Microsoft Opens Up Windows Live ID

randommsdev writes "Microsoft has announced the release of Windows Live ID Web Authentication. This means that WLID (formerly known as Passport) is now opened to third party websites to use as their authentication system. Any Windows Live user can potentially log in to a website that implements Web Authentication. Interestingly sample implementations are available in the Ruby, Python, Perl, and PHP open source languages amongst others — tested on openSUSE 10.2 but expected to work on any platform that supports these languages. More details are available in the SDK documentation."

ATTN: Top-posting whores

[Anonymous Coward]

Put your comments below this one.
 

Re:ATTN: Top-posting whores

[Anonymous Coward]

What is top posting?

Thanks!

Put your comments below this one.

Re:

[laederkeps]

Top posting is when people intentially respond to a post that is close to the top in order to achieve higher visibility.

Here, maybe. Go back a few years and you'll find that "top-posting" was (and is) used to describe someone who, in a newsgroup post, puts his or her own answer above the quote it responds to, making the discussion hard to follow by the quotes in one single post.

Re:

[cbelle13013]

Why would anyone do that?

Top posting is when people intentially respond to a post that is close to the top in order to achieve higher visibility.

Here, maybe. Go back a few years and you'll find that "top-posting" was (and is) used to describe someone who, in a newsgroup post, puts his or her own answer above the quote it responds to, making the discussion hard to follow by the quotes in one single post.

w00t!

[doxology]

urls gone wlid!

Re:

[StarfishOne]

Intially I read "gurls gone wild" while scrolling down the page.

Then I remembered that I was reading /. with a sleepy head full of wishful thoughts...

How long

[afidel]

Until the first site with a fake passport login form shows up? I mean before semi-intelligent people weren't going to enter their passport ID into non-MS websites, but now... I bet a lot more corporate keys get exposed this way as passport is the keys to your Enterprise Licensing kingdom.

Re:How long

[smashin234]

This has been done many times in the past, and I am sure it will continue to happen. Most common were the times that people would set-up false bank of america websites and people would type in their account information....perfect set-up. What was even better was that these sites sometimes were set to bankofamrica.com or some slight variation of the site, so the common user would have no idea they were at the wrong site.

Well there are safeguards for this now, and I am sure if it gets to be a problem like that was at one time, it will also get fixed.

Re:How long

[jamesh]

Well there are safeguards for this now, and I am sure if it gets to be a problem like that was at one time, it will also get fixed.

The safeguards only work if the user is paying attention. It only takes a fraction of a percent of people to click a 'log in here with your bank of america credentials to see if you have won a prize' link and the scammers can make a profit, and will keep on scamming.

Still... if you've got a way around this that is truly idiot proof, I'd like to hear it! The best thing I can come up with is that the banks themselves initiate the scam, and then send 'the boys' around to break the thumbs of anyone who falls for it, or otherwise punish the scammee (that's strange... my spell check says scammee isn't a valid word...).

Re:How long

[arivanov]

'log in here with your bank of america credentials to see if you have won a prize'. As a matter of fact this is the latest and probably the most successfull class of phishing sites. The ruse is a "survey" on behalf of "Bank of America" or someone else. It is surprising how many people fall for it. The website has nothing to do with the bank, the addresses are not the bank ones, but none the less the consumer enters their credentials. As a results of many years of brainwashing by direct marketeers they now consider all this to be "business as usual".

Re:

[pe1chl]

But a reasonable bank would use multifactor authentication. Is the bank of america still relying on a simple username/password authentication? Then they deserve to become victim of such attacks.

Re:How long

[hawkinspeter]

Whenever I've gone to a bank, they just wear suits and business clothes. Why is the wardrobe department involved with this? I'm confused.

Re:

[Gazzonyx]

Or if your bank is stupid and has something insecure on it's secure website. Wachovia's Secure Site [wachovia.com] has had a broken SSL login for ages, and I've told them about it. I also told them that the problem was probably just some insecure javascript or something to that effect, and pleaded that they'd forward it to their tech. staff who would immediately know what the problem was and how to fix it. I got a canned response and no action has been taken. Not sure what to do besides check the cert. every time I lo

Re:

[jasen666]

Still... if you've got a way around this that is truly idiot proof, I'd like to hear it!

