Microsoft has announced the release of Windows Live ID Web Authentication. This means that WLID (formerly known as Passport) is now open to third-party websites to use as their authentication system. Any Windows Live user can potentially log in to a website that implements Web Authentication. Interestingly, sample implementations are available in Ruby, Python, Perl and PHP, among other open source languages; they were tested on openSUSE 10.2 but are expected to work on any platform that supports these languages. More details are available in the SDK documentation.
Hands done, this is a pretty neat offering.
Hands done. Just the rest of the body to go.
I can’t think of a single person that thinks passing off their authentication/personal information to a third-party website is a good thing. If I want to log into site X, I am going to log into site X with my unique username and password, not through one central point of weakness.
Really, in this age of identity theft, they should know better than to be trying to promote this kind of technology.
Good point.
I’ll pay that. Good point really. I still think it’s neat they’re offering it though.
Do those third party sites actually get your password though? I would think they don’t, they just use MS’s service which validates your login. Your password would still be stored only with Microsoft, at least I would think. Otherwise you’re right, it would be a big security risk.
It is a terrible idea to store a password. Much better to store only a representation, such as an MD5 or SHA1 of the password.
Actually, I prefer encrypting data solely owned by the owner, with the owners password.
It depends on the data. Often the website system has to be aware of the content of the users data (when they aren’t logged in) in order to work.
Actually, you’re about 3 years out of date. SHA1 and MD5 passwords can be guessed using Rainbow codes. You should encrypt a password hash, or use some other, private obfuscation method to prevent rainbow cracking.
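As an added example, not code from the thread or from Microsoft's SDK, the following shows what the exchange above is about: a bare SHA-1 of the password gives every user with the same password the same stored value, so one precomputed (rainbow) table recovers all of them, while a random per-user salt plus an iterated KDF makes a precomputed table useless. The wordlist and user names are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000

def store_unsalted(password: str) -> str:
    """The scheme proposed in the thread: a bare SHA-1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()

def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Random per-user salt plus an iterated KDF; the stored value is never
    a bare digest of the password, so no precomputed table can match it."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# A toy precomputed ("rainbow") table: constructed sample data, not a real
# wordlist. One table like this reverses every unsalted hash of these words.
COMMON = ["password", "123456", "letmein", "qwerty"]
TABLE = {store_unsalted(p): p for p in COMMON}

def lookup(stored: str) -> Optional[str]:
    """Reverse a stored value with the table; None means the table is useless."""
    return TABLE.get(stored)

if __name__ == "__main__":
    # two users (constructed) who chose the same weak password
    alice, bob = store_unsalted("letmein"), store_unsalted("letmein")
    print("unsalted: same value for both:", alice == bob, "-> recovered:", lookup(alice))
    alice_s, bob_s = store_salted("letmein"), store_salted("letmein")
    print("salted: same value for both:", alice_s == bob_s, "-> recovered:", lookup(alice_s))
    print("verify right/wrong password:", verify_salted("letmein", alice_s),
          verify_salted("nope", alice_s))
```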
The password is only stored with Microsoft; the website can make calls to pull user information, if it is relevant: credit card information, color theme. Also, with this authentication you can add Live services to your website, so that, for example, if you signed in to OSNews you would be able to access your email or contacts right in OSNews without having to open a separate Windows Live Hotmail window.
There’s lots of places where not having an extra password to remember would be a real boon, without being a major security risk. Web forums for one. Also, I imagine Microsoft’s servers are more secure than anything this would replace (I can feel the flames...), and once your credit card data has been nabbed, what more harm can be done?
As far as I know, the sites that implement it never get your password. Microsoft simply tells the site that you are a valid live user.
Where is the weakpoint?
The Live part?
If your password gets stolen, or your ‘valid Live identification’ gets spoofed, the end result is the same regardless.
Right. How is that any different from your password getting stolen for any specific site?
There’s a huge difference between having the same identity on all sites and having different identities on all sites.
The biggest flaw in having one ID mechanism is having one ID mechanism.
EDITED: Ought to add that having your cross-site ID stolen means your ID is stolen for all sites using that mechanism, whereas using a non-cross-site mechanism leaves you with a more fragmented but also safer solution. Only the site where your login handle and password are broken will be unsafe. All the others will be safe (if you have remembered NOT to use the same password for all sites).
Almafeta is quite right on this issue (did I really write that!?), and me agreeing with him is rarer than me agreeing with you.
OpenID suffers from the same problems, because they stem from the nature of such global solutions.
Edited 2007-08-17 16:21 UTC
Problem is though, that we’re human and the majority of us will not remember 20 different passwords for the sites we go to on a regular or occasional basis.
Most people I know use the same 3 or 4 passwords all the time. But then some sites let you create a username while others want your email, etc… It becomes hard to keep track of that stuff.
So from a practical point of view, MS’s initiative is a good idea.
From a security point of view, I suppose you have to decide if you prefer Microsoft’s site to have your information and let sites you authorize access it on a need-to-know basis, or if you want a multitude of sites to have a subset of your information.
Quite frankly it seems there’s no ultimately secure option other than not giving your information to anybody. Because in the end you have no way to prevent some dude working for some website you shop at from getting his laptop stolen from his car with a backup of the site’s database on it…
And as for MS’s possible hidden agenda in doing that, I suppose it’s another way to gather marketable stats about what people do and like so you can better target your advertising.
If I set up my own Open ID server, I could assign one set of login credentials for Site A, another for Site B, and yet another for Site C.
If someone was able to break into Site B’s database server and siphon off the credentials of all Site B’s customers then my credentials for Site A and Site C would be unaffected. However, if I was like John Doe and only used a single set of login credentials for every site I used it would be a major issue as all sites I used would be affected.
Would I personally use MS’s authentication system? No – I can fully understand why plenty of other people would though. Proper security is a fine ambition, but if it’s not simple enough for the public to use it then it’ll be rendered virtually useless.
>> As far as I know, the sites that implement it never get your password. Microsoft simply tells the site that you are a valid live user.
What about phishing? The website may say the password is going straight to Microsoft, but how difficult is it for someone to set up a spoof site which accepts your username and password and then logs you in?
I am sure it is possible to overcome most of the risk; however, how do you train the users to spot phishing attempts?
>> What about phishing? The website may say the password is going straight to Microsoft, but how difficult is it for someone to set up a spoof site which accepts your username and password and then logs you in?
That’s a completely separate problem that can’t really be addressed with this.
You shouldn’t log in to a site you don’t trust. If you go to a site that is spoofing a site you DO trust, you have bigger problems.
It could be more secure. People tend to reuse logins and passwords anyway – that way your identity is effectively only as well protected as the protection of the weakest link. Too often in the last years have I seen warnings on websites that they were hacked and someone made off with a userlist and unprotected passwords.
MS in this case is in the business of selling trust. Like a bank, they offer a certain level of security and in turn you allow them to manage your identity (like the bank manages your financial identity). It all depends what you prefer: all your money in the bank, or hidden around your house under the mattress, in the sock drawer, …
So far Microsoft’s Live ID has proven to be not particularly safe. Using Live ID (or any other such global ID) pretty much equals using the same login handle and password for all websites. Perhaps it is a bit safer than having a lot of identical login handles and passwords for a lot of semi-insecure websites, but global IDs are still less safe than different login handles and different passwords.
We already have OpenID. Isn’t it trustworthy or useful enough, and already used at many websites (like Livejournal)?
Of course it is. Alternatives are obviously an evil thing.
I would like to think that eventually Microsoft will be able to work to make the two ID standards communicate together, like they did with Yahoo regarding IM clients.
They’ll do part of that—they’ll make WLID an OpenID provider. Everyone will get name.passport.com or something as their OpenID.
Will they ever let you sign up and log into Hotmail or Messenger with an OpenID, though? Not a chance in hell.
Here is one opinion about OpenID:
http://miksovsky.blogs.com/flowstate/2007/08/openid-great-id.html
Great link for someone unfamiliar with OpenID. Thanks.
This gives every Hotmail, MSN and Windows Live user an easy way to sign into a site.
I know some people try to avoid MS-related sites, but there are a lot of users that have an ID already (160 million, and that was in 2001).
For example, this can be used for requesting information from a small business’s website that is hosted on pretty much any operating system, so the user will not have to fill out a long form or credit card information, or even web applications so you can save your settings without a cookie.
http://www.openid.net
Q1: What is OpenID?
OpenID is an open, decentralized, free framework for user-centric digital identity.
OpenID starts with the concept that anyone can identify themselves on the Internet the same way websites do: with a URI (also called a URL or web address). Since URIs are at the very core of Web architecture, they provide a solid foundation for user-centric identity.
The first piece of the OpenID framework is authentication — how you prove ownership of a URI. Today, websites require usernames and passwords to login, which means that many people use the same password everywhere. With OpenID Authentication (see specs), your username is your URI, and your password (or other credentials) stays safely stored on your OpenID Provider (which you can run yourself, or use a third-party identity provider).
To login to an OpenID-enabled website (even one you’ve never been to before), just type your OpenID URI. The website will then redirect you to your OpenID Provider to login using whatever credentials it requires. Once authenticated, your OpenID provider will send you back to the website with the necessary credentials to log you in. By using Strong Authentication where needed, the OpenID Framework can be used for all types of transactions, both extending the use of pure single-sign-on as well as the sensitivity of data shared.
Beyond Authentication, the OpenID framework provides the means for users to share other components of their digital identity. By utilizing the emerging OpenID Attribute Exchange specification (see specs), users are able to clearly control what pieces of information can be shared by their Identity Provider, such as their name, address, or phone number.
Today, OpenID has emerged as the de-facto user-centric identity framework allowing millions of people to interact online. With programs such as the I Want My OpenID Bounty, developers of Open Source projects are rapidly adding support for OpenID in order to enable their communities.
Q2: Who owns this?
Nobody should own this. Nobody’s planning on making any money from this. The goal is to release every part of this under the most liberal licenses possible, so there’s no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we’re all a part of the community.
Or *shock* Project Liberty!
Not to sound completely redundant, but there is already one set up with major backing; why re-create yet another technology simply to ‘stick it to the man’?
Frankly, I think that centralized authentication is a *horrible* idea. But it is something that people *will* buy into. When security and convenience collide, convenience will win, hands down.
Microsoft’s offering is a given. I hope that everyone else can get behind one other “solution”.
After the slaughter that will likely result from everyone’s identity being stored in one place… the web will likely rebound back to everyone having their own auth mechanisms.
Hence the reason why Project Liberty is actually gaining traction over Microsoft’s: because it is federated, those who have the information can control what information is shared. It also allows the end user to control what is shared.
Like I said, the specifications are there. The problem is, there is a giant grab to get the technology to allow control over the information centrally; from what I see, it has nothing to do with competition and everything to do with many vendors wanting to control all the information. Neither is going to win major commercial backing if that is ultimately the approach taken.
There have been many “slaughters” in the past: people got their credit card numbers stolen, their email read by unauthorized persons and even deleted. That changed nothing and never will. As you said, when security and convenience collide, convenience will win, hands down.
As far as security is concerned, nothing stands in the way of centralized authentication.
As long as you have your web hosted, you are at the mercy of the provider’s personnel anyway; they can sell your data, or simply be sloppy with basic security.
Reliability is another problem. If the ID provider is unreachable, your web is not accessible.
I choose not to use Microsoft products at home.
I have to use some of their software at work, but so far that has not required me to give Microsoft any personal details.
If I decide to load up a site like this one for example, and the site asked me for my Microsoft ID, I would leave the site and never re-visit.
I did of course register for this and other sites, but if site designers take the lazy way out and expect someone else to do the validation etc. for them, how long is it going to be before Microsoft IDs can only be used with Microsoft products?
>> .. to load up a site like this one for example, and the site asked me for my Microsoft ID, I would leave the site and never re-visit.
Man, don’t give them any personal info, just create a bogus Hotmail account with a fictional name etc. and use that.
Just because they ask for your info doesn’t mean you gotta be honest.
Because, as we all know, dishonesty is the best policy. 🙂
Has the Internet made us all this nasty, or has it simply exposed us for what we are?
>> Because, as we all know, dishonesty is the best policy. 🙂
I think of it more as protecting yourself from spam and the possibility of identity theft. The less of yourself you *put* online the less of a chance you’ll have problems later.
>> Has the Internet made us all this nasty, or has it simply exposed us for what we are?
Companies have conditioned this behavior through the selling of our information and the constant bombardment of advertising.
There is nothing nasty about protecting yourself or ‘opting out’ of possible marketing by entering incorrect information.
What reason should someone need my home address when all I want to do is sign in to a forum on the net? None that I can think of! 🙂
Ha! Is all I can say. Microsoft in re-active mode again.
Passport has been languishing for _years_. So much so that many sites that had originally signed up dropped it (eBay for example). Now that OpenID is starting to appear on the web, Microsoft does an about-face and declares their standard “open” too!
Why is it necessary? I do not understand.
All things considered, I think for anyone wanting to boost their user base, or anyone just starting out, it is a great idea: access to a big member base right from the start. One thing on the table from Microsoft which isn’t bollocks.
MS can’t even make it work consistently across their own sites. Logging in to MS Connect can take a long time, usually with the system message “waiting for MS Passport”. Or when trying to log in to TechNet: “Sorry, Passport service not available, try again later.”
I just can’t imagine this spreading far.
I’ve been using Passport/Live for a while on various sites with no problems.
The only time I have seen Passport take a while is when Microsoft did a new drop in the Vista beta where you have 10,000 kids all pressing F5 at the same time to get it first. And even with that their servers still held up well.
The real problem here is spam. Now every site that you go to that has Live will have your mail address. I don’t want to use the same user name that my email address uses. That way I avoid a lot of the spam. Plus Hotmail is horrible at spam detection.
Hotmail spam detection is not about preventing spam but about forcing website owners to pay $1000s subscription to some whitelist.
So MS can tell what sites you visit, what groups you belong to, etc., and possibly SELL that information to others or use it for their own dastardly deeds. I choose OpenID. So when will OSNews be using OpenID?????
“I still don’t know the market” So they say.
Nice, so now if I use this for access to a system for my company, and force everyone to use this, that could be a good thing: I only have to control the email addresses for access, never passwords and that stuff. Great.
And if I log every username and password for debugging, I suddenly have access to 200+ Hotmail accounts. I also have access to every other service that uses this auth, if I only know which ones.
The last one is a really good reason for not using this, and I am not bashing Microsoft for this.
Yahoo also already has a scheme in place that sites can leverage for global ID, most probably much like what MS is offering.
Is Project Liberty gaining any traction in the consumer space? I know they have the technology, but I don’t know of anyone providing centralized or public services; rather, it seems more that enterprises are using it for internal systems.
The problem with OpenID is that not everyone has a web address, so that doesn’t work for Ma and Pa Hatfield.
Also, there’s no reason that a centralized system need give ANY personal information beyond a unique ID, and the unique ID can be specific to the user and the client site (so on xyz.com, I’d have unique id 1234, but on abc.com it would be 4567). The user at the ID server can be used to selectively provide personal information as needed.
And any interchange between client and ID server would all be authenticated through keys and what not.
So, with a solid system, the client sites have no direct access to any personal information, any information regarding shared sites (other sites the user has used, for example), etc.
However, the central ID server WOULD be able to track that information, as it has to respond to all of the requests. So, there is some centralization of traffic data, at least login data, but it could be constant data.
Finally, a central ID server need not necessarily support Single Sign On — that could be up to the client site whether it wants to participate in that or not.
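As an added example, not code from the thread, from Microsoft or from the OpenID project, the following sketches the design this post describes together with the redirect-and-return flow the OpenID FAQ quoted earlier outlines: the provider checks the password itself and hands the site only a signed assertion carrying a site-specific pseudonymous ID, so the site never sees the password, two sites cannot link the same user, and only the provider's own log records who logged in where. The class names, the assertion layout ("json.hexsignature") and the per-site HMAC key shared out of band are assumptions for illustration.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Dict, List, Optional, Tuple

KDF_ROUNDS = 100_000

class IdentityProvider:
    """Holds the credentials; hands sites a signed assertion, never the password."""
    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, digest)
        self._site_keys: Dict[str, bytes] = {}            # site -> HMAC key (assumed shared out of band)
        self._pairwise_secret = os.urandom(32)            # derives per-site IDs
        self.login_log: List[Tuple[str, str]] = []        # what only the provider can observe

    def register_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS))

    def register_site(self, site: str) -> bytes:
        self._site_keys[site] = os.urandom(32)
        return self._site_keys[site]

    def pairwise_id(self, user: str, site: str) -> str:
        # stable for one site, unlinkable across sites without the provider's secret
        return hmac.new(self._pairwise_secret, f"{user}\x00{site}".encode(), "sha256").hexdigest()[:16]

    def authenticate(self, user: str, password: str, site: str) -> Optional[str]:
        """Return 'json.signature' addressed to `site`, or None if the login fails."""
        rec = self._users.get(user)
        if rec is None or site not in self._site_keys:
            return None
        salt, digest = rec
        if not hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)):
            return None
        self.login_log.append((user, site))
        body = json.dumps({"sub": self.pairwise_id(user, site), "aud": site, "iat": int(time.time())}, sort_keys=True)
        return body + "." + hmac.new(self._site_keys[site], body.encode(), "sha256").hexdigest()

class RelyingParty:
    """A site that trusts the provider: it checks the assertion and never handles a password."""
    def __init__(self, site: str, key: bytes) -> None:
        self.site, self.key = site, key

    def verify(self, assertion: str, max_age: int = 300) -> Optional[str]:
        """Return the site-specific subject ID, or None if forged, misdirected or stale."""
        body, _, sig = assertion.rpartition(".")   # hex signature contains no '.'
        expected = hmac.new(self.key, body.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None                             # tampered, or signed for another site
        claims = json.loads(body)
        if claims.get("aud") != self.site or time.time() - claims.get("iat", 0) > max_age:
            return None                             # replayed elsewhere, or too old
        return claims["sub"]
```

Run against two registered sites, the same user gets two unrelated subject IDs, an assertion issued for one site is rejected by the other, and a single flipped signature character is rejected.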
To be honest, as an ASP.NET developer, this is pretty useless to me. It’s not integrated with the ASP.NET infrastructure, so it needs hacks.
I would have expected more from Microsoft. Hope there will be a *usable* Live ID SDK 2.0.