Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Opens Up Windows Live ID

Posted by CowboyNeal on from the ready-for-the-masses dept.

randommsdev writes "Microsoft has announced the release of Windows Live ID Web Authentication. This means that WLID (formerly known as Passport) is now opened to third party websites to use as their authentication system. Any Windows Live user can potentially log in to a website that implements Web Authentication. Interestingly sample implementations are available in the Ruby, Python, Perl, and PHP open source languages amongst others — tested on openSUSE 10.2 but expected to work on any platform that supports these languages. More details are available in the SDK documentation."

10 of 212 comments (clear)

  1. Re:So what? by pembo13 · · Score: 5, Insightful

    They changed the name

    --
    "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
  2. Re:How long by jamesh · · Score: 5, Insightful

    I would love to have a 'single sign-on' and forever forget the hassle of remembering and entering passwords, but the flaw you mention and many others mean I don't think it will ever work. The value of pwning someone's 'single sign-on' code (whether it is Microsoft or some other solution) is just too high.

    If a 'single sign-on' became everyone's only method of authenticating to anything, then it would make identity theft just too easy.

    You can go to extreme lengths to protect all the sign-on pages in the world, but as long as there are people who will click on a 'your account will be deleted in 2 days unless you go to http://i.am.going.to.steal.your.identity.com/verif y.php' link in an email, none of it matters.

    I can't think of any way of preventing that problem without there still being the possibility of a "man in the middle" attack...

  3. Re:How long by SgtChaireBourne · · Score: 5, Informative

    [How long] Until the first site with a fake passport login form shows up? ...

    It doesn't matter so much, it's not like MS WLID, formerly known as MS Passport can ever be made secure. It's fundamentally flawed from the design.

    However, all the bad press was about MS Passport, so a simple name change and, Voila, no bad press about the product. Palladium was sanitize the same way.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  4. It's much easier than that by QuantumG · · Score: 5, Insightful

    Go to Hotmail. You will see that Hotmail now requires you to login with Windows Live ID. Now, take a look at this page. It's a login page. They want you to enter your ID and your password. This is what gives you access to all the different services that are currently integrated with Windows Live ID, and will be integrated in the future. It's basically your "master password". Thing I'm trying to stress here: you shouldn't just give this out to anyone who asks. Ok, you get the idea.

    So, first check you should do whenever you're logging into a page is what? That's right, check the url. "http://login.live.com/login.srf?wa=wsignin1.0&rps nv=10&c...." etc. Great, login.live.com, that's what I expect. Cool. Ok, so what's the second thing I should check? Anyone? Come on, it's web password security 101 here people. What do I need to check before I enter a login/password on a web site? That's right.. I need to check I'm on an SSL secured page. The url should start with what? https right? And I should look for the little lock in my browser window.. and if I'm feeling especially paranoid I should check the security certificate to see whether or not it is valid, not expired, and for the site that I am expecting.

    This page has none of those things. Well done Microsoft.

    Oh, but it gets better. There's this link that says "Use enhanced security". I would have thought that "enhanced" security was a sensible default, silly me. It's not underlined, so you don't know it is a link until you hover your mouse over it, but it will take you to a https:/// page. Of course, the certificate it offers you is not for login.live.com, it's for graphics.hotmail.com. If you accept this certificate then you are basically saying that you're ok with trusting this data that didn't come from graphics.hotmail.com as if it did come from graphics.hotmail.com. Just for the hell of it, let's fire up this "enhanced security" page in IE and see what happens. Oh.. I see. We get no warnings. In fact, if we double click on the padlock we see that the certificate now IS for live.login.com. Hmm, what's going on here. Ahh, I see, half the content on this page didn't come from live.login.com, it came from graphics.hotmail.com.. so this isn't a secure site *at all*, it's a mixed domain site and IE's pitiful support for multiple certificates on a single page is happy to just ignore this (and doesn't even warn you).

    XSS anyone?