I've been thinking about it. My idea is that you would install an activeX control or java applet from MS. Websites that want to log you into your Live account would invoke this applet, which does all of the authentication client side, then returns only a token back to the website that called it. That token would contain only whatever information was deemed appropriate for them to have or need.

Of course nothing is foo

Re:

[Propaganda13]

This is a lot different. Before bankofamrica.com had to set up a website then send out email. Halfway smart people wouldn't click on the link because they'd be wondering why their bank is emailing them. Now, I can set up joesfreeporn.com with a fake sign-in. If you're used to going to a lot of sites(bobsfreeporn.com and mikesfreeporn.com), using the sign-in isn't going to throw up a red flag at all.

The signon form should only be on one secured site, not added to any site.

Re:How long

[macbort]

Google and Yahoo have both been offering similar services for awhile now, I believe, and I don't remember hearing either of them having this problem. Not to say it couldn't happen, but I imagine they've thought about this situation and have accounted for it somehow.

Re:

[mgblst]

Oh, ok, I guess everything is alright then. They have probably thought of all the problems, and everything will be fine, thanks macbort. How foolish of us to question something like this! Moron.

Re:How long

[jamesh]

I would love to have a 'single sign-on' and forever forget the hassle of remembering and entering passwords, but the flaw you mention and many others mean I don't think it will ever work. The value of pwning someone's 'single sign-on' code (whether it is Microsoft or some other solution) is just too high.

If a 'single sign-on' became everyone's only method of authenticating to anything, then it would make identity theft just too easy.

You can go to extreme lengths to protect all the sign-on pages in the world, but as long as there are people who will click on a 'your account will be deleted in 2 days unless you go to http://i.am.going.to.steal.your.identity.com/verif y.php [identity.com]' link in an email, none of it matters.

I can't think of any way of preventing that problem without there still being the possibility of a "man in the middle" attack...

Re:

[JonathanR]

Two Factor [wikipedia.org] authentication using a security token (like the RSA SecurID tokens).

Re:

[jamesh]

That prevents the re-use of your credentials, but doesn't stop a phishing site from grabbing them and using them there and then. And, given the idea of 'single sign-on', they could still do a lot of damage with a single authenticated session.

Don't get me wrong, two factor authentication is a good idea, it solves a lot of problems completely (eg if someone is stupid enough to give away their password), and minimizes many others. But man-in-the-middle attacks are not really very well addressed. The _only_ way

Re:

[swillden]

The _only_ way I can think of for the second factor to completely solve all the problems is that if it is a device that you connect to the network, and it establishes a secure session between the end points

Another way is to use a cryptographic challenge-response authentication, with the relying site's URL hashed into the challenge.

Since the relying site never actually receives the secret key used to create the response, phishing sites gain nothing useful when they prompt the user for authentication. And since the site the user is authenticating to is hashed into the challenge (by an authentication tool on the user's machine, not by the relying site), a response give to a phishing page will not provide ac

Re:

[swillden]

Sorry to reply to myself, but I just noticed that I described OpenID inaccurately. The relying site does not give the redirect_to URL to the OpenID site directly, the user's browser does. However, the data block passed back to the relying site by the OpenID site contains the redirect_to URL, signed by that shared secret. So a phishing site can't play man-in-the-middle with your bank and your OpenID provider, because the phishing site can't alter the redirect_to URL without invalidating the signature and

Re:

[jombeewoof]

Software tokens are terrible, they fail much more often than not. SecurID tokens are the best thing to happen to computers since parc. The greatest thing is the simplicity, a random number shot through an algorithm changed every 60 seconds. If the numbers don't match you don't get in. They're simple to resync if the two sides fall out of skew. And reasonably difficult to counterfeit. In a few years(decades) the price will come down and you'll have one of these for just about everything. Your bank, your job

Re:

[Scruffy Dan]

paypal already offers one for only 5 bucks

Re:How long

[LiquidCoooled]

You are right.
Just sign into http://paypalhardware.com/ [paypalhardware.com] with your credentials and they will send one out to you :)

Re:How long

[baboonlogic]

There is nothing in a single sign on system to force you to use only one id. Using openid and the few sites that actually allow you to use it, I have already brought down my username password combos needed from about 10 to 2. So I can decrease the number of sign ons with systems like openid.

