Microsoft Opens Up Windows Live ID 212
randommsdev writes "Microsoft has announced the release of Windows Live ID Web Authentication. This means that WLID (formerly known as Passport) is now opened to third party websites to use as their authentication system. Any Windows Live user can potentially log in to a website that implements Web Authentication. Interestingly sample implementations are available in the Ruby, Python, Perl, and PHP open source languages amongst others — tested on openSUSE 10.2 but expected to work on any platform that supports these languages. More details are available in the SDK documentation."
ATTN: Top-posting whores (Score:3, Funny)
Re:ATTN: Top-posting whores (Score:5, Funny)
Thanks!
Re:ATTN: Top-posting whores (Score:2, Informative)
Here, maybe. Go back a few years and you'll find that "top-posting" was (and is) used to describe someone who, in a newsgroup post, puts his or her own answer above the quote it responds to, making the discussion hard to follow by the quotes in one single post.
Re:ATTN: Top-posting whores (Score:2, Funny)
w00t! (Score:4, Funny)
Re:w00t! (Score:2)
Then I remembered that I was reading
How long (Score:5, Insightful)
Re:How long (Score:5, Informative)
Well there are safeguards for this now, and I am sure if it gets to be a problem like that was at one time, it will also get fixed.
Re:How long (Score:4, Insightful)
The safeguards only work if the user is paying attention. It only takes a fraction of a percent of people to click a 'log in here with your bank of america credentials to see if you have won a prize' link and the scammers can make a profit, and will keep on scamming.
Still... if you've got a way around this that is truly idiot proof, I'd like to hear it! The best thing I can come up with is that the banks themselves initiate the scam, and then send 'the boys' around to break the thumbs of anyone who falls for it, or otherwise punish the scammee (that's strange... my spell check says scammee isn't a valid word...).
Re:How long (Score:4, Insightful)
Re:How long (Score:2)
Re:How long (Score:5, Funny)
Re:How long (Score:2)
Re:How long (Score:2)
I've been thinking about it. My idea is that you would install an activeX control or java applet from MS. Websites that want to log you into your Live account would invoke this applet, which does all of the authentication client side, then returns only a token back to the website that called it. That token would contain only whatever information was deemed appropriate for them to have or need.
Of course nothing is fool proof. I'm sure the attack vector they'd use to try and break this scheme is to try to distribute fake applets, that don't really authenticate you, just report back your login info.
Re:How long (Score:2)
The signon form should only be on one secured site, not added to any site.
Re:How long (Score:4, Interesting)
Re:How long (Score:3, Funny)
Re:How long (Score:5, Insightful)
If a 'single sign-on' became everyone's only method of authenticating to anything, then it would make identity theft just too easy.
You can go to extreme lengths to protect all the sign-on pages in the world, but as long as there are people who will click on a 'your account will be deleted in 2 days unless you go to http://i.am.going.to.steal.your.identity.com/veri
I can't think of any way of preventing that problem without there still being the possibility of a "man in the middle" attack...
Re:How long (Score:2, Informative)
Re:How long (Score:2)
Don't get me wrong, two factor authentication is a good idea, it solves a lot of problems completely (eg if someone is stupid enough to give away their password), and minimizes many others. But man-in-the-middle attacks are not really very well addressed. The _only_ way I can think of for the second factor to completely solve all the problems is that if it is a device that you connect to the network, and it establishes a secure session between the end points, and that you enter your password into it. And i wouldn't be surprised if someone found a hole in that!
Re:How long (Score:3, Informative)
Another way is to use a cryptographic challenge-response authentication, with the relying site's URL hashed into the challenge.
Since the relying site never actually receives the secret key used to create the response, phishing sites gain nothing useful when they prompt the user for authentication. And since the site the user is authenticating to is hashed into the challenge (by an authentication tool on the user's machine, not by the relying site), a response give to a phishing page will not provide access to the legitimate site it's pretending to be.
A more flexible way is the approach taken by OpenID: The relying site redirects you to your real authentication site (the one that provides the OpenID service, which may be a personal site) to enter your authentication credentials. The OpenID auth site then redirects you back to the relying site. Assuming you know enough to check the URL in the location bar, you can be sure that you're not giving your credentials to a phishing site.
Since a real relying site will always contact the OpenID provider directly, and give it the correct URL for the second redirect, a phishing site may initiate the process but will get cut out of the loop when the OpenID site redirects the user to the real site. At present, most OpenID implementations provide fairly weak security, but that's not an inherent weakness of the protocol.
