Microsoft Opens Up Windows Live ID
randommsdev writes "Microsoft has announced the release of Windows Live ID Web Authentication. This means that WLID (formerly known as Passport) is now opened to third party websites to use as their authentication system. Any Windows Live user can potentially log in to a website that implements Web Authentication. Interestingly, sample implementations are available in the Ruby, Python, Perl, and PHP open source languages amongst others — tested on openSUSE 10.2 but expected to work on any platform that supports these languages. More details are available in the SDK documentation."
Re:How long (Score:5, Informative)
Well there are safeguards for this now, and I am sure if it gets to be a problem like that was at one time, it will also get fixed.
Re:How long (Score:5, Informative)
It doesn't matter so much, it's not like MS WLID, formerly known as MS Passport can ever be made secure. It's fundamentally flawed from the design [avirubin.com].
However, all the bad press was about MS Passport, so a simple name change and, Voila, no bad press about the product. Palladium was sanitized the same way.
OpenID (Score:5, Informative)
Re:ATTN: Top-posting whores (Score:1, Informative)
Top posting is when people intentionally respond to a post that is close to the top in order to achieve higher visibility. As a result, their posts often get modded higher than if they started their own thread in the discussion or responded to something that is on-topic. If you've ever seen someone respond to a post near the top with something that has nothing to do with what they replied to, that is top posting (there's probably other terms as well) and is a sure sign of a scum-sucking karma whore. Unfortunately, the mods fall for it a lot rather than modding the post off-topic as it should be.
Re:ATTN: Top-posting whores (Score:2, Informative)
Here, maybe. Go back a few years and you'll find that "top-posting" was (and is) used to describe someone who, in a newsgroup post, puts his or her own answer above the quote it responds to, making the discussion hard to follow by the quotes in one single post.
Re:How long (Score:3, Informative)
Another way is to use a cryptographic challenge-response authentication, with the relying site's URL hashed into the challenge.
Since the relying site never actually receives the secret key used to create the response, phishing sites gain nothing useful when they prompt the user for authentication. And since the site the user is authenticating to is hashed into the challenge (by an authentication tool on the user's machine, not by the relying site), a response given to a phishing page will not provide access to the legitimate site it's pretending to be.
A more flexible way is the approach taken by OpenID: The relying site redirects you to your real authentication site (the one that provides the OpenID service, which may be a personal site) to enter your authentication credentials. The OpenID auth site then redirects you back to the relying site. Assuming you know enough to check the URL in the location bar, you can be sure that you're not giving your credentials to a phishing site.
Since a real relying site will always contact the OpenID provider directly, and give it the correct URL for the second redirect, a phishing site may initiate the process but will get cut out of the loop when the OpenID site redirects the user to the real site. At present, most OpenID implementations provide fairly weak security, but that's not an inherent weakness of the protocol.
Both of these approaches ultimately rely on the integrity of DNS, unfortunately, so they can be subverted by spoofing DNS. Fortunately, that's a much harder thing to do than to put up a phishing site and send spam to get users to visit it, so either option is a net security gain.
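The origin-bound challenge-response scheme described in the comment above, as an added example (not code from the thread, from Windows Live ID, or from any real product). The roles, origins, user name and in-memory key store are constructed; the relying sites only ever see a challenge and a response, and the origin that gets mixed into the HMAC is the one the user's browser actually connected to. It also shows the replay check a provider would want, which the comment does not spell out.

```python
import hashlib
import hmac
import secrets

# Constructed example. Three roles:
#   Provider      - issued the per-user key and verifies responses (hypothetical service)
#   Authenticator - runs on the user's machine and holds that key
#   RelyingSite   - never sees the key; it hands a challenge to the user and the
#                   response back to the provider, naming its own registered origin
# Assumption: the provider knows which relying site is calling verify() (for
# example through TLS client authentication), so a site cannot claim another's origin.


def _tag(key: bytes, challenge: bytes, origin: str) -> bytes:
    # HMAC over nonce || origin. The origin is supplied by the browser-side tool,
    # not by the page, so a phishing page cannot substitute the victim site's name.
    return hmac.new(key, challenge + b"\x00" + origin.encode(), hashlib.sha256).digest()


class Provider:
    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}        # user -> key, in memory for the demo
        self._used: set[tuple[str, bytes]] = set()  # (user, challenge) already accepted

    def enroll(self, user: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[user] = key
        return key  # delivered to the user's authenticator, never to a relying site

    def verify(self, user: str, relying_origin: str, challenge: bytes, response: bytes) -> bool:
        key = self._keys.get(user)
        if key is None or (user, challenge) in self._used:
            return False  # unknown user, or a replayed challenge
        if not hmac.compare_digest(_tag(key, challenge, relying_origin), response):
            return False  # wrong key, or the response was computed for another origin
        self._used.add((user, challenge))
        return True


class Authenticator:
    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes, browser_origin: str) -> bytes:
        return _tag(self._key, challenge, browser_origin)


class RelyingSite:
    def __init__(self, origin: str, provider: Provider) -> None:
        self.origin, self.provider = origin, provider

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh nonce per login attempt

    def login(self, user: str, challenge: bytes, response: bytes) -> bool:
        # The site checks the response against its *own* registered origin.
        return self.provider.verify(user, self.origin, challenge, response)


def demo() -> tuple[bool, bool, bool]:
    provider = Provider()
    auth = Authenticator(provider.enroll("alice"))
    bank = RelyingSite("https://bank.example", provider)

    # 1. Normal login: browser is really at the bank, so the origins agree.
    c1 = bank.new_challenge()
    genuine = bank.login("alice", c1, auth.respond(c1, "https://bank.example"))

    # 2. Phishing: the impostor relays a fresh bank challenge to the user, but the
    #    user's browser is at the impostor's origin, so the captured response fails
    #    when the impostor tries it against the bank.
    c2 = bank.new_challenge()
    captured = auth.respond(c2, "https://bank-login.example")
    phished = bank.login("alice", c2, captured)

    # 3. Replay of the good response from step 1 is refused by the provider.
    replayed = bank.login("alice", c1, auth.respond(c1, "https://bank.example"))
    return genuine, phished, replayed


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The same property holds with a public-key authenticator (the relying site then holds only the verification key); HMAC is used here only to keep the example within the standard library.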
Re:erf revisited (Score:3, Informative)
You should look into OpenID. It's a simple but very powerful concept, and well worth your time.
OpenID is open both with respect to the choice of authentication server (you can pick any one you want, including running your own if you prefer), and with respect to the choice of authentication technology. In a nutshell, the way it works is that if site A wants to authenticate you, you enter your OpenID, which looks like "username.hostname", where hostname is the name of the OpenID provider server. Call that site B. First A contacts B directly and establishes a shared secret. Next, A redirects your browser to B, where you authenticate yourself. The mechanism you use for authentication is between you and B. Generally it's a password, but it could be any authentication mechanism you want, with as many factors as you want. After you've authenticated yourself and indicated that you trust A (the URL is displayed, which is a mild anti-phishing protection), B redirects you back to A, with the user identity and the shared secret embedded in the URL so that A can verify that you were authenticated.
There's quite a bit more to it than that, and it even includes mechanisms for delegating OpenID service, using XRIs to protect against OpenID services whose domain names are taken over, etc., but that's the basic idea.