Passport to Nowhere

prostoalex writes "CNET News.com.com talks about less than glamorous acceptance of Microsoft's single sign-on technology, .NET Passport. Being launched as a single sign-on service for online businesses and competing heavily with open Liberty Alliance project, which so far has produced just a large amount of PDF files, .NET Passport is considered a failure (although not by Microsoft). Turns out, high licensing fees, lack of simple implementation, security leaks and server downtime, were not acceptable to most of potential clients out there."

Favorite quote from TFA

[Liselle]

"Microsoft was kind of pushing Passport for a problem that didn't exist..."

I think that more or less hits the nail on the head. This is aside from the downtime issue, which is embarassing, and privacy issues, which are disturbing. On the privacy/downtime note, the Liberty Alliance may be vapor currently, but the idea of a "federated" system sounds much better to me. It's not a problem I have with Microsoft, rather it's a problem I have with giving all of my personal information to a single organization to put into a central respository.

No sir, that's bad sauce.

Personally..

[Caedar]

I never saw a need for .NET Passport in any way. Privacy issues aside, all Passport would achieve for the company using it is something they could already do with simpler, more secure, and less liable technologies already available to them.

"Competing Heavily"?

[American AC in Paris]

[.NET Passport is] competing heavily with open Liberty Alliance project, which so far has produced just large amount of PDF files

...by this logic, one could say that Halo is competing heavily with Duke Nukem Forever, or that Coca-Cola is competing heavily with Cola Turka [colaturka.com.tr]...

I mean, doesn't "competing heavily" imply that there's, well, an active competition in the first place?

Problem that doesn't exist big time...

[192939495969798999]

It is widely pulicized now how to manage passwords for a website -- it's as simple as using other Microsoft tools, and so in a way, passport puts itself out of business by competing poorly with other Microsoft products. Why would anyone not just use an NT auth login, ASP, or one of the myriad of other ways to do a sign-on. The only place I see passports now is places where Microsoft already had a majorly vested business interest. Passport should go right up there with Microsoft BOB , IMHO.

No thanks

[Orien]

I like the concept of passport, but I'm not going to get in bed with Microsoft to put it on my web servers. Besides, it has always seemed to me that doing a scheme like that would introduce so many more points of failure to your web system, that it wouldn't be worth the trouble. That's not to mention security. Somehow I just feel safer when I have to log in to each site separatly.

Failure.

[rhpenguin]

An interesting concept coupled with all the bad parts that were exposed and its a wonder why no one wanted to use it. I use it myself with messenger service, but thats about it. I would not trust the security of my website/webapp to Microsoft.

Re:"Competing Heavily"?

[Anonymous Coward]

Liberty Alliance did its intended job -- FUD Passport and put everyone in a Wait-n-See mode until they all forgot about the idea.

Concept Good, at first.

[jolyonr]

At first, the concept of a global authentication system seems great. We all have too many passwords to remember, the idea behind Passport seems great.

But in reality, there isn't anyone who is secure enough, trustworthy enough, powerful enough and smart enough to pull off a system that would work and would be trusted.

You need to have the strength and power to be able to build such a system, and with those, trust invariably goes out of the window.

So for now I'll keep all my passwords in my brain, and pay the price of my mistrust.

Jolyon

Perhaps entering passwords and form fields...

[Anonymous Coward]

...isn't such a chore that we would need a freakishly-complex infrastructure to save us a couple of keystrokes.

Re:Only used in hotmail

[Anml4ixoye]

Ebay has it where you can use it for sign-in (though I don't), and I have seen it on other sites for registration. I had to get a Passport for work, and I tried it at some of those places. One site I signed-in with Passport, and it still wanted me to fill out all of the registration information - not verify what was there, but actually fill it all in again.

I guess it made me feel good to know they didn't just pass over my information, but made me immediately wonder what it was useful for.

This is not just a passport issue

[Anonymous Coward]

I have yet to ever see a Liberty Federated login screen so I'm not sure that it is even implemented. The Microsoft acceptance outside their own network is shifting, but I think this is an inevitable result of companies not wanting to rely on SLAs for business critical components of their solutions. This really is the single biggest problem of any web service in that you lose control and true accountability. Smart businesses will continue to internalize business critical components.