    --
    How we know is more important than what we know.
  5. OpenID by jediknil · · Score: 5, Insightful

    I'd prefer to see the rise of OpenID. Now if Microsoft gave you an OpenID authentication point with your LiveID (preferably with something simple, like adding the OpenID <link> tags to login.live.com or even just live.com), that would be a feature worth using and supporting. And wouldn't require changing the sites that already support OpenID, including, AFAIK, the SixApart family of blogs.

    With modern technology, diverse applications are a good thing (healthier market and better apps from consumer selection). Information, however, is more useful the more widely it can be read and used. Unless you are specifically trying to hide something.

    Unfortunately, like Live ID, there seems to be more OpenID providers than servers that use them for authentication.

  6. My old single sign-on method by ls671 · · Score: 5, Interesting

    I use 3 passwords for all sites I access mapping to 3 levels of trust. I try to use the same user id when possible :

    Level 1 : risky

    Level 2 : less risky

    Level 3 : almost trustable

    For sites that I really trust (banking, etc...) I use dedicated passwords. I, also, can forecast problems with a single sign-on scheme that would be more or less like giving away your social security number if hacked.

    I have been working on this problematic before for big organizations and one conclusion we came up with was that we needed to re-use the old assembly language "indirection" principle, called pointers in higher level languages.

    So basically, one has to be able to authenticate with multiples set of usernames/passwords combinations. Once the unique user is authenticated, the central authentication authority limits its role to just that, authenticating the user.

    All authorization is managed by the local system that interacts with the user.

    Do a search for MBUN on Google. In Canada, a user can have multiple MBUNs to deal with the government. This solution was implemented to cope with privacy concerns and still allow the citizen to deal with the government with the same level of privacy that was previously achieved with paper forms. Basically, what has been done is creating a mapping between the MBUN and the real userid and the choice has been given the citizen to have as many MBUN as he wishes to deal with the government.

    Serious concerns should apply to too simplistic solutions ;-) Now for all /. MS bashers to enjoy : Although a qualified partner in the project, none of MS products where used to implement the solution. Given the money and the visibility at stakes, this caused a commotion in Canada with MS canadian VP putting pressure on everybody to reverse the decision.

    Hey Sam, your products are just too simplistic and too proprietary. Phone us next year please ;-) That was really funny, the guy just couldn't understand that Macdonald's like marketing techniques did not work in this case. I mean, they even flew us for a week to Redmond at the campus to try to brainwash us, but still no go for MS.

    -ls

    --
    Everything I write is lies, read between the lines.
  7. Re:ATTN: Top-posting whores by Anonymous Coward · · Score: 5, Funny
    What is top posting?

    Thanks!

    Put your comments below this one.
  8. System Requirements by iovar · · Score: 5, Funny
    From: http://www.microsoft.com/downloads/details.aspx?Fa milyId=8BA187E5-3630-437D-AFDF-59AB699A483D&displa ylang=en

    Supported Operating Systems: Linux; Windows Vista; Windows XP
    How's the wheather in hell these days?
    --
    http://recordmydesktop.iovar.org
  9. Re:How long by baboonlogic · · Score: 5, Insightful

    There is nothing in a single sign on system to force you to use only one id. Using openid and the few sites that actually allow you to use it, I have already brought down my username password combos needed from about 10 to 2. So I can decrease the number of sign ons with systems like openid.

    Secondly, as far as identity theft is concerned, my email accounts are already single points for attack. Once you have the email, the password recovery services will do your bidding. A single-identity-solution allows you to just shift this from email to some server which was created to keep and handle this data. Whats more you could be the one setting up that server... (not in the ms case but in the case of openid).

    So, on the whole, single sign ons can work and openid hopefully will. I dont even want to rtfa. If I cant decide who keeps my username password for my single signon, I am just not interested.

  10. Re:How long by hawkinspeter · · Score: 5, Funny

    Whenever I've gone to a bank, they just wear suits and business clothes. Why is the wardrobe department involved with this? I'm confused.

    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe