SitePoint Sponsor

User Tag List

Results 1 to 3 of 3
  1. #1
    SitePoint Columnist Skunk's Avatar
    Join Date
    Jan 2001
    Lawrence, Kansas
    0 Post(s)
    0 Thread(s)

    Passport / Singal Signons for everything are a fundamentally BAD idea - discuss

    Once Passport has become the standard for sign-ins across the internet (as Microsoft are trying to make it) if someone steals your username and passport they can steal pretty much your whole internet identity. Stealing a password that you use for everything is extremely easy to do - in fact the very fact that you use it for lots of things will make you less careful with it in the first place.

    Experienced users might (just) be OK, but considering the majority of internet users use their pet's name as a password it doesn't look good...

  2. #2
    SitePoint Zealot Aonghus's Avatar
    Join Date
    Feb 2001
    0 Post(s)
    0 Thread(s)
    I wouldn't use Microsoft Passports on any of my sites - I would always insist that visitors set up their own accounts and passwords for each individual site. If I have reason enough to password protect something, I'll make sure it's done right. For this reason, I doubt the whole idea will catch on, as Microsoft want it to. There may be a lot of careless internet users out there, but not nearly as many careless web developers.

    As a matter of interest, how exactly do Microsoft want to implement this?


  3. #3
    SitePoint Wizard gold trophysilver trophy
    Join Date
    Nov 2000
    0 Post(s)
    0 Thread(s)
    First of all, think this topic should go in General Chat - effects everyone who's building for the web - not just the coders amongst us.

    It's a subject I'm real hot on, as I believe it threatens both individual privacy and more importantly, is a step towards closing the doors for new startup businesses on the Internet.

    First some facts and reading. As far as I know, there are two groups making a play for the single point of authentication.

    Microsoft with Passport and My Services (previously known as Hailstorm) are first, and are way ahead.

    The other with The Liberty Alliance, which is a group of other big companies like Sun, Sony, HP and Mastercard. They're a long way behind but have a few aces (like Mastercard) which might make them a contender.

    Now the first question you have to ask here is;

    Do we need this? Is it really necessary for people to have one login on the Internet, which gives access to all?

    For me there are a few advantages, but mainly in favor of big corporations.

    The two main ones that are being used to sell this concept to individuals are "Hey stupid user. You'll only need to remember one password. Won't that be great?" and "You'll be in control of your information!" (the push on My Services).

    The first - well that's hardly worth the price in my opinion. The second is you may be in control of some information, but you'll be giving away far more about yourself than you ever did before. Someone will know every site your visit, how long you're there for, when you're online (read messenger) and perhaps where, what you're online spending habits are and have a route to trace you on basically everything - what your global credit rating is and so on.

    For businesses, all that's great, and it may have some benefits for everyone. Things like online banking and payments can really take off, so it will be truly possible to work anywhere, any how. Businesses will have a greater degree of security - they'll be able to rely on the information about you and so feel happy to send you products etc.

    And probably this will lead us into true online "citizenship" and goverments. If you read the Liberty Alliance FAQ, they're already talking about online "Federation". Interesting stuff and probably, one way or another, it's inevitable. "Real" national governments are become increasingly superceded by corporations and "world" bodies (EU, UN, WTO etc.).

    All this is well and fine, but there's a big problem - as experience shows, the regional laws are usually 5 years behind the latest technologies, at best. So right now there are effectively no checks or balances on what's happening in this area. No one is fighting for the rights on the individual and essential, the groups / corporations pushing these technologies are free to do what they like.

    So far I've kept general. No lets get down to: Microsoft.

    Right now, they're way ahead. Everyone who signed up for Hotmail now has a "Passport", whether they know it or not. They've already got some big sites involved, including eBay (more here.

    Passport is an central authentication system for websites - one login - many websites, Microsoft in the middle. It's based on Kerberos and officially open source. But Microsofts implementation as new stuff written in which will only work on their authentication servers (so no one else can provide that service without a serious catch up on development).

