Microsoft Opens Up Windows Live ID

randommsdev writes "Microsoft has announced the release of Windows Live ID Web Authentication. This means that WLID (formerly known as Passport) is now opened to third party websites to use as their authentication system. Any Windows Live user can potentially log in to a website that implements Web Authentication. Interestingly sample implementations are available in the Ruby, Python, Perl, and PHP open source languages amongst others — tested on openSUSE 10.2 but expected to work on any platform that supports these languages. More details are available in the SDK documentation."

How long

[afidel]

Until the first site with a fake passport login form shows up? I mean before semi-intelligent people weren't going to enter their passport ID into non-MS websites, but now... I bet a lot more corporate keys get exposed this way as passport is the keys to your Enterprise Licensing kingdom.

Re:So what?

[pembo13]

They changed the name

Re:No License?

[QuantumG]

Yup, grab the php package, you will see:

Copyright (c) 2007 Microsoft Corporation. All Rights Reserved.

and yeah, no license. So I guess implicitly you're not allowed to redistribute it at all.

Typical MS!

[rts008]

Solution looking for a problem.

With so many security and authentication issues inherent to MS products, this seems another case of marketing pushing faster/harder than the development teams can keep up with.

If it backfires for them, look for flying chairs...*ducks*.

Re:How long

[jamesh]

I would love to have a 'single sign-on' and forever forget the hassle of remembering and entering passwords, but the flaw you mention and many others mean I don't think it will ever work. The value of pwning someone's 'single sign-on' code (whether it is Microsoft or some other solution) is just too high.

If a 'single sign-on' became everyone's only method of authenticating to anything, then it would make identity theft just too easy.

You can go to extreme lengths to protect all the sign-on pages in the world, but as long as there are people who will click on a 'your account will be deleted in 2 days unless you go to http://i.am.going.to.steal.your.identity.com/verif y.php [identity.com]' link in an email, none of it matters.

I can't think of any way of preventing that problem without there still being the possibility of a "man in the middle" attack...

Re:How long

[jamesh]

Well there are safeguards for this now, and I am sure if it gets to be a problem like that was at one time, it will also get fixed.

The safeguards only work if the user is paying attention. It only takes a fraction of a percent of people to click a 'log in here with your bank of america credentials to see if you have won a prize' link and the scammers can make a profit, and will keep on scamming.

Still... if you've got a way around this that is truly idiot proof, I'd like to hear it! The best thing I can come up with is that the banks themselves initiate the scam, and then send 'the boys' around to break the thumbs of anyone who falls for it, or otherwise punish the scammee (that's strange... my spell check says scammee isn't a valid word...).

Re:So what?

[kimvette]

Like the diebold voting booths? ;)

It's much easier than that

[QuantumG]

Go to Hotmail [hotmail.com]. You will see that Hotmail now requires you to login with Windows Live ID. Now, take a look at this page. It's a login page. They want you to enter your ID and your password. This is what gives you access to all the different services that are currently integrated with Windows Live ID, and will be integrated in the future. It's basically your "master password". Thing I'm trying to stress here: you shouldn't just give this out to anyone who asks. Ok, you get the idea.

So, first check you should do whenever you're logging into a page is what? That's right, check the url. "http://login.live.com/login.srf?wa=wsignin1.0&rps nv=10&c...." etc. Great, login.live.com, that's what I expect. Cool. Ok, so what's the second thing I should check? Anyone? Come on, it's web password security 101 here people. What do I need to check before I enter a login/password on a web site? That's right.. I need to check I'm on an SSL secured page. The url should start with what? https right? And I should look for the little lock in my browser window.. and if I'm feeling especially paranoid I should check the security certificate to see whether or not it is valid, not expired, and for the site that I am expecting.

This page has none of those things. Well done Microsoft.

Oh, but it gets better. There's this link that says "Use enhanced security". I would have thought that "enhanced" security was a sensible default, silly me. It's not underlined, so you don't know it is a link until you hover your mouse over it, but it will take you to a https:/// [https] page. Of course, the certificate it offers you is not for login.live.com, it's for graphics.hotmail.com. If you accept this certificate then you are basically saying that you're ok with trusting this data that didn't come from graphics.hotmail.com as if it did come from graphics.hotmail.com. Just for the hell of it, let's fire up this "enhanced security" page in IE and see what happens. Oh.. I see. We get no warnings. In fact, if we double click on the padlock we see that the certificate now IS for live.login.com. Hmm, what's going on here. Ahh, I see, half the content on this page didn't come from live.login.com, it came from graphics.hotmail.com.. so this isn't a secure site *at all*, it's a mixed domain site and IE's pitiful support for multiple certificates on a single page is happy to just ignore this (and doesn't even warn you).