Both of these approaches ultimately rely on the integrity of DNS, unfortunately, so they can be subverted by spoofing DNS. Fortunately, that's a much harder thing to do than to put up a phishing site and send spam to get users to visit it, so either option is a net security gain.
Re:How long (Score:2)
Re:How long (Score:3, Informative)
Re:How long (Score:2, Informative)
Re:How long (Score:4, Funny)
Just sign into http://paypalhardware.com/ [paypalhardware.com] with your credentials and they will send one out to you
Re:How long (Score:5, Insightful)
Secondly, as far as identity theft is concerned, my email accounts are already single points for attack. Once you have the email, the password recovery services will do your bidding. A single-identity-solution allows you to just shift this from email to some server which was created to keep and handle this data. Whats more you could be the one setting up that server... (not in the ms case but in the case of openid).
So, on the whole, single sign ons can work and openid hopefully will. I dont even want to rtfa. If I cant decide who keeps my username password for my single signon, I am just not interested.
Re:erf revisited (Score:3, Informative)
You should look into OpenID. It's a simple but very powerful concept, and well worth your time.
OpenID is open both with respect to the choice of authentication server (you can pick any one you want, including running your own if you prefer), and with respect to the choice of authentication technology. In a nutshell, the way it works is that if site A wants to authenticate you, you enter your OpenID, which looks like "username.hostname", where hostname is the name of the OpenID provider server. Call that site B. First A contacts B directly and establishes a shared secret. Next, A redirects your browser to B, where you authenticate yourself. The mechanism you use for authentication is between you and B. Generally it's a password, but it could be any authentication mechanism you want, with as many factors as you want. After you've authenticated yourself and indicated that you trust A (the URL is displayed, which is a mild anti-phishing protection), B redirects you back to A, with the user identity and the shared secret embedded in the URL so that A can verify that you were authenticated.
There's quite a bit more to it than that, and it even includes mechanisms for delegating OpenID service, using XRIs to protect against OpenID services whose domain names are taken over, etc., but that's the basic idea.
Re:How long (Score:2)
Re:How long (Score:2)
I use... lemme estimate the count... somewhere around 50 different passwords, with little to remember.
All you need is any mapping you remember anyway. For me, that's ASCII codes, names of Doom2 levels, etc, but for you it could be for example episode names of Star Trek (bleh), or even, horrors, results of 1976 baseball league. Everyone has something of this kind.
Next, pick a scheme of turning account/host names into the domain of your mapping.
Then, do the same for turning the mapping's codomain into short strings.
This does have a potential vulnerability of letting an attacker guess the scheme if he intercepts several of your passwords and the scheme itself is very obvious, but hey, that's a whole world harder than learning a single password and using it to get a good part of your accounts. And I don't use the main scheme for accounts I don't give a damn about.
Re:How long (Score:2)
I'm not sure I do have "something of this kind", not being a sufferer of OCD. However, the idea intrigues.
What do you mean when you say "a scheme of turning the account/hostnames into the domain of your mapping". Can you give me an example? I'd like to try this.
Re:How long (Score:2)
In fact, any http://en.wikipedia.org/wiki/Hash_function [slashdot.org] will work. I named ASCII codes and Doom2 levels because they're something I know by heart; I suck at factorizing so it would take me longer. And I don't want to ever spend more than 10 seconds trying to remember a password I didn't use for a while. This is not an issue for ones you type in frequently as they'll be "cached" in your fingers' memory, though.
Producing the input for your hash function can be trickier, though. In some cases like ASCII codes it's trivial -- take 3rd and 5th letter of the hostname, turn them to their ASCII codes, mangle the numbers somewhat and you're done -- like: hostname="flame" => 97, 101 => "!97a101a". The final rule was: prepend with '!'s to get three digits, add "a" for odd codes, "b" for even ones.
This particular scheme isn't too secure; it resembles one of my early ones. The weakness here is that someone who intercepts one or two of these can guess what to brute force, needing only 16-18 bits of work; it's obvious how to close this hole.
Now, while my passwords are not the ones you get from "pwgen -s", at least I can actually "remember" all of them without being superhuman.
Re:How long (Score:2, Insightful)
It's a pity that OpenID somehow doesn't take off as many expected and I don't think a Microsoft solution will either. Google comes to mind as one company that could probably do it successfully.
