Microsoft IT

eBay Retires MS Passport Sign-In 304

fihzy writes "eBay have announced they will retire Microsoft Passport Sign-In and .NET alerts. The Microsoft Passport Directory of Sites has been discontinued, too. Is Microsoft's Single Sign-On vision edging towards oblivion?"

  • by tajmorton ( 806296 ) on Wednesday December 29, 2004 @08:06PM (#11214398) Homepage
    Good Riddance to it!
  • well (Score:2, Insightful)

    by 0xdeaddead ( 797696 ) on Wednesday December 29, 2004 @08:06PM (#11214399) Homepage Journal
    On one hand it's cool if you forget your ID, because you use the site infrequently... On the other hand do you trust Microsoft that much?!
  • by Donoho ( 788900 ) on Wednesday December 29, 2004 @08:09PM (#11214414) Homepage
    Is Microsoft's Single Sign-On vision edging towards oblivion?

    It's been dead for a while, people are still cleaning up the carcass.
  • by prostoalex ( 308614 ) * on Wednesday December 29, 2004 @08:10PM (#11214422) Homepage Journal
    The idea is not that bad - instead of thousands of sites and message boards requiring registration, login and confirmation of the e-mail, have just one single entity provide and verify the virtual avatar.

    As a Webmaster, I would like to have some simple authentication solution, so that the users don't have to register in forums and what not to post. However, the implementation is just unacceptable:

    There are two fees for licensing Passport: a periodic compliance testing fee of $1,500 US and a yearly provisioning fee of $10,000 US. The provisioning fee is charged on a per-company basis.


    Small sites who would benefit from such service don't have $10,000 to throw around, and large sites, which do have the money, just will write their own username+password code.
  • nope (Score:3, Insightful)

    by Quasar1999 ( 520073 ) on Wednesday December 29, 2004 @08:10PM (#11214426) Journal
    Why bother to sign in to passport when each user will only run windows longhorn, and each user will have their own account, and the current active account can be queried by the website via some new fancy secure API initiative that will be in longhorn... thus forcing everyone to have to run longhorn in order to do so much as use ebay or amazon...

    or perhaps I am suffering from wearing a tinfoil hat too much... but I think I might be on to something... replace passport with something directly tied to windows that users have no choice in, since their machines have unique ID's, as do their accounts... they will not be able to be anonymous on the web, and said info will be used to make browsing easier for average joe q. public, meanwhile identifying every user out on the web... really sneaky... ;)
  • Re:well (Score:3, Insightful)

    by bulliver ( 774837 ) <bulliver@Nospam.gmail.com> on Wednesday December 29, 2004 @08:12PM (#11214449) Homepage
    Speaking personally, it's not that I mistrust Microsoft (which I do...) but rather I don't trust *any* password saving programs. Simply put, the more you trust these tools to carry your sensitive info, the more you give up your security and privacy.
  • by prostoalex ( 308614 ) * on Wednesday December 29, 2004 @08:15PM (#11214465) Homepage Journal
    Well, MS has single sign-in within their MSN zoo, but the idea was outside licensing to sites like eBay. I am not aware of any Yahoo! implementations on the sites outside of its own.
  • by BrynM ( 217883 ) * on Wednesday December 29, 2004 @08:18PM (#11214495) Homepage Journal
    a periodic compliance testing fee of $1,500 US
    I bet those periodic tests just became more frequent for the sites that are left. Geez! Why would anyone sign a contract with MS so MS could charge you $1,500 whenever they felt like making sure you were compliant. I bet they fine you for not being compliant as well!
  • by Tackhead ( 54550 ) on Wednesday December 29, 2004 @08:23PM (#11214521)
    > The idea is not that bad - instead of thousands of sites and message boards requiring registration, login and confirmation of the e-mail, have just one single entity provide and verify the virtual avatar.

    Bad idea, implementation irrelevant.

    Instead of having to compromise each site (presumably on a semi-secure server), have just one single entity provide and verify the virtual avatar... based on data resident on a machine administered so incompetently as to have six types of spyware and four spammer worms on it because the underlying operating system is as secure as swiss cheese.

    > Small sites who would benefit from such service don't have $10,000 to throw around, and large sites, which do have the money, just will write their own username+password code.

    ...thereby saving themselves $10K, thereby limiting the damage from compromise to Just One Site, and thereby offering better security to the end user by accident.

    I'm lucky in that I've got a good "mind" for (secure!) passwords and have no trouble remembering dozens of them.

    But even if I didn't... even if I wrote all my userid/password combinations on Post-It notes, a Post-It note resides in an area with reasonably secure physical access controls. Not so with a network-connected PC and a single-signon application.

  • by Myria ( 562655 ) on Wednesday December 29, 2004 @08:25PM (#11214527)
    Passport does have a lot of users, but only for Microsoft stuff. MSN, Hotmail, and Xbox Live, all very popular, use Passport.

    (Xbox Live's case is a little more complicated, but it does use Passport at its core.)

    Melissa
  • by SteeldrivingJon ( 842919 ) on Wednesday December 29, 2004 @08:31PM (#11214578) Homepage Journal
    Microsoft can trot out a list of companies participating in their latest 'innovation', but no matter how many companies sign up at the start, it really says nothing about the eventual likely success or failure of the system.

    Too many people (especially pundits) see such a list and take it as irrefutable evidence that the thing in question is destined to take over the industry.
  • by doodleboy ( 263186 ) on Wednesday December 29, 2004 @08:33PM (#11214583)
    Somehow Microsoft failed to consider that

    1) with their record of bad faith toward their own customers and their ongoing security lapses, most knowledgeable end users would not trust Microsoft to manage their personal information, and

    2) with their record of bad faith toward their own business partners and their ongoing security lapses, online retailers wouldn't relish the extra burden of sending a monthly tithe to Microsoft.

    Luckily Microsoft makes bazillions off Windows and Office and can throw a couple billion here and there on various schemes--gaming, set top boxes, what have you. They know as well as anyone that the commoditization of operating systems and productivity software is underway and they won't be able to maintain their margins forever. If they don't find a cash cow soon they'll be forced to (horrors!) make less money.
  • by turrican ( 55223 ) on Wednesday December 29, 2004 @08:40PM (#11214640)
    The thought of a single web-based logon for access to so many different entities kinda scares me... Especially once it spans across companies.

    It's sometimes irritating to remember a number of different logons/passwords, and maybe I'm just paranoid, but I prefer the compartmentalization that separate logons brings.
  • by WoTG ( 610710 ) on Wednesday December 29, 2004 @08:41PM (#11214646) Homepage Journal
    The Passport concept was, and still is good. I never gave MS's attempt a real chance, because I was annoyed of programs like MSN Messenger and XP Remote Assistance bugging/requiring me to get an account.

    Anyway, the idea of a simple username+passport system for the 99% of websites where we care about security "a little" does exist. I think Passport was overengineered. I suspect that most people will NEVER trust their bank passwords to the same system that holds their Slashdot passwords. Without that level of security, a lot of the engineering and compliance testing and associated costs aren't necessary.

    I would imagine that "all" that's needed is a big database, some public key system, and a client-side tool to fill in the login forms. It's not THAT tricky.

    I'm imagining someone like Google being able to offer this with relative ease. The GoogleToolbar can handle the client-side for automatic logins, or each site can provide an alternate manual login form. Google can easily handle the distributed database and web services stuff. And the free publicity would be excellent - a lot of smaller sites already have Google Logos for their site search, adding one on the login forms is probably reasonable.
  • by Osty ( 16825 ) on Wednesday December 29, 2004 @08:45PM (#11214677)

    On top of that I used their hotmail account to register for the Passport, since that's their recommended option. I never use Hotmail for my daily webmail, in fact, the only message I have there is a thank-you for signing up. The bozos from hotmail kept threatening me with turning off the account, and they did execute their threats every 90 days. So unless I remember to log in to the Hotmail account, which I never use, I lose my passport, and have to go through easy but still frustrating retrieval system at hotmail.

    You don't need to use a hotmail.com or msn.com email address to get a Passport. Any email address will work.

  • Bad idea anyway. (Score:4, Insightful)

    by AnotherBlackHat ( 265897 ) on Wednesday December 29, 2004 @09:20PM (#11214849) Homepage
    I don't want my password to be stored on a computer.
    If I did, I would want it to be my computer.
    If I didn't want it to be my computer, I wouldn't want it to be on a computer I had to pay for.
    And even if I were willing to pay for the inconvenience of having someone else be in control of my passwords, I wouldn't want that person to be Microsoft.

    Passport was based on a flawed premise:
    The reason we don't provide personal information to every site that asks for it isn't because it's too hard to type it in.

    -- Should you believe authority without question?
  • by killjoe ( 766577 ) on Wednesday December 29, 2004 @09:29PM (#11214894)
    Although MS has suffered from a lot of spectacular failures lately, anything they do is in danger of becoming main stream. A monopoly on the desktop and office software is a tremendous weapon to wield against the rest of the world.
  • Re:nope (Score:3, Insightful)

    by killjoe ( 766577 ) on Wednesday December 29, 2004 @09:37PM (#11214932)
    What in MS history leads you to think that they would adapt a free and open source identity system? I mean have they adopted any standard without extending them?

    Even if they did push for something like that do you really expect MS to follow their own standards?
  • by Anonymous Coward on Wednesday December 29, 2004 @10:48PM (#11215391)
    The ebay article doesn't give a reason for the retirement. Though lack of interest could be the obvious reason. There is also the possibility of ebay not wanting to link to their next major competitor. We all know that Bill gets up every morning and asks "W W W on the wall who is moving in on me owning it all?"
  • Re:nope (Score:2, Insightful)

    by skrolle2 ( 844387 ) on Thursday December 30, 2004 @12:08AM (#11215873)
    Why bother to sign in to passport when each user will only run windows longhorn, and each user will have their own account, and the current active account can be queried by the website via some new fancy secure API initiative that will be in longhorn... thus forcing everyone to have to run longhorn in order to do so much as use ebay or amazon...

    That was actually EXACTLY the goals of Windows XP, its integration with the .Net Passport, and the .Net development portfolio. Microsoft's vision was that every windows XP account was to be tied to a .Net Passport which would require users only to log on to their computer, and then while visiting every other Passport-enabled website they would automatically and transparently be signed in, and all participating websites would automatically have access to aggregated user information about you through the centralized Passport system.

    Be happy it failed. Be happy that users saw it for the privacy nightmare it was, and be happy that companies saw it for the information grab it was.
  • by Qzukk ( 229616 ) on Thursday December 30, 2004 @12:18AM (#11215942) Journal
    Have a key stored on that card and encrypt the login information on the card itself, don't store any information on the computer itself.

    This would have worked for about 30 minutes before someone would have modified a worm to spy on the smartcard-reading-process.
  • by gad_zuki! ( 70830 ) on Thursday December 30, 2004 @12:36AM (#11216040)
    There's no way I'm carrying a card around to log into some phpBB board.

    Password managers are a pretty ideal solution. People tend to have a super-secret password for their bank account and crap passwords for noisy boards. My browser does a good job at storing them.

    This is a solution looking for a problem more than anything.
  • They are bad (Score:2, Insightful)

    by david einstein ( 844660 ) on Thursday December 30, 2004 @12:47AM (#11216111)
    The people at Microsoft are such bullies.. Now give me a bunch of points for being insightful or i'll beat the shit out of you. Now don't tell anyone we had this conversation
  • by Anonymous Coward on Thursday December 30, 2004 @05:24AM (#11217382)

    This, and the new MS push for signed code as a way of supposedly achieving security (as on the XBox) is all about one thing: MS wants to find a way to own some really important crypto keys. If they own private keys that MUST be used in order for the world to continue functioning, then they get huge amounts of free money with little effort.

    For example, take the XBox. To run code on it, you have to have your code signed by Microsoft. For this, they have a private key (whose matching public key every XBox knows). Now they control access to the platform, and if anyone at all wants to sell software that runs on the platform, they must go through Microsoft. And there will be a "small" fee for getting Microsoft to evaluate your code, determine it really is safe, and sign it (or issue a certificate that allows you to sign your own code). Just a nominal fee, not really huge, just enough to make all the people at Microsoft filthy rich.

    So, Microsoft is already doing this on the XBox, and their plan is (I think) to spread this wider and wider. Passport failed, but XBox works, and they will at some point try to add this to Windows under the guise of better security (even though it's not -- the XBox has proven that one exploit that allows you to run arbitrary code lets you circumvent the whole system). The goal is to control authentication "on behalf" of other programs, because then you can force everyone who writes any software for the platform to give you money. (All the better if MS can use the RIAA's and MPAA's fears to get them to lobby to restrict individuals' rights to run arbitrary code on their computers.)

  • by majid_aldo ( 812530 ) on Thursday December 30, 2004 @05:50AM (#11217465)
    email and IM; authenticate using them. this is happening already when you click "forgot password?" and the password is sent to your email. so, in effect your email password is like your only password. changing your email password is kind of like changing ALL your passwords.

    why?
    the only common communication channel on the internet is email and -a bit less so- IM.
    eg.: each time you sign on to a site you can get a different password for each time you log in via email or IM.
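
The per-login password sent by email or IM that the comment above describes, sketched as an added example that is not part of the original thread or any poster's code. The class name, the 10-minute lifetime and the in-memory store are assumptions; delivery of the code to the user is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600  # assumed validity window for a delivered code


class OneTimeLoginCodes:
    """Issues a different login code per sign-in, to be sent by email or IM."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested
        self._pending = {}    # address -> (sha256 of code, expiry timestamp)

    def issue(self, address):
        """Create a fresh code for this address; any older code is replaced."""
        code = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[address] = (digest, self._clock() + CODE_TTL_SECONDS)
        return code  # the caller delivers this; only its hash is stored

    def redeem(self, address, code):
        """Return True once for a valid, unexpired code, False otherwise."""
        # pop() makes every code single-use; a wrong guess also burns it,
        # which caps guessing at one attempt per issued code.
        entry = self._pending.pop(address, None)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._clock() > expires_at:
            return False
        candidate = hashlib.sha256(code.encode()).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(candidate, digest)
```

As the comment notes, the mailbox becomes the single credential under this scheme: whoever can read the address can redeem the code.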