My $0.02

[pragma_x]

The original concept behind the design of the internet (DARPAnet) was to spread out the whole mess as to make it impervious (or at least resilient) to a tactical nuclear strike.

Fast forward almost three decades and now we should keep desigining it to avoid tactical commercial strikes.

If everything, like commercial web security, was placed in the hands on one trusted authority, some problems would be solved. (I for one welcome single sign-on to all my messageboards and other non-sensitive websites regardless of their affiliation) But build that authority on single corporate entity and the whole mess comes tumbling down once that solitary company folds, runs out of funds or cuts the project. Not to mention that they then have the power to determine limits of use to suit their own agenda.

MS Passport is one such technology that attempted to carve a market niche contrary to the spirit of the medium it was intended to support. The internet is not monolithic and it's use and enrichment should follow.

</soapbox>

Re:Favorite quote from TFA

[PacoTaco]

Microsoft wants to push the distributed web services model. Web services are much easier to manage with a centralized authentication system (rather than dealing with many separate passwords/certificates per application). Whether something like Passport is right for end users is another question.

It 's a lot like

[callipygian-showsyst]

.MAC accounts! And what was the name of that propritary Mac dial-in service that Apple had going for a while?

Re:Favorite quote from TFA

[js3]

That's debatable. I don't know anyone who fancies remembering a bunch of passwords for every site he signs up for. I even have a password manager on my usb flash drive because I can't keep up with password. I could use one password for everything but that's insecure too.

So far I've used the Passport on two sites, mcafees online antivirus subscription site and radioshack.ca whenever I order something

Re:No thanks

[AnotherBlackHat]

I like the concept of passport ...

The entire concept is flawed from the get-go.

If I wanted my passwords stored on a computer, then I might as well do away with them completely.

But assuming I did want to to store my passwords on a computer, I'd want them on my computer.

And if for some reason, I wanted to store them with a third party, I wouldn't want the storage to be a single sourced service.

And if was willing to accept a single sourced service, I still wouldn't want that source to be Microsoft.

And assuming you get past all of the above, you still need to convince the vendor that it's good for them too - and you'll need to convince a lot of them to make it worth while.

-- this is not a .sig

Anyone uses mozilla password thingie?

[alexborges]

I mean. WTF do we need an extra service for if the security manager can do it, also kwallet can remember them all and interact with konqueror....

Even IE can do it i think..... so, i think the single sign on in passport is really a fucking hoax designed to lock linux and OSS out of large datacenters.

Re:2 Things

[El]

Every one of the tens of millions of hotmail customers have and use a .NET passport. That includes many slashdotters (like me). Granted, most of these are throw-away email accounts, but still, they are used.

Re:Generic description

[ThogScully]

I personally think that it's becoming the groupthink/chic thing to do to point out that the Slashdot crowd doesn't like Microsoft.

Personally, I'd say the posting of that story should stand as proof that Slashdot isn't so biased as you seem to indicate. Moreover, whenever good news for Microsoft is posted here, it's generally studied with great detail and flaws are exposed in the methodology. For example, in the story you mention, they ignored worms, viruses, trojans, etc, because they didn't involve a person specifically targetting a specific windows machine for an intrusion. I remember thinking that the only valuable thing to come of that study was that Linux/Unix/whatever required actual human intervention to break into it, while Microsoft wasn't worth the bother when a thousand automated tools do it for you.
-N

Re:Problem that doesn't exist big time...

[Jerf]

The idea of Single Sign-On is to put all of your eggs in one basket, then make sure it's a really good basket. Nobody trusts Microsoft to make that really good basket, but it doesn't mean that they're not trying to solve a real problem. It's a tricky one, because the trust factor is scary, and the stakes are very high.

The most recent Cryptogram [schneier.com] has a highly relevant comment on this issue:

[Suppose t]here are 10 $100 piles, each secured by individual $200 security systems. They're all secure. There are another 10 $100 piles, each secured by individual $50 systems. They're all insecure.

Clearly something must be done.

One suggestion is to replace all the individual security systems by a single centralized system. The new system is much better than the ones being replaced; it's a $500 system.

Unfortunately, the new system won't provide more security. Under the old systems, 10 piles of money could be stolen at a cost of $50 per pile; an attacker would realize a total profit of $500. Under the new system, we have 20 $100 piles all secured by a single $500 system. An attacker now has an incentive to break that more-secure system, since he can steal $2000 by spending $500 -- a profit of $1500.

The problem is centralization. When individual security systems are combined in one centralized system, the incentive to break that new system is generally higher. Even though the centralized system may be harder to break than any of the individual systems, if it is easier to break than ALL of the individual systems, it may result in less security overall.

There is a security benefit to decentralized security.

Crap can flow uphill

[cyberlotnet]

The problem with the whole concept in general to me is security.

Company A holds your credit card information and controls the sign up system.

Company B You make purchases through there system, credit card details are pulled from company A, your happy

Slap on 100 Company B's each with the ability to pull your credit card data so you can make purchases.

You now have 100 new possible locations for a hacker to crack, giving them access to a massive database of credit card data.

A chain is only as strong as its weakest link. The more merchants you add to this style system, the better change your chain will break one day.

Re:Favorite quote from TFA

[prockcore]

I wouldn't say the problem doesn't exist -- every time a link takes me to an article at the LA Times, Chicago Sun, Telegraph or any other paper that requires me to remember some crazy new userid or to go through a lengthy registration process, there's a problem, usually solved by my deciding it's not worth it.

My browser, just like all the other browsers out there, has a nifty little feature which remembers my logins.

If mozilla ever gets that roaming profile idea, then passport is completely useless.

Just how many Google logons do I need?

[LostCluster]

Every registration-requiring service of Google nicely collects no more infomation than it needs to, but there also seems to be very little support for cross-linking registrations from one service to another. As a result, they have distinct logon screens for...

- AdWords
- AdSense
- Google API
- SiteSearch / Websearch
- Blogger

They just keep adding new services, but there's no sign of any unity coming...

Re:Generic description

[nother_nix_hacker]

instead of buying into groupthink, how about explaining and citing examples?

I use Windows, Linux and Solaris every working day. I can put up with Windows on the desktop but on the server it's a joke. Crappy error logs (IIS), amazingly bloated (Windows Server 2003), almost unscriptable (Windows Server 2003), un-modular (Windows Server 2003), Security issues advertised daily... the list just goes on.

I could easily come up with Linux examples supporting the same statement. In fact, Slashdot posted the study showing Linux was the most-breached OS on the net.

Was is sponsored by any chance?

Re:Favorite quote from TFA

[Sigma 7]

Whether something like Passport is right for end users is another question.

While I'm not speaking for everybody, I'm sure there's a large group of people that always hate having to register for every individual website for the sole purpose of posting a single comment. It's one of the many good reasons why Usenet is still around. It's also the same reason why Gamespy's Forumplanet is keeping so many users in spite of having a poor forum interface.

Multiple logins aren't better either. Given the sheer quantity of internet forums, a user will eventaully give up on creating new username/password combinations that they will simply recycle them (a big security risk right there.)

Re:Favorite quote from TFA

[Jim_Maryland]

"Microsoft was kind of pushing Passport for a problem that didn't exist..."

The problem of single sign on (SSO) does exist, particularly in the corporate world. Vendors implimenting Web Portals (MS SharePoint [microsoft.com], Sun Java System Portal Server [sun.com], BEA WebLogic Portal [bea.com], Vignette Portal [vignette.com], etc...) have a particular interest in SSO and identity management via Identity Services to present a single interface to various systems in an enterprise.

My main problem with MS Passport is that it's Microsoft's version of a standard rather than a community standard. Applications can connect via MS's SDK [microsoft.com] rather than publishing the standard. Using Open LDAP [openldap.org], Sun's Identity Server [sun.com], etc... will generally follow open standards and have better compatibiltiy to other open source/standard applications.

Re:Hmmm

[MrPoopyPants]

Who buys windows? People buy computers, it comes with windows. Most people don't know any better.

I know you were joking (at least that's what the moderation indicates) but I just don't see people flocking to the stores to get the latest copy of windows. Adoption of XP has been pretty slow (even though it's the best windows yet). People sit there with spyware, worms, memory leaks, and complete shit on their computers and don't even care. It's amazing what the average computer user will put up with.

Re:Only used in hotmail

[jlechem]

And all it manages to accomplish is people getting their accounts hacked. A hacker gets into a persons passport and voila they have access to eBay and start committing fraud in that persons name.