Secondly, as far as identity theft is concerned, my email accounts are already single points for attack. Once you have the email, the password recovery services will do your bidding. A single-identity-solution allows you to just shift this from email to some server which was created to keep and handle this data. Whats more you could be the one setting up that server... (not in the ms case but in the case of openid).

So, on the whole, single sign ons can work and openid hopefully will. I dont even want to rtfa. If I cant decide who keeps my username password for my single signon, I am just not interested.

Re:

[swillden]

I haven't looked at openid, but if it allows you to trust someone else with your keys, it's just plain missing on the most important concept.

You should look into OpenID. It's a simple but very powerful concept, and well worth your time.

OpenID is open both with respect to the choice of authentication server (you can pick any one you want, including running your own if you prefer), and with respect to the choice of authentication technology. In a nutshell, the way it works is that if site A wants to authenticate you, you enter your OpenID, which looks like "username.hostname", where hostname is the name of the OpenID provider server. Call t

Re:

[Yvanhoe]

Well, how many people use 10 different passwords anyway ? I think that most people end up using the same password again and again. The man in the middle attack can be prevented using a good crypto and certificates provided by the OS during installation (ie. not downloaded)

Re:

[KiloByte]

Well, how many people use 10 different passwords anyway ?

I use... lemme estimate the count... somewhere around 50 different passwords, with little to remember.

All you need is any mapping you remember anyway. For me, that's ASCII codes, names of Doom2 levels, etc, but for you it could be for example episode names of Star Trek (bleh), or even, horrors, results of 1976 baseball league. Everyone has something of this kind.

Next, pick a scheme of turning account/host names into the domain of your mapping.
Then,

Re:

[PopeRatzo]

All you need is any mapping you remember anyway. For me, that's ASCII codes, names of Doom2 levels, etc, but for you it could be for example episode names of Star Trek (bleh), or even, horrors, results of 1976 baseball league. Everyone has something of this kind.

ahem.

I'm not sure I do have "something of this kind", not being a sufferer of OCD. However, the idea intrigues.

What do you mean when you say "a scheme of turning the account/hostnames into the domain of your mapping". Can you give me an example?

Re:

[KiloByte]

In the lack of such a data set, you can make it up on the spot. Factorizing numbers for one.
In fact, any http://en.wikipedia.org/wiki/Hash_function [slashdot.org] will work. I named ASCII codes and Doom2 levels because they're something I know by heart; I suck at factorizing so it would take me longer. And I don't want to ever spend more than 10 seconds trying to remember a password I didn't use for a while. This is not an issue for ones you type in frequently as they'll be "cached" in your fingers' memory, though.

Pro

Re:

[Catil]

Thanks to the forgot-password-option every site offers, using a single email address to register to everything makes that email account already the weakest link anyway. With the millions of blogs and forums these days, however, that all require people to register and validate via email just to leave a comment, a "single sign-on system" is still a good idea. I guess secure critical sites like Paypal wouldn't cause a problem because they hopefully would never provide to login with such a system in the first p

Re:

[MMC Monster]

Absolutely. I know the MSPassport IDs and passwords for a number of people I used to be close to. One of them is now actively hostile towards me. Should I use their ID/Password to do something illegitimate? Well, only if I'm pushed...

Re:How long

[SgtChaireBourne]

[How long] Until the first site with a fake passport login form shows up? ...

It doesn't matter so much, it's not like MS WLID, formerly known as MS Passport can ever be made secure. It's fundamentally flawed from the design [avirubin.com].

