Slashdot Mirror
Passport to Nowhere
prostoalex writes "CNET News.com.com talks about less than glamorous acceptance of Microsoft's single sign-on technology, .NET Passport. Being launched as a single sign-on service for online businesses and competing heavily with open Liberty Alliance project, which so far has produced just a large amount of PDF files, .NET Passport is considered a failure (although not by Microsoft). Turns out, high licensing fees, lack of simple implementation, security leaks and server downtime, were not acceptable to most of potential clients out there."
"Microsoft was kind of pushing Passport for a problem that didn't exist..."
I think that more or less hits the nail on the head. This is aside from the downtime issue, which is embarassing, and privacy issues, which are disturbing. On the privacy/downtime note, the Liberty Alliance may be vapor currently, but the idea of a "federated" system sounds much better to me. It's not a problem I have with Microsoft, rather it's a problem I have with giving all of my personal information to a single organization to put into a central respository.
No sir, that's bad sauce.
Auto-reply to ACs: "Truly, you have a dizzying intellect."
I never saw a need for .NET Passport in any way. Privacy issues aside, all Passport would achieve for the company using it is something they could already do with simpler, more secure, and less liable technologies already available to them.
Turns out, high licensing fees, lack of simple implementation, security leaks and server downtime
Yet they still buy windows...
I mean, doesn't "competing heavily" imply that there's, well, an active competition in the first place?
Obliteracy: Words with explosions
It is widely pulicized now how to manage passwords for a website -- it's as simple as using other Microsoft tools, and so in a way, passport puts itself out of business by competing poorly with other Microsoft products. Why would anyone not just use an NT auth login, ASP, or one of the myriad of other ways to do a sign-on. The only place I see passports now is places where Microsoft already had a majorly vested business interest. Passport should go right up there with Microsoft BOB , IMHO.
stuff |
I actually created a passport login to see how many places they would use it and if it would be beneficial. Thus far I have only seen it used with Hotmail and on the MSN site. Have any others seen it used on other non-Microsoft sites?
I like the concept of passport, but I'm not going to get in bed with Microsoft to put it on my web servers. Besides, it has always seemed to me that doing a scheme like that would introduce so many more points of failure to your web system, that it wouldn't be worth the trouble. That's not to mention security. Somehow I just feel safer when I have to log in to each site separatly.
SCO.com uses Linux
Liberty Alliance project, which so far has produced just large amount of PDF files
Which is all they intended to produce. Technically Liberty Alliance is a spec, not an implementation.
Now if you are asserting that there are no implementations, the SourceID people would probably disagree with that.
Finkployd
1. I have yet to meet someone who actually has (let alone uses) a .NET Passport.
2. If you are thinking about replying to this message with "I Do!", then I probably won't meet you, so see 1.
If you're not part of the solution, you're part of the precipitate.
At first, the concept of a global authentication system seems great. We all have too many passwords to remember, the idea behind Passport seems great.
But in reality, there isn't anyone who is secure enough, trustworthy enough, powerful enough and smart enough to pull off a system that would work and would be trusted.
You need to have the strength and power to be able to build such a system, and with those, trust invariably goes out of the window.
So for now I'll keep all my passwords in my brain, and pay the price of my mistrust.
Jolyon
Please read my Canon EOS tech blog at http://www.everyothershot.com
...isn't such a chore that we would need a freakishly-complex infrastructure to save us a couple of keystrokes.
Interesting claim. Care to, you know, back it up with something?
Interesting claim. Care to, you know, back it up with something?
Back it up? You must be new here.
Hello? It's not very easy to imagine a site that's willing let a third party handle customer information for free.
Most companies aren't even willing to tell you how many customers they have, much less let you collect personal information about them.
-- this is not a
What's to prevent me from copying their pretty gif and collecting people's logins/passwords?
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
I attended an MS tech talk a couple of months ago about the identity system coming in Longhorn. It seems like they are really targetting mass acceptance with that one too.
:)
While I can't remember exactly how everything worked (hey, I was there for the food), it was basically an RSA key system, with the private key stored on ones own computer. The main MS involvement was to have some servers set up to allow one to back up their private key so they aren't screwed over if their computer crashes without a backup... and the presenter seemed confident that there would be non-MS providers of the service as well.
It seemed like a pretty neat idea anyway... There were also systems in place to allow one to deactivate their key if it was compromised. Basically one's computer could notify all of the places it had exchanged its public key with to tell them that it is no longer valid anymore. It seemed like an interesting system that took a lot of the control away from MS, as long as one trusts the OS not to beam the keys back to them
The only real downside was that it seemed like they weren't too keen on getting the server-side software operating on non-MS platforms. But who knows... It certainly seems to be a better solution than Passport, since there would be no fees beyond having a supported OS.
Passport has extremely high potential. I tried it out a while back... I went to Slate.com after signing up for a passport, and clicked the "Sign In" button. Now, I had never visited Slate, nor did they have any data on me prior to this. When I clicked "Sign In", that was it. I was registered. No filling out forms. No nothing. From a usability standpoint, Passport has tremendous potential.
