Microsoft Privacy

Passport to Nowhere 361

Posted by michael
from the where-did-you-want-to-go-yesterday dept.
prostoalex writes "CNET News.com.com talks about less than glamorous acceptance of Microsoft's single sign-on technology, .NET Passport. Being launched as a single sign-on service for online businesses and competing heavily with open Liberty Alliance project, which so far has produced just a large amount of PDF files, .NET Passport is considered a failure (although not by Microsoft). Turns out, high licensing fees, lack of simple implementation, security leaks and server downtime, were not acceptable to most of potential clients out there."
  • by Anonymous Coward on Tuesday March 23, 2004 @03:45PM (#8648750)

    Microsoft's Passport system was quietly co-designed with the FBI and NSA. In this system the cryptographic systems used to secure passwords were secure against almost any attack, save for brute force. However the NSA built in backdoors to this system.

    The reason for this was to enable snooping of purchases and communications made over "secure" channels. Your neighbour couldn't tell what you were buying, but the government could watch. For example "Mr. Jones has been researching places to buy fertilizer with few credentials needed..."

    This is a terrible system and I'm glad it's dying. It will mean I'm out of a job but it's for the good of the people.
  • by Brigadier (12956) on Tuesday March 23, 2004 @03:45PM (#8648763)


    I am an Architect and I was pretty happy to see Sweets (the product catalogue) uses MSN Passport as their logon service. I have to admit it was convenient, as there are drawbacks to having to remember every online service logon that you subscribe to. It's a pity this couldn't have been implemented better and/or been more successful. It would be interesting to see if Yahoo or AOL takes a stab at this, as everyone I know has a Yahoo login. It would be nice to use it for everything non-critical.
  • by michael path (94586) * on Tuesday March 23, 2004 @03:48PM (#8648796) Homepage Journal
    I had that quote cited and ready to post as well.

    It's still not an issue that exists today. However, I'm an avid user of Paypal because it's more convenient to pay with my username and password submitted only to Paypal's server, and let them return the "Success/Fail" of the payment to the vendor. It made eBay easier. It's easy to subscribe to Slashdot/OSDN using it. It's easier to subscribe to some porn sites using it.

    Granted, that's just the payment piece, and not the centralized repository of all my useful details - but significant just the same.

    Now, if Microsoft bought eBay (and thereby, Paypal), they'd have an existing solution they could extend to suit their needs.

    That said, the moment Microsoft buys eBay is the moment I evaluate auction alternatives.
  • by ioErr (691174) on Tuesday March 23, 2004 @03:49PM (#8648816)
    Interesting claim. Care to, you know, back it up with something?
  • Re:Hmmm (Score:1, Interesting)

    by Anonymous Coward on Tuesday March 23, 2004 @03:50PM (#8648827)
    And Linux is free, and people still buy Windows. Hmmm...
  • by GillBates0 (664202) on Tuesday March 23, 2004 @03:57PM (#8648903) Homepage Journal
    From the .NET Passport page linked to in the blurb, people are supposed to look out for the "button" and when they see it on their site, they can login with their .NET account.

    What's to prevent me from copying their pretty gif and collecting people's logins/passwords?

  • by Fluidic Binary (554336) on Tuesday March 23, 2004 @04:00PM (#8648939) Homepage
    .NET Passports like .NET in general are not merely about today. Many of these sorts of projects are part of a larger scheme of Microsoft, so today's 'failure' is also an investment for the future of their corporation.

    Microsoft is one of many companies that would like to one day see us subscribing for software monthly rather than merely suffering through outlandish licenses, having little knowledge of what is actually going on inside of our infrastructure and ultimately making them into another 'ma Bell'.

    Their goal is seamless computing, controlled entirely by monopolies. I think the advantages of this are clear: Configuration of software could be done automatically based on users preferences, licenses could be validated behind the scenes, displays of resources similar to what you have shown an interest in can be compiled by their networks.

    This future will be dominated by web based resources and applications. Just as Windows allows them to dominate the desktop, .NET was their plan for domination of net commerce and secure applications.

    The downside to all of this is clear I assume.

    I'm glad it is presently considered a failure, I merely hope their long term investment doesn't pay off.

  • Re:Personally.. (Score:2, Interesting)

    by Anonymous Coward on Tuesday March 23, 2004 @04:01PM (#8648957)
    Yes, and wallet services like Passport will eventually become moot if business merger mania continues. I mean, just imagine if Microsoft buys or is bought by a major credit-card issuer like MBNA. Then your credit card will be automatically connected with a PIN that allows you to shop on MS sites, no Passport needed.

    Sound far-fetched? Media companies are buying up content companies and vice versa... US consumer spending is 2/3 GDP and is floated on credit cards. It's only a matter of time before the credit card companies start acquiring retail interests. Wal-mart + Fleet/BOA?
  • by Otter (3800) on Tuesday March 23, 2004 @04:02PM (#8648970) Journal
    "Microsoft was kind of pushing Passport for a problem that didn't exist..."

    I wouldn't say the problem doesn't exist -- every time a link takes me to an article at the LA Times, Chicago Sun, Telegraph or any other paper that requires me to remember some crazy new userid or to go through a lengthy registration process, there's a problem, usually solved by my deciding it's not worth it. Or bidding on eBay from the library, or...

    As you say, a central repository seems like a bad solution but I'd really love to have a good one. (And, no, my having to carry everything around on a memory stick is not a good answer. For one thing, you can't just mount them anywhere.)

  • by brucmack (572780) on Tuesday March 23, 2004 @04:05PM (#8648991)
    I attended an MS tech talk a couple of months ago about the identity system coming in Longhorn. It seems like they are really targeting mass acceptance with that one too.

    While I can't remember exactly how everything worked (hey, I was there for the food), it was basically an RSA key system, with the private key stored on one's own computer. The main MS involvement was to have some servers set up to allow one to back up their private key so they aren't screwed over if their computer crashes without a backup... and the presenter seemed confident that there would be non-MS providers of the service as well.

    It seemed like a pretty neat idea anyway... There were also systems in place to allow one to deactivate their key if it was compromised. Basically one's computer could notify all of the places it had exchanged its public key with to tell them that it is no longer valid anymore. It seemed like an interesting system that took a lot of the control away from MS, as long as one trusts the OS not to beam the keys back to them :)

    The only real downside was that it seemed like they weren't too keen on getting the server-side software operating on non-MS platforms. But who knows... It certainly seems to be a better solution than Passport, since there would be no fees beyond having a supported OS.
  • Too expensive (Score:5, Interesting)

    by truelight (173440) on Tuesday March 23, 2004 @04:05PM (#8648998) Homepage
    Passport has extremely high potential. I tried it out a while back... I went to Slate.com after signing up for a passport, and clicked the "Sign In" button. Now, I had never visited Slate, nor did they have any data on me prior to this. When I clicked "Sign In", that was it. I was registered. No filling out forms. No nothing. From a usability standpoint, Passport has tremendous potential.

    With that said, the fees are absolutely horrendous. I checked it out - $1000/year for "small implementations", and $10000 for other. While I'm all for paying for a good solution, I can't see how having a single-sign-in solution on any website would generate $10000/year in profits.

    I'm sure it would catch on like wildfire if they just lowered the fees to more manageable levels.

    Oh, and buy paypal.
  • Re:Personally.. (Score:4, Interesting)

    by CdBee (742846) on Tuesday March 23, 2004 @04:10PM (#8649040)
    I used to use Passport to sign into eBay UK but it failed about every other time. I ended up abandoning that account and starting a new one due to the low reliability.

    I lost several good auctions thanks to that POS system!
    I suspect my experience wasn't atypical and has led to this.
  • by Gr8Apes (679165) on Tuesday March 23, 2004 @04:14PM (#8649082)

    .NET was originally a set of web services, then a service platform, then a server OS, then a set of services on a server OS, then a development platform, and, now, the most known .NET (because I think there's more than one, MS couldn't tell me for sure though) is the multiple language to bytecode platform/compiler.

    Is it any surprise that .NET appears to be fading away? Anything that mucked up by schizophrenic marketing would have to be simply the best thing since the goose that laid gold eggs to survive. And MS's products are definitely not that. (that's not an opinion, see the recent virus outbreak reports for why - just about every major MS product's been hit in the last 6 months)

  • by LostCluster (625375) * on Tuesday March 23, 2004 @04:21PM (#8649134)
    Passport has gotten a lot of bad press, but there's three other major single signon systems in circulation that nobody talks about...

    AOL's ScreenName Service is used on all Time Warner web properties and partners, including AIM, the Netscape sites, all of the magazines they own and EA's Pogo games site.

    Disney's Go Network may have failed as a portal, but every web domain Disney owns still redirects to a subdomain of go.com such as ABC.go.com and ESPN.go.com. Therefore, there's a full network of news content, e-mail, and a few shopping sites contained there, all of which are Disney-owned properties.

    Yahoo also has a full "network" of sites within the Yahoo.com domain... e-mail, an IM client, games, shopping, and let's not forget there's a search engine there too. Yahoo lets several partners have your entire account information simply by offering a one-click registration into a site such as WorldWinner.com from their games section.

    So, while all the bad press is being aimed at MS... several just as invasive services have quietly gained power.
  • by Maudib (223520) on Tuesday March 23, 2004 @04:26PM (#8649175)
    Yes, online banking. I hate Microsoft Passport, however Microsoft Money is quite good. My banks use Passport to automate MS Money's connection to them. The accounting, portfolio and transaction management is massively simplified thanks to Passport. Granted my paranoia led me to encrypt the whole drive the MS Money files were stored on, but it is still very useful. A level of integration was achieved here that I have not seen anywhere else. It is quite excellent, and I wish there was an alternate provider.
  • Wrong way around (Score:4, Interesting)

    by realnowhereman (263389) <andyparkins@gmai[ ]om ['l.c' in gap]> on Tuesday March 23, 2004 @04:29PM (#8649224)
    I think the idea of single sign on is a good one. The problem is, it shouldn't be implemented on the server side. KDE's new KWallet system is a very good example of how this should work - I keep all my logons locally, encrypted, and in a trusted place - my privacy is not at any more risk than it ever was. Now, I single sign on to the KWallet system, which is then used by konqueror/kopete/kmail/whatever to auto-logon wherever I go.

    With a little bit of support server side (perhaps a standard way of passing logon information to HTTP servers - if the existing method is not deemed good enough) this could easily fake the entire passport system with no need for any centralised server.
  • by DrSkwid (118965) on Tuesday March 23, 2004 @04:42PM (#8649387) Homepage Journal
    here's Glenda's [bell-labs.com]

    In plan9 the single sign on is a bit different, as it can save credentials for your regular internet services such as ftp, ssh, vnc, pop3, imap

    secstore is an encrypted file store, one of which is your factotum keys

    here's some example keys (SECRET is where my password would be):

    key proto=pass server=www service=ftp user=matt !password=SECRET
    key proto=p9sk1 dom=outside.plan9.bell-labs.com user=mattp9 !password=SECRET
    key proto=pass server=colo service=ssh user=matt !password=SECRET
    key proto=vnc server=kit user=matt !password=SECRET

    one can load one's passwords into a text editor and add/remove them in secstore

    or do echo 'key proto=vnc server=kit user=matt !password=SECRET2' > /mnt/factotum/ctl

    if the key is not present, factotum prompts you for it and remembers it while you are logged into the terminal

    When you log out factotum forgets all the entries not in secstore

    It's a great system, I just enter my secstore password at boot and I have passwordless access to the services I have stored.

    though one tends to just hit power when you go to lunch, you can just do 'kill factotum | rc' to unload all the keys and then 'ipso factotum' to load them from secstore again (I think that's how you unload them, I've never done it)

    servers need not know anything about it, no .NET libs to compile against or licensing fees to pay
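    The key lines above are attribute=value tuples, and the leading '!' is what marks an attribute as secret. As an added illustration (my own code, not part of the post or of Plan 9's factotum), here is a small parser for that line format that keeps the '!'-attributes apart from the public ones, renders a key for display with the secret values withheld (the way a listing should, showing only '!password?'), and selects keys by their public attributes the way a client would ask for "the ssh key for host colo". The keystore is constructed from the post's own four lines, with SECRET as a placeholder rather than a real password.

```python
import shlex
from dataclasses import dataclass

# Constructed sample keystore, copied from the shape of the lines in the post.
# The SECRET values are placeholders, not real credentials.
SAMPLE_KEYS = """\
key proto=pass server=www service=ftp user=matt !password=SECRET
key proto=p9sk1 dom=outside.plan9.bell-labs.com user=mattp9 !password=SECRET
key proto=pass server=colo service=ssh user=matt !password=SECRET
key proto=vnc server=kit user=matt !password=SECRET
"""


@dataclass
class Key:
    attrs: dict     # public attribute=value pairs (proto, server, user, ...)
    secrets: dict   # values whose attribute name began with '!'


def parse_key(line: str) -> Key:
    """Parse one 'key attr=val ...' line of the kind written to /mnt/factotum/ctl."""
    parts = shlex.split(line)          # tolerates quoted values that contain spaces
    if not parts or parts[0] != "key":
        raise ValueError(f"not a key line: {line!r}")
    attrs, secrets = {}, {}
    for tok in parts[1:]:
        if "=" not in tok:
            raise ValueError(f"malformed attribute: {tok!r}")
        name, value = tok.split("=", 1)
        if name.startswith("!"):
            secrets[name[1:]] = value  # secret attribute: never echo this value
        else:
            attrs[name] = value
    return Key(attrs, secrets)


def parse_keystore(text: str) -> list:
    """Parse a whole keystore, one key per non-blank line."""
    return [parse_key(line) for line in text.splitlines() if line.strip()]


def redacted(key: Key) -> str:
    """Render a key for display with secret values withheld, e.g. '... !password?'."""
    pub = " ".join(f"{n}={v}" for n, v in key.attrs.items())
    sec = " ".join(f"!{n}?" for n in key.secrets)
    return " ".join(part for part in ("key", pub, sec) if part)


def find_keys(keys: list, **want) -> list:
    """Select keys whose public attributes match every given name=value pair."""
    return [k for k in keys if all(k.attrs.get(n) == v for n, v in want.items())]


if __name__ == "__main__":
    for k in parse_keystore(SAMPLE_KEYS):
        print(redacted(k))
```

    Running it prints the four keys with every password replaced by '!password?', and find_keys(keys, service="ssh") returns only the colo entry; the point of separating the two dictionaries is that nothing that formats or logs a key can reach the secret values by accident.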

  • by blanks (108019) on Tuesday March 23, 2004 @04:43PM (#8649398) Homepage Journal
    I don't see how having your personal information stored on hundreds and even thousands of non-central repositories would be any better......

    I would feel much better with all my personal information being stored on MY machine, and having specific sites that I allow to access this information, than having my personal information stored everywhere on the net in databases, or having passport-like systems working together with sites.

  • by drinkypoo (153816) <martin.espinoza@gmail.com> on Tuesday March 23, 2004 @04:52PM (#8649510) Homepage Journal
    This is exactly why a service like this will never work. Much better for everyone to adopt digital certificates. They could be stored in smart cards (seems to be the defacto standard) or iButtons or whatever, you can copy them to multiple devices, and you will have to enter an optional key to access them in the first place, then the key to use them. Certs can be issued by whoever, the issuer maintains the signature and public key.

    With smart card readers being installed anywhere and everywhere (Lots of PC motherboards even now have a header for one, and the slot is cheap) it seems like that would make the most sense. They're showing up on credit cards too.

  • by Mr. Piddle (567882) on Tuesday March 23, 2004 @05:33PM (#8649942)
    Web services are much easier to manage with a centralized authentication system (rather than dealing with many separate passwords/certificates per application).

    While true in theory, I still agree that there really isn't a problem to solve, at least not with the amount of technology in Passport.

    For example, having accounts on multiple sites isn't a big problem at all. As far as security goes, I set up username/password choices in tiers. Many non-essential sites get a standard username and password (a non-dictionary hard-to-guess password at that). E-mail gets an entirely different password for better compartmentalization. My home computer gets yet another password.

    With three or four levels of compartmentalization, password management isn't something I lose sleep over. Also, I'd much rather each site have its own account information, so there's little chance that one site could figure out what other sites I visit.

  • by mdfst13 (664665) on Tuesday March 23, 2004 @05:56PM (#8650182)
    That assumes that you are going to go to an overall weaker system. Previously, you had $2000 total protected by $2500 worth of security. Afterwards, you have $2000 protected by $500 of security. Why did you cut out $2000 of security? Maybe that's the only option, but that is a big starting assumption.

    Another issue is that while the first 10 piles may each be protected by $200 worth of security, what if they are easier to compromise in bulk? They share a user right? Chances are, you simplify the system either by sharing passwords across multiple piles or by using some consistent algorithm to generate passwords.

    For example, if you share the same password across all ten, that's really $200 total of security. Once you compromise one, you've compromised all. If the user has a consistent algorithm, perhaps compromising three reveals the algorithm: that would be $600 worth of security.

    Now, compare that to one system where it costs $2500 to break the single password. On that system, $200 or $600 gets you nothing. If either of the above situations occur, you would get everything even in the decentralized system. If neither applies, you still get back half the money for looking.

    Another issue is password difficulty. The easiest passwords to remember are things like names and birthdays. However, these are also the easiest to crack. If I have just one password, I use it enough that I can afford to make it complicated (capitalization, numbers, characters, long, etc.). If I have many, I need them to be relatively simple. Heck, if I just string my 20 passwords together, that doesn't increase the difficulty in an additive fashion but in an exponential or at least factorial (there are 20! ways to arrange 20 passwords) fashion. Maybe instead of $2500 security I now have $12,500 of security.

    Another example. I am willing to carry one random number generator as a key chain. I am not willing to carry twenty. See what I mean? There are things that a single system can do that multiple systems can't.

    Given the assumptions, the statement is quite correct. I'm just not convinced that the assumptions will always hold.
  • by tota (139982) on Tuesday March 23, 2004 @06:04PM (#8650285) Homepage
    What a coincidence, a co-worker (sitting just across my desk) could not get in to his hotmail account today, but he could get in to another MS server, so he called support and told them that somehow he knew his password but the hotmail site wouldn't take it.


    Guess what, they told him his new password over the phone, without asking for a single proof of identification!

    When he asked them if, maybe they were supposed to check his identity first, he got nowhere (something like "thanks, noted" - I couldn't hear the other end of the conversation at this point)


    That's trusted computing?

    Trusts who?

  • by mdfst13 (664665) on Tuesday March 23, 2004 @06:16PM (#8650449)
    I'm not sure how the Microsoft version works, but if I were implementing something like this, I would never allow logins to come from the site. Instead, I would require the site and user to log in to my system separately. Then I would give them a unique identifier or something to check if the user is logged on to the central system.

    For example, I might create two unique encryption/decryption key pairs and give one decrypt to the site and the corresponding encrypt to the user and give the other decrypt to the user and the corresponding encrypt to the site. Now they can communicate safely with private key encryption.

    Note that neither the site nor the user ever has login info for the other. Remember to discard the keys when done.

    A side effect of this is that instead of getting a login page when you try to connect to a site using the system when you are not logged in, you would get an error page (you are not logged in; please go to the appropriate place and log in). This would be mildly inconvenient but much more secure.
  • Re:It 's a lot like (Score:3, Interesting)

    by krray (605395) * on Tuesday March 23, 2004 @06:53PM (#8650751)
    .Mac I use though. The absolutely wonderful video chat with your auto-AIM account helps (though you can get a free AIM account and go to town too).

    Moving from the Mac @ home to the laptop to the Mac at the office ... there's nothing like having all your mail on IMAP servers, identical bookmarks in the browser, identical address book entries, identical calendars (of course this all also goes on the iPod for easy use on the road :).

    Heck, once in a while I'll find I'd like to quickly move a few dozen work .DWG files. Sure, I could email them to myself, but I can also just drop them on my iDisk. Locally cached and seamlessly implemented. Don't knock it until you try it...

    I also use the @Mac.com address for administrative type email (of course auto-filtered as well) -- with another home email and work email address available. All separated, but all also the same "Inbox" -- everywhere. It's a backdoor way to reach me if you've been blocked accidentally on the over aggressive spam filtering _I_ do @ work and @ home. Well worth the $100/yr IMHO.

    Yeah, there's also free virus software included, but what for? To scan YOUR Windows files? I don't bother...
  • by quoll (3717) on Tuesday March 23, 2004 @10:53PM (#8652685)

    Last year we took on a Windows programming contract, so I went ahead and bought an MSDN subscription. In order to log into the online stuff I needed a .Net passport, and this required an email address.

    The address I gave had been around for 3 years and had never received more than a couple of spam messages a week. Within 24 hours of getting the .Net passport that email address was getting over 20 spams a day, and it has grown significantly since then. (Thank goodness it wasn't my primary email account!)

    Conclusion: either the passport user list is being sold, or security is nonexistent. Either way this is not a system any sane person would subscribe to!

  • by MikeFM (12491) on Tuesday March 23, 2004 @11:51PM (#8653039) Homepage Journal
    Why do we need something like passport? Shouldn't browsers provide this functionality. Or instead of username password combos why can't we authenticate using a single secret key that the user need only remember? Hash the secret key and a seed from the website. Send the hash to the sites to authenticate the user.

    Example:
    User's Passphrase: My dog is brown.
    User's hash: 87c5630aaae21c773ea493aab54022b2
    Site's domain: kavlon.org
    Site's Passphrase: Red Rover, Red Rover.
    Site's hash: b4d1fe9cf7b3860a50ec7f21a2c09bb3
    Combined hash: kavlon.org87c5630aaae21c773ea493aab54022b2b4d1fe9cf7b3860a50ec7f21a2c09bb3
    Unique hash: e833a1237ac1afcaeed8f91139dc8e53

    So neither the user nor the site admin need know their hash.. just their passphrase. The site never needs to know the user's private passphrase or hash. The only code the site needs to know is the unique hash which is specific to just that site. Using a one way hash (this used md5's) it's impossible to brute force calculate the value of either passphrase or hash (although obviously the site's hash is public). Because the combined hash uses the site's domain and the browser verifies that domain there is no way for another site to trick the browser into giving it the unique hash for another site.

    With something like this the user only need to remember a single pass phrase and they could type it just once per session on any browser with any website. No doubt there are problems with it but it could be improved and then I think it'd be easier than something like Passport.
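    The scheme sketched above (browser hashes the passphrase, concatenates the verified domain with the user hash and the site's public hash, and hashes again) is concrete enough to run. The following is an added example written for this page, not code from the poster; it uses MD5 only because the post does, and makes no claim that its digests match the values quoted in the post. The Browser side derives the per-site token from the domain it actually verified, and the Site side stores the token the way it would store a password hash and compares it in constant time, since for that site the token is a static secret that grants the account.

```python
import hashlib
import hmac


def digest(s: str) -> str:
    """Hex digest of a string. MD5 mirrors the post's example; it is not a recommendation."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


class Browser:
    """Holds the one passphrase for the session and derives a distinct token per verified domain."""

    def __init__(self, passphrase: str):
        self._user_hash = digest(passphrase)  # the passphrase itself is never sent anywhere

    def token_for(self, verified_domain: str, site_hash: str) -> str:
        # verified_domain is the domain the browser confirmed it is connected to,
        # not a value supplied by the page, which is what binds the token to one site.
        return digest(verified_domain + self._user_hash + site_hash)


class Site:
    """A relying site: publishes its site hash, stores tokens like password hashes."""

    def __init__(self, domain: str, site_passphrase: str):
        self.domain = domain
        self.site_hash = digest(site_passphrase)  # public, as the post notes
        self._accounts = {}                       # token -> account name

    def login(self, token: str) -> str:
        """Return the account for a known token; first sight creates the account
        (the 'click Sign In and you are registered' flow the post describes)."""
        for known, name in self._accounts.items():
            if hmac.compare_digest(known, token):   # constant-time comparison
                return name
        name = f"user{len(self._accounts) + 1}"
        self._accounts[token] = name
        return name


if __name__ == "__main__":
    browser = Browser("My dog is brown.")          # constructed, from the post's example
    site = Site("kavlon.org", "Red Rover, Red Rover.")
    token = browser.token_for(site.domain, site.site_hash)
    print(site.login(token), token)
```

    Two properties fall out of the code and are what a site operator should check for: the same passphrase yields different tokens for different domains, so a token given to one site is useless at another, and the user hash never appears inside the token the site receives. What the site holds is still a bearer credential for that one site, which is why it is stored and compared like a password hash.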
  • by bonhomme_de_neige (711691) on Wednesday March 24, 2004 @12:14AM (#8653152) Homepage
    For example, having accounts on multiple sites isn't a big problem at all.

    The problem isn't remembering your passwords (you have local password managers for that, such as the one built into Mozilla, which are much more secure simply because your home PC would need to be compromised to even begin cracking at the password list... that is assuming you keep your home PC reasonably secure). The problem is signing up to all those sites. Each time you have to fill out a form, wait for an activation email, then activate your account, etc. etc.

    If your sole purpose for creating an account was to post a comment on some forum, which you more than likely will never want to post on again in your life, then there's a good chance that you'll just say "fuck it" and whatever you wanted to say will go unposted. But if instead of going through that pain you can just click the "Log me in with Passport" button and then post your message, it's a lot more likely to end up posted.

    I've found myself in this situation on several software support forums, where I was looking for a solution to some problem, and someone else had already posted the same problem, but it had not been answered. After I work out how to solve it by myself, often I want to be nice and post the solution, but the effort of creating an account essentially for someone else's gain is simply too much (I'm not an altruist ;p)

    The reason Passport failed (apart from the ones cited already) is simple: trust. In order for such a service to work people have to trust the organisation they're giving their personal info to. This already rules out Microsoft as a viable implementor of such a program - how many people genuinely trust MS enough?