However, all the bad press was about MS Passport, so a simple name change and, Voila, no bad press about the product. Palladium was sanitize the same way.

Re:

[RightSaidFred99]

Nonsense. But way to dig up a 7 year old paper. I'm sure Live is _totally_ the same thing and their complaints are still _totally_ valid.

Re:

[weicco]

We found out something is broken, they fixed it the same day but we still believe it is broken. Wow!

Only thing I found interesting in that article was the 3DES encryption thing. Passport could use per-client key but did TFA say it should be assigned to user's address, IP address? I get dynamic IP address from ISP so if keys would be assigned to my IP address and ISP's DHCP server decides to change my address wouldn't I be force to reauthenticate?

Other attack mechanism aren't solely entangled to Passport.

Re:

[SgtChaireBourne]

Nice strawman. WLID (formerly known as MS Passport) is not just any random piece of shit. It's a piece of shit being marketed as a core security component -- authentication. So, no, in answer to your question. Sure some things were "fixed" but the fundamental design flaws remain.

Furthermore, since M$ still maintains a monopoly on desktop systems and has been found on many occasions to have been illegally leveraging that monopoly to break into a new market, the risk of WLID spreading is actually rath

It's much easier than that

[QuantumG]

Go to Hotmail [hotmail.com]. You will see that Hotmail now requires you to login with Windows Live ID. Now, take a look at this page. It's a login page. They want you to enter your ID and your password. This is what gives you access to all the different services that are currently integrated with Windows Live ID, and will be integrated in the future. It's basically your "master password". Thing I'm trying to stress here: you shouldn't just give this out to anyone who asks. Ok, you get the idea.

So, first check you should do whenever you're logging into a page is what? That's right, check the url. "http://login.live.com/login.srf?wa=wsignin1.0&rps nv=10&c...." etc. Great, login.live.com, that's what I expect. Cool. Ok, so what's the second thing I should check? Anyone? Come on, it's web password security 101 here people. What do I need to check before I enter a login/password on a web site? That's right.. I need to check I'm on an SSL secured page. The url should start with what? https right? And I should look for the little lock in my browser window.. and if I'm feeling especially paranoid I should check the security certificate to see whether or not it is valid, not expired, and for the site that I am expecting.

This page has none of those things. Well done Microsoft.

Oh, but it gets better. There's this link that says "Use enhanced security". I would have thought that "enhanced" security was a sensible default, silly me. It's not underlined, so you don't know it is a link until you hover your mouse over it, but it will take you to a https:/// [https] page. Of course, the certificate it offers you is not for login.live.com, it's for graphics.hotmail.com. If you accept this certificate then you are basically saying that you're ok with trusting this data that didn't come from graphics.hotmail.com as if it did come from graphics.hotmail.com. Just for the hell of it, let's fire up this "enhanced security" page in IE and see what happens. Oh.. I see. We get no warnings. In fact, if we double click on the padlock we see that the certificate now IS for live.login.com. Hmm, what's going on here. Ahh, I see, half the content on this page didn't come from live.login.com, it came from graphics.hotmail.com.. so this isn't a secure site *at all*, it's a mixed domain site and IE's pitiful support for multiple certificates on a single page is happy to just ignore this (and doesn't even warn you).

XSS anyone?

Re:It's much easier than that

[discHead]

You forgot the part about keeping a sharply-peeled eye and making sure you are being served by live.com and not 1ive.com (with a numeral 1).

OpenID got this right.

[Poromenos1]

At least with OpenID anyone can use their own server, so a phisher wouldn't know what to make the phishing page look like. They could spoof a few known providers, but the one I use (myopenid.com) has an option to not let you log in from a different site. It gives you a page telling you to manually open a new window and log into that and then click the link to continue. That takes care of phishing...

Re:

[Delirium Tremens]

Actually, login.live.com is a very bad name.
It is full of L, I and O letters which can be easily replaced by ones and zeroes to create look-a-like URLs.

Re:It's much easier than that

[shutdown -p now]

You're a moron. How the hell did this idiot get modded up? Seriously?? The page you were served is http. The page you will post to for the login session https.