Re:How long (Score:2)
Re:How long (Score:5, Informative)
It doesn't matter so much, it's not like MS WLID, formerly known as MS Passport can ever be made secure. It's fundamentally flawed from the design [avirubin.com].
However, all the bad press was about MS Passport, so a simple name change and, Voila, no bad press about the product. Palladium was sanitize the same way.
Re:How long (Score:2)
Re:How long (Score:2)
We found out something is broken, they fixed it the same day but we still believe it is broken. Wow!
Only thing I found interesting in that article was the 3DES encryption thing. Passport could use per-client key but did TFA say it should be assigned to user's address, IP address? I get dynamic IP address from ISP so if keys would be assigned to my IP address and ISP's DHCP server decides to change my address wouldn't I be force to reauthenticate?
Other attack mechanism aren't solely entangled to Passport. If attacker gets his computer to act as man-in-the-middle or is able to attack name server(s) you are basically screwed anyway. Same goes if attacker is able to attack the actual server (Passport or business server).
But there's easier way to get user's information, I think. Just release email-worm which says "cool emoticons for you Messenger/Skype/whatever" and you have 1000000 teenagers downloading your trojan EXE the next day :) I've cleaned up couple of computers infected this way. It is pretty efficient attack and enables attacker to do lot's of kind nasty things at least on Windows 98/ME/2K/XP.
But should we start crusade against every goddamn software which is subject of somekind of security hole, not matter how abstract or theoritical? Don't get me wrong, security holes are bad but if we decide that attacking DNS server is compromising Passport, then we could ban all the web browsers also.
Re:How long (Score:2)
Nice strawman. WLID (formerly known as MS Passport) is not just any random piece of shit. It's a piece of shit being marketed as a core security component -- authentication. So, no, in answer to your question. Sure some things were "fixed" but the fundamental design flaws remain.
Furthermore, since M$ still maintains a monopoly on desktop systems and has been found on many occasions to have been illegally leveraging that monopoly to break into a new market, the risk of WLID spreading is actually rather high. If the stats at NetCraft are anything close to reliable, then M$ would be able to leverage the IIS install base.
It's much easier than that (Score:5, Insightful)
So, first check you should do whenever you're logging into a page is what? That's right, check the url. "http://login.live.com/login.srf?wa=wsignin1.0&rp
This page has none of those things. Well done Microsoft.
Oh, but it gets better. There's this link that says "Use enhanced security". I would have thought that "enhanced" security was a sensible default, silly me. It's not underlined, so you don't know it is a link until you hover your mouse over it, but it will take you to a https:/// [https] page. Of course, the certificate it offers you is not for login.live.com, it's for graphics.hotmail.com. If you accept this certificate then you are basically saying that you're ok with trusting this data that didn't come from graphics.hotmail.com as if it did come from graphics.hotmail.com. Just for the hell of it, let's fire up this "enhanced security" page in IE and see what happens. Oh.. I see. We get no warnings. In fact, if we double click on the padlock we see that the certificate now IS for live.login.com. Hmm, what's going on here. Ahh, I see, half the content on this page didn't come from live.login.com, it came from graphics.hotmail.com.. so this isn't a secure site *at all*, it's a mixed domain site and IE's pitiful support for multiple certificates on a single page is happy to just ignore this (and doesn't even warn you).
XSS anyone?
Re:It's much easier than that (Score:4, Interesting)
OpenID got this right. (Score:3, Informative)
Re:It's much easier than that (Score:2)
It is full of L, I and O letters which can be easily replaced by ones and zeroes to create look-a-like URLs.
Re:It's much easier than that (Score:4, Insightful)
Re:It's much easier than that (Score:2)
Re:How long (Score:2)
All these partner sites must display a "Genuine Live" hologram GIF image.
Beat that!
Got it backwards. (Score:2, Interesting)
before semi-intelligent people weren't going to enter their passport ID into non-MS websites, but now... I bet a lot more corporate keys get exposed this way as passport is the keys to your Enterprise Licensing kingdom.
Hmmm, massive FUD has much inertia. First, intelligent people have known for a long time not to trust M$ with anything. This has harmed the online economy, but that's a different story. If the 25% prevalence of keyloggers is not enough, a rogue site has been able to harvest Passport IDs forever, because IE can be resized, reshaped and made to look like whatever the rogue site wants it to. Firefox puts a stop to menu hiding and resizes, but Mozilla.org can't save you from a key logger.
