Stamping Passport
Mark Burnett, 2005-01-10

Microsoft can save its ailing authentication service, but only by scaling back its expectations on what kinds of accounts Passport is fit to secure.

Stamping Passport 2005-01-10
Anonymous
Stamping Passport 2005-01-10
Todd Knarr
Stamping Passport 2005-01-10
Tommy Ward
Confusing article 2005-01-11
Nandkumar Saravade
Stamping Passport 2005-01-11
Anonymous
"I'm sorry, what!? How can you possibly think that having a single point of failure for numerous sites is better than having multiple points of failure for single sites?"

One point is definitely more secure than multiple points *if* you're using the same username/password pair on all the sites. Passport needs to be broken in the first case, whereas *any* of the other sites need to be broken in the second; think multiple high-profile (non-tech) websites, a couple of forums, Slashdot, a few backwater special-interest sites - any of those go individually, the whole lot go. Believe me, your username/password pair will be put into a cracker's dictionary and tried against all the usual subjects (Amazon, eBay, Hotmail) as well as any other site the cracker's interested in.

I don't know if it's true, but Passport, being from Microsoft, smells like you'll need Microsoft servers to make it work (IIS, Win2k, Active Directory, etc.). Can you make use of a Passport login on your basic website running LAMP? If not, that's another barrier to entry.
There's also the dirty tricks worry - that Passport will only ever "just about work" with non-Microsoft clients, with only Microsoft clients being able to make full use of any new features.
What about Liberty Alliance? This sounds like a much better solution, but I hardly ever hear anything about it. And that at some point it will be politic for Microsoft to outright break some product that competes in a different market.




Link to this comment: http://www.securityfocus.com/comments/columns/290/29904#29904
little market for passport 2005-01-11
pixel







 

Copyright 2008, SecurityFocus