He's not saying that it doesn't use SSL to log in. He's saying that, as a user, he has no way to find it out until after he clicks "Submit" (and no, checking the HTML source code is not a serious option to consider). The convention for such things is that you use secure connection for the login form as well, so that the browser can indicate that it is secure (padlock icon, green or yellow address bar, etc - depends on the browser, but IE, Firefox and Opera all have such indicators).

Re:

[toetagger1]

Who cares about how it is implemented, if the end user has no way of telling if it is secure or not? You can't require the user to check the source code to verify the implementation of how the information is posted.

Re:

[biocute]

Hasn't MS already got a solution?

All these partner sites must display a "Genuine Live" hologram GIF image.

Beat that!

Got it backwards.

[twitter]

before semi-intelligent people weren't going to enter their passport ID into non-MS websites, but now... I bet a lot more corporate keys get exposed this way as passport is the keys to your Enterprise Licensing kingdom.

Hmmm, massive FUD has much inertia. First, intelligent people have known for a long time not to trust M$ with anything. This has harmed the online economy, but that's a different story. If the 25% prevalence of keyloggers is not enough, a rogue site has been able to harvest Passport IDs

Re:

[Blakey Rat]

Screw that.

I don't care if it's Microsoft, Google, Apple, or some nerd's basement server, but please, please SOMEBODY make a single sign-on that sites actually use, so I can use it for casual things. I'm goddamned sick of every goddamned forum on the entire Internet asking me to create an account and sign in before doing crap. You can't even read comments on IMDB now without registering and making some moronic account.

I have thousands of petty little accounts on blogs, on news sites, on wikipedia and IMDB--

Phishing?

[FliesLikeABrick]

What keeps anyone from creating a site (and/or spamming for it), saying it uses Windows Live authentication, then just farming a giant pile of logins they can sell or use for evil things?

Re:

[Anonymous Coward]

Whats to prevent them from doing it right now, without the release of the system by Microsoft? I can already create a fake Google account, Live, or numerous other login systems on any website I own, it is ultimately up to the user to beware.

Re:

[FliesLikeABrick]

Yeah but then you'll only get morons. Now people have a reason to believe that it is real

No License?

[originalhack]

Great... it's copyrighted and provides no license.

Re:No License?

[QuantumG]

Yup, grab the php package, you will see:

Copyright (c) 2007 Microsoft Corporation. All Rights Reserved.

and yeah, no license. So I guess implicitly you're not allowed to redistribute it at all.

just read the ToU

[Karma Sucks]

The ToU is on the downloads page: https://msm.live.com/app/tou.aspx [live.com]

Re:

[QuantumG]

The terms of use don't say anything about the copyright on the sample code. In fact, they don't say anything about the sample code at all.

Re:

[Karma Sucks]

Probably the intent is to be liberal. As long as you are not breaking the law or have malicious intent, you are free to use it as you wish. If you raise the issue perhaps they can make this clearer, there seem to be a lot of venues for feedback including a dedicated forum. *shrugs*

Re:

[QuantumG]

The point (which I think was obvious to everyone) is that Microsoft, a multi-billion dollar corporation, should know what they're doing and not need "feedback" to tell them that they should provide license terms with sample code.

Re:

[Karma Sucks]

That's what happen when you try to do open source... *lol*

Seems like even the lawyers get confused by the whole copyright/license thing when it comes to open source.

Re:

[QuantumG]

Lawyers get confused by copyright. period.

Copyright is intentionally designed that way.

Re:

[killjoe]

Wow MS lawyers don't understand software licensing. How cool is that!

Intentions & assumptions don't count in court.

[cheros]

Given the nature of the Beast it would not extravagant not to make assumptions other than expecting worst case..

Now we can all use Windows security - via the web!

[greenguy]

There's no possible way anything could go wrong with this plan.