Re:How long (Score:2)
I don't care if it's Microsoft, Google, Apple, or some nerd's basement server, but please, please SOMEBODY make a single sign-on that sites actually use, so I can use it for casual things. I'm goddamned sick of every goddamned forum on the entire Internet asking me to create an account and sign in before doing crap. You can't even read comments on IMDB now without registering and making some moronic account.
I have thousands of petty little accounts on blogs, on news sites, on wikipedia and IMDB-- all with the same username/password combination. Single sign-on, PLEASE!
Phishing? (Score:2, Redundant)
Re:Phishing? (Score:2, Informative)
Re:Phishing? (Score:2)
No License? (Score:5, Informative)
Re:No License? (Score:5, Insightful)
Copyright (c) 2007 Microsoft Corporation. All Rights Reserved.
and yeah, no license. So I guess implicitly you're not allowed to redistribute it at all.
just read the ToU (Score:5, Informative)
Re:just read the ToU (Score:2)
Re:just read the ToU (Score:2)
Re:just read the ToU (Score:2)
Re:just read the ToU (Score:2)
Seems like even the lawyers get confused by the whole copyright/license thing when it comes to open source.
Re:just read the ToU (Score:2)
Copyright is intentionally designed that way.
Re:just read the ToU (Score:2)
Intentions & assumptions don't count in court. (Score:2)
Now we can all use Windows security - via the web! (Score:5, Funny)
Article placement (Score:5, Interesting)
Is it just me, or does placing this article directly above the Diebold rebranding article make you think of a theme common to both? Company loses credibility. Keeps trying to regain it, but still doesn't grok that you can't just make it *look* like you've changed your spots. You actually have to change your behavior, and regaining credibility takes a lot longer than destroying it does.
Re:Article placement (Score:2)
Only to people who pay attention.
You noticed this because it's tech. You don't notice most of the thousands of times it happens elsewhere [usatoday.com].
CardSpace? (Score:2, Interesting)
Re:CardSpace? (Score:3, Insightful)
Re:CardSpace? (Score:2)
AFAICT from the docs and the code they've just released, there's no way for a third party to get any information about you from Live (e.g. email, name) even if you want to give it to them to speed up sign-up for example. Cardspace does allow that, configurable by the user, and so is the better solution for both you and the third party sites anyway. In fact the login page doesn't look very professional to me - the sort of thing you'd use on your blog maybe but not on your ecommerce site.
Uh, what? (Score:3, Informative)
-matthew
Re:Uh, what? (Score:2)
I had to get Passport for my job (Score:2, Troll)
Part of the registration process was that I was required to get a Passport ID. I felt like I'd just sold my soul to The Devil just to get a paycheck.
Re:Uh, what? (Score:2)
Of course, since you didn't provide a source, and I have no idea what problem you believe needs fixing, I have no way of checking.
OpenID (Score:5, Insightful)
I'd prefer to see the rise of OpenID [openid.net]. Now if Microsoft gave you an OpenID authentication point with your LiveID (preferably with something simple, like adding the OpenID <link> tags to login.live.com or even just live.com), that would be a feature worth using and supporting. And wouldn't require changing the sites that already support OpenID, including, AFAIK, the SixApart family of blogs.
With modern technology, diverse applications are a good thing (healthier market and better apps from consumer selection). Information, however, is more useful the more widely it can be read and used. Unless you are specifically trying to hide something.
Unfortunately, like Live ID, there seems to be more OpenID providers than servers that use them for authentication.
Re:OpenID (Score:3, Insightful)
It is worth noting, that OpenID is a decentralized system, so you don't have to depend on single ID provider.
Why should anyone give a fsck? (Score:2)
Re:OpenID (Score:2)
Last time I checked, SixApart hadn't quite got the OpenID thing going; however there are many other people involved, some of who are much larger than them. AOL is the classic example (they openid.aol.com/username). There are gads of smaller independent websites and providers.
Oddly enough, Microsoft even promised to support OpenID, we'll see how that one panes out, but don't hold you breath, you might asphyxiate.