XSS anyone?

OpenID

[jediknil]

I'd prefer to see the rise of OpenID [openid.net]. Now if Microsoft gave you an OpenID authentication point with your LiveID (preferably with something simple, like adding the OpenID <link> tags to login.live.com or even just live.com), that would be a feature worth using and supporting. And wouldn't require changing the sites that already support OpenID, including, AFAIK, the SixApart family of blogs.

With modern technology, diverse applications are a good thing (healthier market and better apps from consumer selection). Information, however, is more useful the more widely it can be read and used. Unless you are specifically trying to hide something.

Unfortunately, like Live ID, there seems to be more OpenID providers than servers that use them for authentication.

Re:CardSpace?

[Shados]

Different purposes. CardSpace, part of .NET 3.0 and up, is made as a way to authenticate and share data on a site by site basis, as opposed to the central system of Live ID. One could say Cardspace is a "mini-LifeID" thing, so to speak. Still quite useful if implemented right.

Re:How long

[arivanov]

'log in here with your bank of america credentials to see if you have won a prize'. As a matter of fact this is the latest and probably the most successfull class of phishing sites. The ruse is a "survey" on behalf of "Bank of America" or someone else. It is surprising how many people fall for it. The website has nothing to do with the bank, the addresses are not the bank ones, but none the less the consumer enters their credentials. As a results of many years of brainwashing by direct marketeers they now consider all this to be "business as usual".

Re:OpenID

[SolitaryMan]

It is worth noting, that OpenID is a decentralized system, so you don't have to depend on single ID provider.

Re:OpenID

[aichpvee]

Wouldn't it be just as easy to phish if the page could look like anything as if the page always looked the same?

Why am I not convinced?

[mporcheron]

Well, it will inherit Microsoft's stellar security and perfect programming. Besides which, its a closed network unlike OpenID so it will be about as popular as Google's Account Authentication [google.com] which does the same thing but with Google Accounts. Even OpenID isn't that widely used, and it's an open system.

Re:How long

[baboonlogic]

There is nothing in a single sign on system to force you to use only one id. Using openid and the few sites that actually allow you to use it, I have already brought down my username password combos needed from about 10 to 2. So I can decrease the number of sign ons with systems like openid.

Secondly, as far as identity theft is concerned, my email accounts are already single points for attack. Once you have the email, the password recovery services will do your bidding. A single-identity-solution allows you to just shift this from email to some server which was created to keep and handle this data. Whats more you could be the one setting up that server... (not in the ms case but in the case of openid).

So, on the whole, single sign ons can work and openid hopefully will. I dont even want to rtfa. If I cant decide who keeps my username password for my single signon, I am just not interested.

Re:How long

[Catil]

Thanks to the forgot-password-option every site offers, using a single email address to register to everything makes that email account already the weakest link anyway. With the millions of blogs and forums these days, however, that all require people to register and validate via email just to leave a comment, a "single sign-on system" is still a good idea. I guess secure critical sites like Paypal wouldn't cause a problem because they hopefully would never provide to login with such a system in the first place.
It's a pity that OpenID somehow doesn't take off as many expected and I don't think a Microsoft solution will either. Google comes to mind as one company that could probably do it successfully.

Why?

[PietjeJantje]

Why on earth would I want to, of all things, authenticate using a 3rd party propriety system from a vendor with proven business practices like MS? That seems like the very last thing I want to do. And I haven't even mentioned the outages, so your uptime depends on MS. What are you gonna do when that happens, call them? I have a much better idea, Bill. Why don't you use my unified login system. I've made a version in Visual Basic especially for you.

Re:It's much easier than that

[shutdown -p now]

You're a moron. How the hell did this idiot get modded up? Seriously?? The page you were served is http. The page you will post to for the login session https.

He's not saying that it doesn't use SSL to log in. He's saying that, as a user, he has no way to find it out until after he clicks "Submit" (and no, checking the HTML source code is not a serious option to consider). The convention for such things is that you use secure connection for the login form as well, so that the browser can indicate that it is secure (padlock icon, green or yellow address bar, etc - depends on the browser, but IE, Firefox and Opera all have such indicators).

Terms of Use

[giafly]

Ever intending to compete against a Microsoft product?

you may not: use the service in a way that harms us or our affiliates, resellers, distributors, and/or vendors (collectively, the "Microsoft parties"), or any customer of a Microsoft party ...

Care about money?

We may choose in the future to charge for use of the service. If we choose to establish fees and payment terms for such use, Microsoft will provide at least one (1) month advance notice of such terms as provided in section 18 below, and you may elect to stop using the service rather than incurring fees.

https://msm.live.com/app/tou.aspx [live.com]