With that said, the fees are absolutely horrendous. I checked it out - $1000/year for "small implementations", and $10000 for other. While I'm all for paying for a good solution, I can't see how having a single-sign-in solution on any website would generate $10000/year in profits.
I'm sure it would catch on like wildfire if they just lowered the fees to more manageble levels.
Oh, and buy paypal.
.NET was originally a set of web services, then a service platform, then a server OS, then a set of services on a server OS, then a development platform, and, now, the most known .NET (because I think there's more than one, MS couldn't tell me for sure though) is the multiple language to bytecode platform/compiler.
Is it any surprise that .NET appears to be fading away? Anything that mucked up by schizophrenic marketing would have to be simply the best thing since the goose that laid gold eggs to survive. And MS's products are definitely not that. (that's not an opinion, see the recent virus outbreak reports for why - just about every major MS product's been hit in the last 6 months)
The cesspool just got a check and balance.
No, I'm New Here
The problem with the whole concept in general to me is security.
Company A holds your credit card information and controls the sign up system.
Company B You make purchases through there system, credit card details are pulled from company A, your happy
Slap on 100 Company B's each with the ability to pull your credit card data so you can make purchases.
You now have 100 new possible locations for a hacker to crack, giving them access to a massive database of credit card data.
A chain is only as strong as its weakest link. The more merchants you add to this style system, the better change your chain will break one day.
Personal Website
Passport has gotten a lot of bad press, but there's three other major single signon systems in circulation that nobody talks about...
AOL's ScreenName Service is used on all Time Warner web properties and partners, including AIM, the Netscape sites, all of the magazines they own and EA's Pogo games site.
Disney's Go Network may have failed as a portal, but every web domain Disney owns still redirects to a subdomain of go.com such as ABC.go.com and ESPN.go.com. Therefore, there's a full network of news content, e-mail, and a few shopping sites contained there, all of which are Disney-owned properties.
Yahoo also has a full "network" of sites within the Yahoo.com domain... e-mail, an IM client, games, shopping, and let's not forget there's a serach engine there too. Yahoo lets several partners have your entire account infomation simply by offering a one-click registration into a site such as WorldWinner.com from their games section.
So, while all the bad press is being aimed at MS... several just as invasive services have quietly gained power.
Every registration-requiring service of Google nicely collects no more infomation than it needs to, but there also seems to be very little support for cross-linking registrations from one service to another. As a result, they have distinct logon screens for...
- AdWords
- AdSense
- Google API
- SiteSearch / Websearch
- Blogger
They just keep adding new services, but there's no sign of any unity coming...
I think the idea of single sign on is a good one. The problem is, it shouldn't be implemented on the server side. KDE's new KWallet system is a very good example of how this should work - I keep all my logons locally, encrypted, and in a trusted place - my privacy is not at any more risk than it ever was. Now, I single sign on to the KWallet system which is then used by konqueror/kopete/kmail/whatever to auto-logon whereever i go.
With a little bit of support server side (perhaps a standard way of passing logon information to HTTP servers - if the existing method is not deemed good enough) this could easily fake the entire passport system with no need for any centralised server.
Carpe Daemon
For each web site I visit, I have a user ID and then make up a 10 character random password. That's stored in a text file on my laptop which is then encrypted with PGP. When I need to log in to a site, I unencrypt the file, copy/paste the password into the browser, and wipe the file. This is a few more steps than what MS Passport does but is infinitely more valuable to me in making me feel my passwords are relatively secure. BOTH solutions rely on one password to protect all my accounts, but at least in my solution it's a 20-character phrase stored my head instead of one stored in Redmond.
They have the Internet on computers now?
What works well is Apple's Keychain idea.
If you want, all of your passwords (web sites, iDisk, e-mail, etc) are all stored in your encrypted keychain on your computer. When you login and authenticate your primary keychain is unlocked, allowing programs that stored passwords to access them. Programs cannot access others' passwords without your consent (in the form of "The application blah wants to access your keychain. Do you want to allow this?"). As would be expected, the whole shebang is encrypted on disk, I believe with AES. Finally, if you don't want all of your passwords in one spot, you can create multiple keychains (e-mail accounts, financial sites, other web sites) and unlock them only as needed.
It's all local, all secure, very flexible, and by default so easy it's completely transparent.
I don't know what kind of crack I was on, but I suspect it was decaf.
I'm not sure how the Microsoft version works, but if I were implementing something like this, I would never allow logins to come from the site. Instead, I would require the site and user to log in to my system separately. Then I would give them a unique identifier or something to check if the user is logged on to the central system.
For example, I might create two unique encryption/decryption key pairs and give one decrypt to the site and the corresponding encrypt to the user and give the other decrypt to the user and the corresponding encrypt to the site. Now they can communicate safely with private key encryption.
Note that neither the site nor the user ever has login info for the other. Remember to discard the keys when done.
