Zone, and Microsoft are pretty much 2 seperate companies. They don't really share much info behind the scenes (im talking support wise). So, when someone called me up, they would say they couldn't login to Asheron's Call. I would have them go thru the process of making a passport account. At times, the passport account creation wouldn't go well, and Microsoft (at least at that time) had not a single person who could really help me with the passport system at all. There really isn't a phone extension I could have called to get more info, i just had to like figure it out on my own. Not something I dont think really should be done in a big support deal. Anyway, walk the person thru creating the passport account, and then going in and linking the AC account with the newely created passport account. For the few weeks after they decided to do this, it was the worst that you could think of, having to fix that 20 times in a day. It wasn't really our problem (games and multimedia) but they didn't have anywhere else for them to go.

Ok, so that said, I couldn't imagine what a seperate company would get in terms of support when trying to, lets say, integrate passport into thier website. I was representing myself as a Microsoft employee and I couldn't really find anyone to help fix problems with passport, and I was access to the full MSKB (one of the cool things they have, even if it is all just text)Eventually we got some tools towards the end of my days that we could look up what account was tied to what passport, but it really didn't matter much because all the problems we had with it were pretty much taken care of. As a side note, if you were to call them up today, you would be talking to someone in India.

Vapor? Definitely not.

[g_lightyear]

It's not vapor folks. The fact that you may not *see* the fact that your name is getting federated across a set of services as a federated namespace in Liberty has nothing to do with whether or not federated names are in use.

We're just about to ship, transparently, a Liberty architecture here - and we're doing so internally amongst ourselves and our assembled services. There's nothing vapor about the technology.

The fact that there's no pretty website offering a "Passport" to be used anywhere on the internet for Liberty is missing the point: that isn't what Liberty is all about. The fact that you could has nothing to do with whether or not you *would* do so.

Sibboleth

[KjetilK]

Do people here know about Shibboleth [internet2.edu]?

I think it looks very interesting, and it is much better than both Passport and Liberty Alliance in that you control your own data and decide yourself what you want to share (if I have understood it correctly).

I haven't seen it been discussed a lot on /., and:
2004-02-22 20:10:08 Shibboleth For User Info Exchange (developers,privacy) (rejected)

There's a lot of really random comments, here.

[g_lightyear]

Time to clear this up.

1) Liberty Alliance protocols aren't about setting up a single auth provider that the world uses to authenticate you: It's a way of businesses and sites to create an agreement to allow each other to cross-login, or to support logins from foreign systems. Any site wishing to turn its login system into an Identity Provider is free to do so - other sites can then use that federated identity.

2) Liberty Alliance protocols don't require that one central identity hold all information. Each service provider has a local account which can hold information specific to that service without requiring your private information to be shared indiscriminately.

You can Liberty-enable a set of websites today. This can be done transparently to users, and is about businesses sharing sign-ons and authentication information without actually having to share your data. Site X doesn't need to have your account information, or your password; it can find out from the identity provider enough information to know whether you've been authenticated, or direct you over to them to authenticate safely.

Read the docs, folks. It's not Passport. It's not even really *like* passport, in its intended use. It's real, it's implementable, it serves a real purpose, and it's going to be BIG.