    The main Passport site is . Right now it's free technology for your website, but Microsoft have already stated that that's not for ever.

    Getting onto My Services; it's basically a giant list to store information about you. You can login and maintain this information, and it's meant to help you with stuff like - you fly to a city you don't know - it comes up with Hotels / Cars etc. based on your preferences.

    Microsoft are saying up front they will charge for My Services in the white paper

    Microsoft will operate .NET My Services as a business. .NET My Services will have real operational costs, and rather than risk compromising the user-centric model by having someone such as advertisers pay for these services, the people receiving the value—the end users—will be the primary source of revenue to Microsoft. .NET My Services will help move the Internet to end-user subscriptions, where users pay for value received.

    Microsoft will also derive some revenue from developers to help cover the costs of the services and products they need. These charges will be minimized to encourage the broadest possible range of developers to build for .NET My Services, but the usual costs for tools and support, as well as some minimal costs for access to a live test environment, will apply.
    As it states "finding of your ideal hotel" is clearly going to play to those that can pay, which will be Hilton and so on, rather that small operations.

    Then combine the "some revenue from developers" with the cost to use Passport on your site (that's coming soon, once they're the default authentication system) and you've basically got to buy in before you can even put your e-commerce site online.

    The fees will no doubt be assumed to be reasonable by MS, but we'll probably be talking reasonable the way paying Verisign $300 for a certificate is reasonable.

    Microsoft say on the Passport site that they won't be using it to store information about your customers - they'll only have email and password.

    Setting the Record Straight
    Unfortunately, there is a lot of confusing information circulating about Microsoft Passport. Some highly vocal competitors are spreading inaccurate or outright false statements about the integrity and features of the .NET Passport services. This section is meant to provide you with the facts and help set the record straight.
    Participating sites store their own information about customers.
    Participating sites do not send any data to .NET Passport nor does .NET Passport have access to data stored in participating site databases. The relationship between the participating site and the customer belongs to that partner site. .NET Passport is simply a technology that helps enable participating sites to provide authenticated, user-centric services to end users and enables end users to move seamlessly from participating site to participating site without having to remember a different user name and password for each one.
    Now that's true in that your site only sends Microsoft the email and password. Whatever happens at your site such as purchases and so (although MS are offering a shopping cart to boot ) is private.

    But here's what MS isn't saying. First they'll know who all your customers are. Then they've got a ton of personal information in My Services, and further help with identification, curtesy of Messenger.

    If you put up an auction site for example, using Passport, do you trust Microsoft not to sell your customer list to eBay, a "gold partner", who then spam all your members with better deals? There's nothing to stop them, except they're own honor. And hey - that would just by My Services doing a good job - you're in control after all.

    Microsoft aren't having it all their own way. Hailstorm has had to be partially shelved (see here, but expect to see it around in other forms in the not too distant future.


    .NET Passport and the Liberty Alliance Project are not mutually exclusive.
    .NET Passport is a proven, Internet-scale authentication solution that has been in operation for more than two years. The Liberty Alliance Project was created to develop base specifications for future authentication implementations. Microsoft announced plans for interoperability (federation) in September 2001, before the Liberty Alliance Project was formed. Microsoft supports many of the same goals as the Alliance (such as the universal SSI model for federating trust) and regularly communicates with alliance members to determine the best role for Microsoft in this effort. For Microsoft, the main goal is to solve problems for customers. It is impractical, from a technical and business perspective, for any one company to "own authentication" for the Internet, and that has never been .NET Passport's goal. Microsoft believes that federated authentication and broad industry participation in an Internet trust network is key to bridging the islands of authentication today.
    Corporations should not be running this operation full stop, in my opinion. This should be handled by Non Profit, fully regulated organisations.

    Anyway - there's loads out there to read about Passport / My Services and more and it's something everyone should look into themselves and get informed.


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts