Slashdot Mirror


Microsoft Loses Passport

nikkoslack copies and pastes: "Microsoft is abandoning one of its most controversial attempts to dominate the Internet after rival companies banded together to oppose it and consumers failed to embrace it. The Redmond software company said Wednesday it would stop trying to persuade Web sites to use its Passport service, which stores consumers' credit-card and other information as Internet users surf from place to place."

12 of 271 comments

  1. It's often implemented without https by HawkinsD · · Score: 5, Informative

    Thank God.

    I realize that it's probably the fault of the implementer, and not the technology, but I can't tell you how many times I've supplied my password to a page that was rendered without https.

    So I had to get two Passport accounts: one for secure things, like my MSDN account, and one for things that I didn't care who stole my password for.

    --
    Never attribute to malice that which can be explained by mere idiocy.
    1. Re:It's often implemented without https by Dr.+Evil · · Score: 5, Informative

      Often the page is sent in the clear, but the submit action is an https link.

      Not that I think that such behaviour is good practice... just that it might very well have been encrypted.

    2. Re:It's often implemented without https by Dwonis · · Score: 2, Informative
      If I submit a form with information to https://blah.com/secret.cgi?this=password;that=por no I can still see where that traffic went because the ssl transaction hasn't started yet.

      I think you're thinking of the subject line of encrypted email messages. In HTTPS, SSL negotiation happens as soon as the TCP connection is established, i.e. before requests are made.

  2. Not Totally Abandoned by p0 · · Score: 5, Informative

    Microsoft will still use Passport for MSN services like Hotmail.

    --
    This is my sig. There are thousands more, but this one is mine.
  3. Re:no trust... no passport by jcr · · Score: 2, Informative

    I'd say that Passport's failure has much more to do with web sites realizing that Passport really didn't offer them much, and cost them quite a bit.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  4. Re:A few years down the line ... by finkployd · · Score: 4, Informative

    You don't really know much about Liberty Alliance, do you? It is a federated identity management service, using OASIS's SAML to assert authentication status and attributes, not like Passport's "store everything in one place" service.

    It is also licensed such that MS cannot modify or extend it in a way that is interoperable with the spec (which would make it useless anyway).

    Finkployd

  5. Misconceptions by RupW · · Score: 5, Informative
    The Redmond software company said Wednesday it would stop trying to persuade Web sites to use its Passport service, which stores consumers' credit-card and other information as Internet users surf from place to place."

    • Passport does not store your credit-card details any more. You had to opt in to passport's Wallet service to do this. Microsoft discontinued Wallet a long time ago.
    • You do not have to provide any personal details to Passport. If you do, you can refuse Passport permission to pass them on to other sites. In this case, all the end sites get is your 64-bit user ID.
    • End sites cannot store information in your Passport account. The API is one way only. To alter the details in your Passport you have to go to passport.net
    • Passport is a trusted third-party for authentication. You don't log into any passport-enabled site directly; they redirect you to a secure page on passport.net (often with some source-site branding) and Passport redirects you back to them once you've logged in.
    • Passport absolutely DOES NOT "store your passwords". A few people said this in the eBay story's comments (!). Come on people, we're supposed to be tech-savvy here.

    I'm almost sorry to see it go - it was a usable, simple to integrate single-sign-on with a big name, money and a fair critical mass behind it. Shame the entry price was so high.
  6. Re:Not surprising by ian13550 · · Score: 2, Informative

    Besides, there's no push for businesses to either adopt single-sign-on services, or for customers to want it.
    Businesses require flexibility when it comes to user authorisation and profiles that 3rd-party services cannot offer.


    Wow -- you really haven't been paying attention. Passport was AUTHENTICATION only (WHO you are) and not AUTHORIZATION (what you can ACCESS). Partner sites could always control what Passport users had access to.

    Also, there is a very real need for this type of technology. Case in point: Companies who partner/outsource various business functions to 3rd party providers. For example, my last company I worked for (*cough* Big 4 *cough*) had 3rd party providers for travel bookings, 401(k), etc. While they didn't use Passport, they implemented another technology solution to share AUTHENTICATION data with the partner site so that employees did not have to log in twice (or more) during their Session to complete their daily transactions.

    You'll also see this SSO/Affiliate/Federated technology being used to SSO people between different websites/infrastructures of HUGE corporations where each business unit is maintaining their own infrastructure and user stores. Hell, ATT/Cingular could create SSO between their two infrastructures using this -- same company (now) and 2 different systems.

    MS gave SSO a black-eye with Passport. Many, many, many different types of companies are looking to integrate authentication data between systems while still "owning" their user's data.

  7. Re:no trust... no passport by hugesmile · · Score: 3, Informative
    A friend of mine - yeah, that's it.. a friend - runs a website that has a registration process, whereby people create their own accounts and passwords. To my amazement (my friend tells me that...) the vast majority of users sign up and provide an email address and password that is obviously the same password used elsewhere around the internet. With this password, my friend can easily retrieve / delete people's email, access some paypal accounts, and sign into other common services around the net.

    Good thing my friend is ethical! I can't emphasize enough - USE A DIFFERENT PASSWORD FOR EACH WEBSITE, such that no DB Admin from one site can guess your other passwords!

  8. Re:what about liberty alliance? by lamona · · Score: 2, Informative

    Yes, according to their web site they are. And the Internet2 community (mainly universities) is developing a way for its users to interact anonymously with online sites that require an identity. It's called Shibboleth. The weak spot in "Shib" is that it relies on the university's LDAP server to determine your status, but the identity that goes out across the net is regenerated for each new use and is short-lived. This wouldn't work for purchases, but it can define you as a legitimate subscriber to a service once you have signed on.

    "If you build this technology, they will require it." David Sobel, CFP 2000

    --
    I just read /. for the amusing .sigs
  9. Re:A few years down the line ... by RupW · · Score: 2, Informative

    What do people refer to when they say "tin-foil hat"? Seriously, I don't know, and I found no definition of that jargon.

    Tin-foil hat article in Wikipedia.

  10. Re:no trust... no passport by happyemoticon · · Score: 2, Informative
    The customer, the one with no computer knowledge, faced a monopoly, he had no choice. And he would probably have followed the same path if he was presented alternatives. (Unix never focused on Joe Six-Pack; Mac did well but was more expensive). Until now, MS was the only choice for Mr. Customer.

    I would chalk up another thing: Most people 25-40 barely know what an operating system is, let alone know it is replaceable. Most people 14-25 aren't that far ahead. Since I've been using computers since I was 8, this comes as a shock to me, and I think it's something often overlooked by geeks.

    For example, even a rather computer-literate librarian I know thinks, "You buy a PC, it runs Windows; you buy a Mac, it runs MacOS; you buy a Sun server, it runs SunOS." When I started talking about FreeBSD and Linux, she looked at me as if I was talking about turning her Vespa into a dishwasher. They don't get that PCs are designed to be open, and all you have to do is write GRUB to the MBR, and it WILL boot up. This is one of the biggest challenges facing the open-source movement. Look at the sticker on my girlfriend's Dell: "Designed for Microsoft Windows XP," which in many respects is a fallacy, but customers often interpret it as "Designed ONLY for Microsoft."

    Computers are presented like a calculator, a typewriter, a gaming station, an Internet access point.

    Absolutely. (If you weren't a geek) you wouldn't think of an "operating system" with respect to your calculator, would you? How many computer users do you think know how an IC works? They're still operating from the abacus metaphor. And http://www.cryptonomicon.com/beginning.html has some good stuff in it regarding this kind of false metaphor.