Microsoft Opens Up Windows Live ID

randommsdev writes "Microsoft has announced the release of Windows Live ID Web Authentication. This means that WLID (formerly known as Passport) is now opened to third party websites to use as their authentication system. Any Windows Live user can potentially log in to a website that implements Web Authentication. Interestingly sample implementations are available in the Ruby, Python, Perl, and PHP open source languages amongst others — tested on openSUSE 10.2 but expected to work on any platform that supports these languages. More details are available in the SDK documentation."

Re:How long

[macbort]

Google and Yahoo have both been offering similar services for awhile now, I believe, and I don't remember hearing either of them having this problem. Not to say it couldn't happen, but I imagine they've thought about this situation and have accounted for it somehow.

Got it backwards.

[twitter]

before semi-intelligent people weren't going to enter their passport ID into non-MS websites, but now... I bet a lot more corporate keys get exposed this way as passport is the keys to your Enterprise Licensing kingdom.

Hmmm, massive FUD has much inertia. First, intelligent people have known for a long time not to trust M$ with anything. This has harmed the online economy, but that's a different story. If the 25% prevalence of keyloggers is not enough, a rogue site has been able to harvest Passport IDs forever, because IE can be resized, reshaped and made to look like whatever the rogue site wants it to. Firefox puts a stop to menu hiding and resizes, but Mozilla.org can't save you from a key logger.

Article placement

[Infonaut]

Is it just me, or does placing this article directly above the Diebold rebranding article make you think of a theme common to both? Company loses credibility. Keeps trying to regain it, but still doesn't grok that you can't just make it *look* like you've changed your spots. You actually have to change your behavior, and regaining credibility takes a lot longer than destroying it does.

CardSpace?

[ZSO]

Does this mean they've given up on CardSpace, which is built into Vista right now? I thought it was a much better solution to the need for single sign-on. Check out thechannel9 video.

My old single sign-on method

[ls671]

I use 3 passwords for all sites I access mapping to 3 levels of trust. I try to use the same user id when possible :

Level 1 : risky

Level 2 : less risky

Level 3 : almost trustable

For sites that I really trust (banking, etc...) I use dedicated passwords. I, also, can forecast problems with a single sign-on scheme that would be more or less like giving away your social security number if hacked.

I have been working on this problematic before for big organizations and one conclusion we came up with was that we needed to re-use the old assembly language "indirection" principle, called pointers in higher level languages.

So basically, one has to be able to authenticate with multiples set of usernames/passwords combinations. Once the unique user is authenticated, the central authentication authority limits its role to just that, authenticating the user.

All authorization is managed by the local system that interacts with the user.

Do a search for MBUN on Google. In Canada, a user can have multiple MBUNs to deal with the government. This solution was implemented to cope with privacy concerns and still allow the citizen to deal with the government with the same level of privacy that was previously achieved with paper forms. Basically, what has been done is creating a mapping between the MBUN and the real userid and the choice has been given the citizen to have as many MBUN as he wishes to deal with the government.

Serious concerns should apply to too simplistic solutions ;-) Now for all /. MS bashers to enjoy : Although a qualified partner in the project, none of MS products where used to implement the solution. Given the money and the visibility at stakes, this caused a commotion in Canada with MS canadian VP putting pressure on everybody to reverse the decision.

Hey Sam, your products are just too simplistic and too proprietary. Phone us next year please ;-) That was really funny, the guy just couldn't understand that Macdonald's like marketing techniques did not work in this case. I mean, they even flew us for a week to Redmond at the campus to try to brainwash us, but still no go for MS.

-ls

Re:OpenID

[shish]

From a brief look, it seems considerably easier to implement and run; for clients, servers, and end users. I've had OpenID support on my webapp to-do list for months, and I'm considering implementing this in an afternoon. However, the fundemental design is worse :-/

OpenID could really do with a for-dummies API...

Re:It's much easier than that

[discHead]

You forgot the part about keeping a sharply-peeled eye and making sure you are being served by live.com and not 1ive.com (with a numeral 1).

Re:OpenID

[4thAce]

I hope that it could be one of the supported URL-based identity protocols under Yadis too.

Rich

The concept never convinced me

[mrjb]

The 'one password for everything' concept is fundamentally broken. It is like having one key for everything you own- your house, your car. During a vacation, I *want* to be able to give the housekeeper access to my house, but I also want to *prevent* her from going for a joyride in my brand new expensive car. The fact that I have neither a housekeeper nor a brand new expensive car is a minor detail.

MS ignores Python style guide

[abecede]

It is just sad to read the Python implementation of this functionality. Almost nothing is written according to the Python Style Guide. Weird "__foo"-variables can be found, then it's not Python2.3 compliant because of ONE silly "staticmethod", many "getters" and "setters" which are just useless in this script. If MS wants to show their code to the scripting community, they should at least make it pretty and according to the language's coding standards. But maybe that is their understanding of "pretty". Who knows.