Article placement

[Infonaut]

Is it just me, or does placing this article directly above the Diebold rebranding article make you think of a theme common to both? Company loses credibility. Keeps trying to regain it, but still doesn't grok that you can't just make it *look* like you've changed your spots. You actually have to change your behavior, and regaining credibility takes a lot longer than destroying it does.

Re:

[violet16]

you can't just make it *look* like you've changed your spots. You actually have to change your behavior, and regaining credibility takes a lot longer than destroying it does.

Only to people who pay attention.

You noticed this because it's tech. You don't notice most of the thousands of times it happens elsewhere [usatoday.com].

CardSpace?

[ZSO]

Does this mean they've given up on CardSpace [wikipedia.org], which is built into Vista right now? I thought it was a much better solution to the need for single sign-on. Check out thechannel9 video [msdn.com].

Re:

[Shados]

Different purposes. CardSpace, part of .NET 3.0 and up, is made as a way to authenticate and share data on a site by site basis, as opposed to the central system of Live ID. One could say Cardspace is a "mini-LifeID" thing, so to speak. Still quite useful if implemented right.

Re:

[RupW]

Does this mean they've given up on CardSpace [wikipedia.org], which is built into Vista right now? I thought it was a much better solution to the need for single sign-on. Check out thechannel9 video [msdn.com].

If you try the login link in the sample [live.com] - which redirects you back to 'localhost' when you've signed in - it says:

Windows Live is not affiliated with localhost and will share with it only an anonymous ID. Learn more. For additional protection, you may use an Information Card.

(a.k.a. Cardspace)

AFAICT from the docs and the code they've just released, there's no way for a third party to get any information about you from Live (e.g. email, name) even if you want to give it to them to speed up sign-up for examp

Uh, what?

[misleb]

I thought Passport was outted years ago as being fundamentally broken. Why would I want to implement it on my site? Did they fix it? If not, why are they still using it at all?

-matthew

Re:

[QuantumG]

They forced all the hotmail users and all the xbox users and all the other users of Microsoft services to sign up, so they figure they've got a nice big market share now.

I had to get Passport for my job

[MichaelCrawford]

I was working for a Windows shop a while back, and there was a Microsoft road show coming to town showing off Visual Studio 2005 and the new SQL Server. The boss wanted us all to go, but to attend we had to register at some Microsoft web page.

Part of the registration process was that I was required to get a Passport ID. I felt like I'd just sold my soul to The Devil just to get a paycheck.

Re:

[Blakey Rat]

It's simply impossible that Microsoft has recognized and fixed the problems it had years ago, eh?

Of course, since you didn't provide a source, and I have no idea what problem you believe needs fixing, I have no way of checking.

OpenID

[jediknil]

I'd prefer to see the rise of OpenID [openid.net]. Now if Microsoft gave you an OpenID authentication point with your LiveID (preferably with something simple, like adding the OpenID <link> tags to login.live.com or even just live.com), that would be a feature worth using and supporting. And wouldn't require changing the sites that already support OpenID, including, AFAIK, the SixApart family of blogs.

With modern technology, diverse applications are a good thing (healthier market and better apps from consumer selection). Information, however, is more useful the more widely it can be read and used. Unless you are specifically trying to hide something.

Unfortunately, like Live ID, there seems to be more OpenID providers than servers that use them for authentication.

Re:

[SolitaryMan]

It is worth noting, that OpenID is a decentralized system, so you don't have to depend on single ID provider.

Why should anyone give a fsck?

[Ant P.]

Seriously. What reason could anyone possibly want to use WLID for when OpenID already exists?

Re:

[a.d.trick]

Last time I checked, SixApart hadn't quite got the OpenID thing going; however there are many other people involved, some of who are much larger than them. AOL is the classic example (they openid.aol.com/username). There are gads of smaller independent websites and providers.

Oddly enough, Microsoft even promised to support OpenID, we'll see how that one panes out, but don't hold you breath, you might asphyxiate.

Re:

[aichpvee]

Wouldn't it be just as easy to phish if the page could look like anything as if the page always looked the same?

My old single sign-on method

[ls671]

I use 3 passwords for all sites I access mapping to 3 levels of trust. I try to use the same user id when possible :

Level 1 : risky

Level 2 : less risky

Level 3 : almost trustable

For sites that I really trust (banking, etc...) I use dedicated passwords. I, also, can forecast problems with a single sign-on scheme that would be more or less like giving away your social security number if hacked.

I have been working on this problematic before for big organizations and one conclusion we came up with was that we needed to re-use the old assembly language "indirection" principle, called pointers in higher level languages.

So basically, one has to be able to authenticate with multiples set of usernames/passwords combinations. Once the unique user is authenticated, the central authentication authority limits its role to just that, authenticating the user.

All authorization is managed by the local system that interacts with the user.

Do a search for MBUN on Google. In Canada, a user can have multiple MBUNs to deal with the government. This solution was implemented to cope with privacy concerns and still allow the citizen to deal with the government with the same level of privacy that was previously achieved with paper forms. Basically, what has been done is creating a mapping between the MBUN and the real userid and the choice has been given the citizen to have as many MBUN as he wishes to deal with the government.

Serious concerns should apply to too simplistic solutions ;-) Now for all /. MS bashers to enjoy : Although a qualified partner in the project, none of MS products where used to implement the solution. Given the money and the visibility at stakes, this caused a commotion in Canada with MS canadian VP putting pressure on everybody to reverse the decision.

Hey Sam, your products are just too simplistic and too proprietary. Phone us next year please ;-) That was really funny, the guy just couldn't understand that Macdonald's like marketing techniques did not work in this case. I mean, they even flew us for a week to Redmond at the campus to try to brainwash us, but still no go for MS.

-ls

OpenID

[AceJohnny]

and how this compare to OpenID [wikipedia.org] ? (See also OpenID Enabled [openidenabled.com] for those interested in using it)

Re:

[shish]

From a brief look, it seems considerably easier to implement and run; for clients, servers, and end users. I've had OpenID support on my webapp to-do list for months, and I'm considering implementing this in an afternoon. However, the fundemental design is worse :-/

OpenID could really do with a for-dummies API...

Re:

[4thAce]

I hope that it could be one of the supported URL-based identity protocols under Yadis [yadis.org] too.

Rich

Re:

[swillden]

I've had OpenID support on my webapp to-do list for months

Why? The consumer side of OpenID is very simple to implement. Not only that, if your webapp is built in PHP, Perl, C++, Java, Python, Ruby, C# or ColdFusion, there are libraries available that you can just drop in to handle it for you. Also, if you happen to use Plone or Drupal, OpenID support has already been added to your framework.

Re:

[shish]

What's wrong with the design?

It's a centralised system -- if microsoft were ever to stop running the service, or it were to go down, or be hacked, or were to require some form of payment / non-free licencing to use it, we'd all be screwed.

Re:

[Blakey Rat]

People might actually recognize and use this, and nobody uses OpenID?

Just a guess.

System Requirements

[iovar]

From: http://www.microsoft.com/downloads/details.aspx?Fa milyId=8BA187E5-3630-437D-AFDF-59AB699A483D&displa ylang=en [microsoft.com]

Supported Operating Systems: Linux; Windows Vista; Windows XP

How's the wheather in hell these days?

Why am I not convinced?

[mporcheron]

Well, it will inherit Microsoft's stellar security and perfect programming. Besides which, its a closed network unlike OpenID so it will be about as popular as Google's Account Authentication [google.com] which does the same thing but with Google Accounts. Even OpenID isn't that widely used, and it's an open system.

Re:

[RegularFry]

You're forgetting that, unlike OpenID, Passport already has a huge number of users. It stands a good chance of winning by default.

This is bad news

[CopaceticOpus]

The worst possible things that could happen for widespread adoption of a universal login system are:

1. Competition between different standards.
2. Companies with profit motives pushing their own solutions.

It's like the whole HD-DVD vs BluRay issue. End users don't want to deal with choosing one or the other. It would be better for everyone if we could all just come together around one completely open standard.

