Microsoft Opens Up Windows Live ID

randommsdev writes "Microsoft has announced the release of Windows Live ID Web Authentication. This means that WLID (formerly known as Passport) is now opened to third party websites to use as their authentication system. Any Windows Live user can potentially log in to a website that implements Web Authentication. Interestingly sample implementations are available in the Ruby, Python, Perl, and PHP open source languages amongst others — tested on openSUSE 10.2 but expected to work on any platform that supports these languages. More details are available in the SDK documentation."

Re:How long

[smashin234]

This has been done many times in the past, and I am sure it will continue to happen. Most common were the times that people would set-up false bank of america websites and people would type in their account information....perfect set-up. What was even better was that these sites sometimes were set to bankofamrica.com or some slight variation of the site, so the common user would have no idea they were at the wrong site.

Well there are safeguards for this now, and I am sure if it gets to be a problem like that was at one time, it will also get fixed.

No License?

[originalhack]

Great... it's copyrighted and provides no license.

Re:Phishing?

[Anonymous Coward]

Whats to prevent them from doing it right now, without the release of the system by Microsoft? I can already create a fake Google account, Live, or numerous other login systems on any website I own, it is ultimately up to the user to beware.

Re:How long

[SgtChaireBourne]

[How long] Until the first site with a fake passport login form shows up? ...

It doesn't matter so much, it's not like MS WLID, formerly known as MS Passport can ever be made secure. It's fundamentally flawed from the design [avirubin.com].

However, all the bad press was about MS Passport, so a simple name change and, Voila, no bad press about the product. Palladium was sanitize the same way.

just read the ToU

[Karma Sucks]

The ToU is on the downloads page: https://msm.live.com/app/tou.aspx [live.com]

Uh, what?

[misleb]

I thought Passport was outted years ago as being fundamentally broken. Why would I want to implement it on my site? Did they fix it? If not, why are they still using it at all?

-matthew

Re:How long

[JonathanR]

Two Factor [wikipedia.org] authentication using a security token (like the RSA SecurID tokens).

OpenID

[AceJohnny]

and how this compare to OpenID [wikipedia.org] ? (See also OpenID Enabled [openidenabled.com] for those interested in using it)

Re:ATTN: Top-posting whores

[Anonymous Coward]

Top posting is when people intentially respond to a post that is close to the top in order to achieve higher visibility. As a result, their posts often get modded higher than if they started their own thread in the discussion or responded to something that is on-topic. If you've ever seen someone respond to a post near the top with something that has nothing to do with what they replied to, that is top posting (there's probably other terms as well) and is a sure sign of a scum-sucking karma whore. Unfortunately, the mods fall for it a lot rather than modding the post off-topic as it should be.
 

Re:How long

[jombeewoof]

Software tokens are terrible, they fail much more often than not. SecurID tokens are the best thing to happen to computers since parc. The greatest thing is the simplicity, a random number shot through an algorithm changed every 60 seconds. If the numbers don't match you don't get in. They're simple to resync if the two sides fall out of skew. And reasonably difficult to counterfeit. In a few years(decades) the price will come down and you'll have one of these for just about everything. Your bank, your job, even some fancy car keys have similar technology in them. While they're not without their flaws, the securid's and similar 2 factor id have a lot of potential to cut down on identity theft.

Re:How long

[Scruffy Dan]

paypal already offers one for only 5 bucks

Re:ATTN: Top-posting whores

[laederkeps]

Top posting is when people intentially respond to a post that is close to the top in order to achieve higher visibility.

Here, maybe. Go back a few years and you'll find that "top-posting" was (and is) used to describe someone who, in a newsgroup post, puts his or her own answer above the quote it responds to, making the discussion hard to follow by the quotes in one single post.

OpenID got this right.

[Poromenos1]

At least with OpenID anyone can use their own server, so a phisher wouldn't know what to make the phishing page look like. They could spoof a few known providers, but the one I use (myopenid.com) has an option to not let you log in from a different site. It gives you a page telling you to manually open a new window and log into that and then click the link to continue. That takes care of phishing...

Re:How long

[swillden]

The _only_ way I can think of for the second factor to completely solve all the problems is that if it is a device that you connect to the network, and it establishes a secure session between the end points

Another way is to use a cryptographic challenge-response authentication, with the relying site's URL hashed into the challenge.

Since the relying site never actually receives the secret key used to create the response, phishing sites gain nothing useful when they prompt the user for authentication. And since the site the user is authenticating to is hashed into the challenge (by an authentication tool on the user's machine, not by the relying site), a response give to a phishing page will not provide access to the legitimate site it's pretending to be.

A more flexible way is the approach taken by OpenID: The relying site redirects you to your real authentication site (the one that provides the OpenID service, which may be a personal site) to enter your authentication credentials. The OpenID auth site then redirects you back to the relying site. Assuming you know enough to check the URL in the location bar, you can be sure that you're not giving your credentials to a phishing site.

Since a real relying site will always contact the OpenID provider directly, and give it the correct URL for the second redirect, a phishing site may initiate the process but will get cut out of the loop when the OpenID site redirects the user to the real site. At present, most OpenID implementations provide fairly weak security, but that's not an inherent weakness of the protocol.

Both of these approaches ultimately rely on the integrity of DNS, unfortunately, so they can be subverted by spoofing DNS. Fortunately, that's a much harder thing to do than to put up a phishing site and send spam to get users to visit it, so either option is a net security gain.

Re:erf revisited

[swillden]

I haven't looked at openid, but if it allows you to trust someone else with your keys, it's just plain missing on the most important concept.

You should look into OpenID. It's a simple but very powerful concept, and well worth your time.

OpenID is open both with respect to the choice of authentication server (you can pick any one you want, including running your own if you prefer), and with respect to the choice of authentication technology. In a nutshell, the way it works is that if site A wants to authenticate you, you enter your OpenID, which looks like "username.hostname", where hostname is the name of the OpenID provider server. Call that site B. First A contacts B directly and establishes a shared secret. Next, A redirects your browser to B, where you authenticate yourself. The mechanism you use for authentication is between you and B. Generally it's a password, but it could be any authentication mechanism you want, with as many factors as you want. After you've authenticated yourself and indicated that you trust A (the URL is displayed, which is a mild anti-phishing protection), B redirects you back to A, with the user identity and the shared secret embedded in the URL so that A can verify that you were authenticated.

There's quite a bit more to it than that, and it even includes mechanisms for delegating OpenID service, using XRIs to protect against OpenID services whose domain names are taken over, etc., but that's the basic idea.