Re:Favorite quote from TFA

[Cecil]

I'd trust my personal information to Microsoft before I trusted it to Liberty Alliance. Founding member companies are:

American Express, AOL Time Warner, Bell Canada, Citigroup, France Telecom, General Motors, Hewlett-Packard Company, MasterCard International, Nokia, NTT DoCoMo, Openwave Systems, RSA Security, Sony Corporation, Sun Microsystems, United Airlines and Vodafone.

Perhaps it's just me, but it sure sounds like their marketers' wet dream.

Re:Look for the .NET Passport Sign In button

[RadioSilence]

That would be called SSL.

Re:Favorite quote from TFA

[1010011010]

PassPort? Jeesh - you /. dorks will replace a simple 2 second process with one incredibly difficult and annoying just to stay away from MS... You may think you're some sort of "Freedom Fighter", when really you're just a retard.

How's the weather in Redmond?

I'm sure PassPort will protect you from spyware, such as keystroke loggers, on those public terminals, right? And I'm sure that giving MSFT control over my personal authentication tokens is really in my best interest, never mind passport's publicised security problems. Yeah, I'm the retard for not trusting it.

Re:Favorite quote from TFA

[macmaniac]

"Microsoft was kind of pushing Passport for a problem that didn't exist..."

I think that more or less hits the nail on the head. This is aside from the downtime issue, which is embarassing, and privacy issues, which are disturbing. On the privacy/downtime note, the Liberty Alliance may be vapor currently, but the idea of a "federated" system sounds much better to me. It's not a problem I have with Microsoft, rather it's a problem I have with giving all of my personal information to a single organization to put into a central respository.

That's one of the biggest problems that I've ever had with Microsoft's .NET passport system: the idea of putting all of that personal information into a central repository, especially a private central repository.

History has shown us time and time again that it is very possible for even the most secure systems to be compromised, over and over again. Microsoft does not necessarily in many views have a high security track record, and there then is no way that I personally am willing to allow my personal information (including some financial information, as eBay [ebay.com] (at least at one point) is one of the companies that signed on to the .NET passport system) to be put in the hands of a private enterprise's systems, making it among other things an appealing target, paired with the fact that it's Microsoft, doubling the appeal if not more so for some.

Re:Favorite quote from TFA

[YOU LIKEWISE FAIL IT]

a user will eventaully give up on creating new username/password combinations that they will simply recycle them (a big security risk right there.)

How is this any more or less of a security risk than having a single sign-on in the first place? ( Assuming equal security of the account storage, I guess. )

Recycling l/p pairs can lead to 1 -> Several account compromises - single signons can lead to 1 -> All.

YLFI

Old News

[ChicagoDave]

Jeez. The whole passport, name everything .NET, hailstorm junk is like three years old. MS uses passport for its own verification, but they haven't been pushing it for at least two years now. Find something else to gripe about.

MS-Passport is inherently insecure

[SgtChaireBourne]

MS Passport is inherently insecure [avirubin.com] and cannot be made secure, even in theory. To claim otherwise would be false advertising [ftc.gov]. Not to mention that in the terms of service you hand over any privacy you once had, see the FTC link above again for an example of abuse.

I'd be especially wary of sites locked into ASP or .NET, not just for the inherent security problems. PayPal, for example,. is at potential risk, as it is owned by eBay. But read the changes to HotMail or other similarly MS-Passport encumbered services.

There are ways to do secure, platform independent, centralized authentication for web and other services, but MS-Passport isn't one of them. See Kerberos + LDAP instead. If you don't wish to experiment on *BSD or something else, all the major Linux distros include both clients and servers. There are even ways of scaling enourmously [dlib.org]. Universities and libraries with electronic subscriptions should be able to get the most mileage out of Kerberos.

Re:Use PGP?

[Progman2000]

The problem is that anyone can create keys with duplicate names and addresses. What you need to do is associate your (legitimate) key pair with your Slashdot user (for instance). This might take the form of /. giving you a message like "I am [username]" for you to sign and return.

For regular authentication either your browser would need to repeat that process OR /. would send a message encrypted to your key, which you must decrypt and use. Either way, you'll be using your private key in a challenge/response system.

That said, I see no security problem with it unless you get so tired of typing your passphrase that you change it to "asdf". :) It wouldn't hurt to look this situation up in AC2 and see if I missed something.