The standard with the most momentum seems to be OpenID. I hope that a few years from now, I'll be us

Re:

[RupW]

The standard with the most momentum seems to be OpenID. I hope that a few years from now, I'll be using it for most of my web logins.

This is solving a different problem, though - it's a lightweight SSO.

Microsoft are collaborating with OpenID [identityblog.com] on support for Information Cards (a.k.a. Cardspace).

Why?

[PietjeJantje]

Why on earth would I want to, of all things, authenticate using a 3rd party propriety system from a vendor with proven business practices like MS? That seems like the very last thing I want to do. And I haven't even mentioned the outages, so your uptime depends on MS. What are you gonna do when that happens, call them? I have a much better idea, Bill. Why don't you use my unified login system. I've made a version in Visual Basic especially for you.

Terms of Use

[giafly]

Ever intending to compete against a Microsoft product?

you may not: use the service in a way that harms us or our affiliates, resellers, distributors, and/or vendors (collectively, the "Microsoft parties"), or any customer of a Microsoft party ...

Care about money?

We may choose in the future to charge for use of the service. If we choose to establish fees and payment terms for such use, Microsoft will provide at least one (1) month advance notice of such terms as provided in section 18 below, and you may elect to stop using the service rather than incurring fees.

https://msm.live.com/app/tou.aspx [live.com]

The concept never convinced me

[mrjb]

The 'one password for everything' concept is fundamentally broken. It is like having one key for everything you own- your house, your car. During a vacation, I *want* to be able to give the housekeeper access to my house, but I also want to *prevent* her from going for a joyride in my brand new expensive car. The fact that I have neither a housekeeper nor a brand new expensive car is a minor detail.

MS ignores Python style guide

[abecede]

It is just sad to read the Python implementation of this functionality. Almost nothing is written according to the Python Style Guide [python.org]. Weird "__foo"-variables can be found, then it's not Python2.3 compliant because of ONE silly "staticmethod", many "getters" and "setters" which are just useless in this script. If MS wants to show their code to the scripting community, they should at least make it pretty and according to the language's coding standards. But maybe that is their understanding of "pretty". Who knows.

Bring it on! Not!

[crivens]

Oh yeah I'd love to use an authentication system on multiple sites that forces me to re-enter my password in Firefox every time I visit hotmail.com!

Tears to my eye.

[Espectr0]

From the download page:

System Requirements

• 
     
• Supported Operating Systems: Linux;[...]

How far have we come?

MS adapts to market

[athloi]

New market: either proprietary web-based services (quasi-thin client) or a standards-based, PC-based market. Microsoft wants the latter, Google wants the former. Consequently, Microsoft is opening up to open source, as it will help it gain its goals.

The important thing to remember about corporations is that they're not evil. They're realpolitik. Their only goal is to make their stock price rise, so their stockholders go home happy. Stockholders are people like you and me who've bought Microsoft stock and wa

Uh... OpenID?

[Schraegstrichpunkt]

How is this different from OpenID [openid.net], other than that MS displays a massive not-invented-here syndrome?

Re:So what?

[pembo13]

They changed the name

Re:So what?

[kimvette]

Like the diebold voting booths? ;)

Re:

[Karma Sucks]

What's with the nitpicking, that Ruby is sweet!

Re:

[Vegeta99]

You made uh funni!!

Re:

[RupW]

This is not really news, passport used to be open a couple of years ago when the bubble burst. No one really used it much so they closed it again.

Yes and no - the API was open, yes, but the problem with casual adoption of passport was that there was a large fee to get it into production ($10,000 I think, might even have been $10,000/year).

This is essentially no-cost but (as I've posted above) it doesn't look very professional to me - I think it's more suited to blogs login than corporate app login.

Re:

[a.d.trick]

Actually, single sign-on can be pretty cool. This is more a bad case of NIH than a solution for a non-problem. OpenID is already out there, it's supported by many sites/software, it works, and it as a second killer feature: it's decentralized. Forcing lame copies of existing standards is pretty typical MS too (see OpenDocument vs OOXML).