Re:OpenID (Score:2, Insightful)
My old single sign-on method (Score:5, Interesting)
I use 3 passwords for all sites I access mapping to 3 levels of trust. I try to use the same user id when possible :
Level 1 : risky
Level 2 : less risky
Level 3 : almost trustable
For sites that I really trust (banking, etc...) I use dedicated passwords. I, also, can forecast problems with a single sign-on scheme that would be more or less like giving away your social security number if hacked.
I have been working on this problematic before for big organizations and one conclusion we came up with was that we needed to re-use the old assembly language "indirection" principle, called pointers in higher level languages.
So basically, one has to be able to authenticate with multiples set of usernames/passwords combinations. Once the unique user is authenticated, the central authentication authority limits its role to just that, authenticating the user.
All authorization is managed by the local system that interacts with the user.
Do a search for MBUN on Google. In Canada, a user can have multiple MBUNs to deal with the government. This solution was implemented to cope with privacy concerns and still allow the citizen to deal with the government with the same level of privacy that was previously achieved with paper forms. Basically, what has been done is creating a mapping between the MBUN and the real userid and the choice has been given the citizen to have as many MBUN as he wishes to deal with the government.
Serious concerns should apply to too simplistic solutions ;-)
Now for all /. MS bashers to enjoy : Although a qualified partner in the project, none of MS products where used to implement the solution. Given the money and the visibility at stakes, this caused a commotion in Canada with MS canadian VP putting pressure on everybody to reverse the decision.
Hey Sam, your products are just too simplistic and too proprietary. Phone us next year please ;-) That was really funny, the guy just couldn't understand that Macdonald's like marketing techniques did not work in this case. I mean, they even flew us for a week to Redmond at the campus to try to brainwash us, but still no go for MS.
-ls
OpenID (Score:5, Informative)
Re:OpenID (Score:3, Interesting)
From a brief look, it seems considerably easier to implement and run; for clients, servers, and end users. I've had OpenID support on my webapp to-do list for months, and I'm considering implementing this in an afternoon. However, the fundemental design is worse :-/
OpenID could really do with a for-dummies API...
Re:OpenID (Score:3, Interesting)
Rich
Re:OpenID (Score:2)
Why? The consumer side of OpenID is very simple to implement. Not only that, if your webapp is built in PHP, Perl, C++, Java, Python, Ruby, C# or ColdFusion, there are libraries available that you can just drop in to handle it for you. Also, if you happen to use Plone or Drupal, OpenID support has already been added to your framework.
Re:OpenID (Score:2)
Re:OpenID (Score:2)
Just a guess.
System Requirements (Score:5, Funny)
How's the wheather in hell these days?
Why am I not convinced? (Score:2, Insightful)
Re:Why am I not convinced? (Score:2)
This is bad news (Score:2)
1. Competition between different standards.
2. Companies with profit motives pushing their own solutions.
It's like the whole HD-DVD vs BluRay issue. End users don't want to deal with choosing one or the other. It would be better for everyone if we could all just come together around one completely open standard.
The standard with the most momentum seems to be OpenID. I hope that a few years from now, I'll be using it for most of my web logins.
Re:This is bad news (Score:2)
Microsoft are collaborating with OpenID [identityblog.com] on support for Information Cards (a.k.a. Cardspace).
Why? (Score:3, Insightful)
Terms of Use (Score:3, Insightful)
The concept never convinced me (Score:3, Interesting)
MS ignores Python style guide (Score:3, Interesting)
Bring it on! Not! (Score:2)
Tears to my eye. (Score:2)
System Requirements
How far have we come?
MS adapts to market (Score:2)
The important thing to remember about corporations is that they're not evil. They're realpolitik. Their only goal is to make their stock price rise, so their stockholders go home happy. Stockholders are people like you and me who've bought Microsoft stock and want to make money off of it.
F/OSS is people power, which should come out and admit that it is opposed to this system. It's not anti-capitalism, but it is anti-capitalism, in its own way. I don't think it means bad by this. I compare it more to the volunteers who spend more time than most people do at day jobs to help their communities. But even that is insane from a capitalist perspective, since they could be getting $$$ for that time.
Uh... OpenID? (Score:2)
Re:So what? (Score:5, Insightful)
Re:So what? (Score:5, Insightful)
Re:Love that Ruby. (Score:2)
Re:I think... (Score:2)
Re:Passport used to be open (Score:2)
This is essentially no-cost but (as I've posted above) it doesn't look very professional to me - I think it's more suited to blogs login than corporate app login.
Re:Typical MS! (Score:2)