Stamping Passport
Mark Burnett, 2005-01-10

Microsoft can save its ailing authentication service, but only by scaling back its expectations on what kinds of accounts Passport is fit to secure.

Stamping Passport 2005-01-10
Anonymous
Stamping Passport 2005-01-10
Todd Knarr
Stamping Passport 2005-01-10
Tommy Ward
Confusing article 2005-01-11
Nandkumar Saravade
Stamping Passport 2005-01-11
Anonymous
little market for passport 2005-01-11
pixel
outside of Microsoft themselves. sure it has 200,000,000 users, that's anyone on Hotmail, MSN etc. even Slashdot has millions of users...

the lazy (or just not clued in) end users will simply use the same (probably ridiculously simple) password everywhere, and most likely tell their web browser to remember it,

and the people who care about their personal data (especially authentication info) will want to control it even if they use a convenience agent (example, Firefox's password manager or OS X Keychain) when they can back up such a thing. this would work on all web sites whether they used Passport or not.

this leaves something of an in-between market. said user wants to take some level of precaution, and have their authentication accessible from anywhere, but is not concerned with hostile client software (bugged computers etc.) possibly because the data on Passport is not sensitive (NY Times login) and/or they simply don't think they'll even encounter such a thing. (the careful users who use multiple computers would copy or re-enter their info between the few trusted systems)

in the latter case (they don't think they'll encounter such a thing) said user's been living under a rock (malware, hardware keyloggers etc.), but is at least making some effort. the former case (non-sensitive data), is, i believe, Passport's majority of market outside of Microsoft itself, and what the author seems to be referring to.

for this, the site admins have to go through expensive hoops when they can simply make a name / password table in whatever database they're probably using anyway? not to mention having a remote point of failure... even if the Passport service is highly reliable, why have one when it brings no benefit? for most of these sites, like NY Times, there's no point in having a non-obvious password anyway. (1)

Passport was intended to be used for ecommerce and similar transactions. (where it would make sense to have a trusted third party, especially if the vendor had not established a good reputation) and in that, it was a failure for the reasons already mentioned. today, there's not a lot going for it either. the promise of single sign on to the web is moot. it already exists in several forms.

even Microsoft seems to have resolved themselves to this. it will be like Yahoo's single sign on to their services.

(1) why yes, we all live in Beverly Hills, Nebraska and make over $100,000 USD selling shoes...

Copyright 2007, SecurityFocus