Passport to Nowhere

prostoalex writes "CNET News.com.com talks about less than glamorous acceptance of Microsoft's single sign-on technology, .NET Passport. Being launched as a single sign-on service for online businesses and competing heavily with open Liberty Alliance project, which so far has produced just a large amount of PDF files, .NET Passport is considered a failure (although not by Microsoft). Turns out, high licensing fees, lack of simple implementation, security leaks and server downtime, were not acceptable to most of potential clients out there."

Favorite quote from TFA

[Liselle]

"Microsoft was kind of pushing Passport for a problem that didn't exist..."

I think that more or less hits the nail on the head. This is aside from the downtime issue, which is embarassing, and privacy issues, which are disturbing. On the privacy/downtime note, the Liberty Alliance may be vapor currently, but the idea of a "federated" system sounds much better to me. It's not a problem I have with Microsoft, rather it's a problem I have with giving all of my personal information to a single organization to put into a central respository.

No sir, that's bad sauce.

Re:Favorite quote from TFA

[TrentL]

I just use a dummy password for all those newspapers anyway. I let the browser remember it.

Oh, and I'm not a 65-year old CEO living in Ethiopia, but don't tell that to the Washington Post.

Personally..

[Caedar]

I never saw a need for .NET Passport in any way. Privacy issues aside, all Passport would achieve for the company using it is something they could already do with simpler, more secure, and less liable technologies already available to them.

Hmmm

[Anonymous+Crowhead]

Turns out, high licensing fees, lack of simple implementation, security leaks and server downtime

Yet they still buy windows...

Only used in hotmail

[sapped]

I actually created a passport login to see how many places they would use it and if it would be beneficial. Thus far I have only seen it used with Hotmail and on the MSN site. Have any others seen it used on other non-Microsoft sites?

Just PDF files?

[finkployd]

Liberty Alliance project, which so far has produced just large amount of PDF files

Which is all they intended to produce. Technically Liberty Alliance is a spec, not an implementation.

Now if you are asserting that there are no implementations, the SourceID people would probably disagree with that.

Finkployd

Concept Good, at first.

[jolyonr]

At first, the concept of a global authentication system seems great. We all have too many passwords to remember, the idea behind Passport seems great.

But in reality, there isn't anyone who is secure enough, trustworthy enough, powerful enough and smart enough to pull off a system that would work and would be trusted.

You need to have the strength and power to be able to build such a system, and with those, trust invariably goes out of the window.

So for now I'll keep all my passwords in my brain, and pay the price of my mistrust.

Jolyon

Too expensive

[truelight]

Passport has extremely high potential. I tried it out a while back... I went to Slate.com after signing up for a passport, and clicked the "Sign In" button. Now, I had never visited Slate, nor did they have any data on me prior to this. When I clicked "Sign In", that was it. I was registered. No filling out forms. No nothing. From a usability standpoint, Passport has tremendous potential.

With that said, the fees are absolutely horrendous. I checked it out - $1000/year for "small implementations", and $10000 for other. While I'm all for paying for a good solution, I can't see how having a single-sign-in solution on any website would generate $10000/year in profits.

I'm sure it would catch on like wildfire if they just lowered the fees to more manageble levels.

Oh, and buy paypal.

Re:No thanks

[AnotherBlackHat]

I like the concept of passport ...

The entire concept is flawed from the get-go.

If I wanted my passwords stored on a computer, then I might as well do away with them completely.

But assuming I did want to to store my passwords on a computer, I'd want them on my computer.

And if for some reason, I wanted to store them with a third party, I wouldn't want the storage to be a single sourced service.

And if was willing to accept a single sourced service, I still wouldn't want that source to be Microsoft.

And assuming you get past all of the above, you still need to convince the vendor that it's good for them too - and you'll need to convince a lot of them to make it worth while.

-- this is not a .sig

Re:What's .NET again?

[Gr8Apes]

.NET was originally a set of web services, then a service platform, then a server OS, then a set of services on a server OS, then a development platform, and, now, the most known .NET (because I think there's more than one, MS couldn't tell me for sure though) is the multiple language to bytecode platform/compiler.

Is it any surprise that .NET appears to be fading away? Anything that mucked up by schizophrenic marketing would have to be simply the best thing since the goose that laid gold eggs to survive. And MS's products are definitely not that. (that's not an opinion, see the recent virus outbreak reports for why - just about every major MS product's been hit in the last 6 months)

Re:Problem that doesn't exist big time...

[Jerf]

The idea of Single Sign-On is to put all of your eggs in one basket, then make sure it's a really good basket. Nobody trusts Microsoft to make that really good basket, but it doesn't mean that they're not trying to solve a real problem. It's a tricky one, because the trust factor is scary, and the stakes are very high.

The most recent Cryptogram has a highly relevant comment on this issue:

[Suppose t]here are 10 $100 piles, each secured by individual $200 security systems. They're all secure. There are another 10 $100 piles, each secured by individual $50 systems. They're all insecure.

Clearly something must be done.

One suggestion is to replace all the individual security systems by a single centralized system. The new system is much better than the ones being replaced; it's a $500 system.

Unfortunately, the new system won't provide more security. Under the old systems, 10 piles of money could be stolen at a cost of $50 per pile; an attacker would realize a total profit of $500. Under the new system, we have 20 $100 piles all secured by a single $500 system. An attacker now has an incentive to break that more-secure system, since he can steal $2000 by spending $500 -- a profit of $1500.

The problem is centralization. When individual security systems are combined in one centralized system, the incentive to break that new system is generally higher. Even though the centralized system may be harder to break than any of the individual systems, if it is easier to break than ALL of the individual systems, it may result in less security overall.

There is a security benefit to decentralized security.

Passport's Compeitors...

[LostCluster]

Passport has gotten a lot of bad press, but there's three other major single signon systems in circulation that nobody talks about...

AOL's ScreenName Service is used on all Time Warner web properties and partners, including AIM, the Netscape sites, all of the magazines they own and EA's Pogo games site.

Disney's Go Network may have failed as a portal, but every web domain Disney owns still redirects to a subdomain of go.com such as ABC.go.com and ESPN.go.com. Therefore, there's a full network of news content, e-mail, and a few shopping sites contained there, all of which are Disney-owned properties.

Yahoo also has a full "network" of sites within the Yahoo.com domain... e-mail, an IM client, games, shopping, and let's not forget there's a serach engine there too. Yahoo lets several partners have your entire account infomation simply by offering a one-click registration into a site such as WorldWinner.com from their games section.

So, while all the bad press is being aimed at MS... several just as invasive services have quietly gained power.