A side effect of this is that instead of getting a login page when you try to connect to a site using the system when you are not logged in, you would get an error page (you are not logged in; please go to the appropriate place and log in). This would be mildly inconvenient but much more secure.
First of all, as others in this thread are already pointing out, the security issues are problematic, to say the least... you want to store all that financial information in a Microsoft server, with Microsoft's terrible security record? No, thanks.
Second, Microsoft already has a ridiculous amount of power over the lives of the ordinary consumer, and the ordinary consumer knows it and deeply resents it. Even if they're not technically literate enough to be able to use non-MS products regularly, they still don't want to give Billgatus of Borg any more power over them than they absolutely have to.
Related to that, Passport is designed to force people to use MS products. I have a Passport ID (which I created only because I have friends on MS Messenger, not because I wanted to), and it's nothing but one solid headache. Just as an experiment, I've tried to log in to a number of sites with Passport using my regular browser, Safari, and it never works. It works fine in Internet Explorer, though -- gee, you don't suppose MS purposely designed it not to function with any browser other than its own, do you? Nah... I mean, they've never done anything like that before...
I used to work helpdesk for Microsoft. Well it was another company that they contracted, but anyway. After doing Win98 support I got moved to multimedia and games. Part of that support was for Asherons Call.
Asherons Call (when it originally came out) used the MSN Zone login system to keep track of whos in the game, who has accounts, etc. Probably a year or so later, they (being Microsoft) decided that it would be better of all of the MSN Gaming Zone went to passport instead of using their own login system. When this first went thru, the passport servers got hammered, and people were unable to make passport accounts. Most of these people that were making new accounts were because of Asherons Call. Then the real troubles began.
First, they had it setup so only one active Asherons Call account could be tied to a passport. Sure, you could have multiple accounts under one passport, but you would have to go to the Asherons Call website each time you wanted to use a different account, and change that info on the webpage. (What pretty much happens is you login to passport when you go to the AC page, and then you go into the game, you dont put another password or anything in the actual game interface). So, when you logged in, it just used the "active" AC account tied to the passport you used. This really isn't a big deal for those who have just one account, but there was a lady who called in with 22 AC accounts. Don't ask me why she had so many, people get a little crazy with these games I guess. So, for her to be able to easily login to each one of those accounts, she would have to create 22 seperate passport accounts. So much for the "single sign in system" that they like to tout so much.
Second, the MSN Gaming Zone, and Microsoft are pretty much 2 seperate companies. They don't really share much info behind the scenes (im talking support wise). So, when someone called me up, they would say they couldn't login to Asheron's Call. I would have them go thru the process of making a passport account. At times, the passport account creation wouldn't go well, and Microsoft (at least at that time) had not a single person who could really help me with the passport system at all. There really isn't a phone extension I could have called to get more info, i just had to like figure it out on my own. Not something I dont think really should be done in a big support deal. Anyway, walk the person thru creating the passport account, and then going in and linking the AC account with the newely created passport account. For the few weeks after they decided to do this, it was the worst that you could think of, having to fix that 20 times in a day. It wasn't really our problem (games and multimedia) but they didn't have anywhere else for them to go.
Ok, so that said, I couldn't imagine what a seperate company would get in terms of support when trying to, lets say, integrate passport into thier website. I was representing myself as a Microsoft employee and I couldn't really find anyone to help fix problems with passport, and I was access to the full MSKB (one of the cool things they have, even if it is all just text)Eventually we got some tools towards the end of my days that we could look up what account was tied to what passport, but it really didn't matter much because all the problems we had with it were pretty much taken care of. As a side note, if you were to call them up today, you would be talking to someone in India.
Last year we took on a Windows programming contract, so I went ahead and bought an MSDN subscription. In order to log into the online stuff I needed a .Net passport, and this required an email address.
The address I gave had been around for 3 years and had never received more than a couple of spam messages a week. Within 24 hours of getting the .Net passport that email address was getting over 20 spams a day, and it has grown significantly since then. (Thank goodness it wasn't my primary email account!)
Conclusion: either the passport user list is being sold, or security is nonexistent. Either way this is not a system anyone sane person would subscribe to!
Time to clear this up.
1) Liberty Alliance protocols aren't about setting up a single auth provider that the world uses to authenticate you: It's a way of businesses and sites to create an agreement to allow each other to cross-login, or to support logins from foreign systems. Any site wishing to turn its login system into an Identity Provider is free to do so - other sites can then use that federated identity.
2) Liberty Alliance protocols don't require that one central identity hold all information. Each service provider has a local account which can hold information specific to that service without requiring your private information to be shared indiscriminately.
You can Liberty-enable a set of websites today. This can be done transparently to users, and is about businesses sharing sign-ons and authentication information without actually having to share your data. Site X doesn't need to have your account information, or your password; it can find out from the identity provider enough information to know whether you've been authenticated, or direct you over to them to authenticate safely.
Read the docs, folks. It's not Passport. It's not even really *like* passport, in its intended use. It's real, it's implementable, it serves a real purpose, and it's going to be BIG.
-- A mind is a terrible thing.