Do those third party sites actually get your password though? I would think they don't, they just use MS's service which validates your login. Your password would still be stored only with Microsoft, at least I would think. Otherwise you're right, it would be a big security risk.
The password is only stored with Microsoft. The website can make calls to pull user information or if it is relative credit card information, color theme. Also, with this authentication you can add Live services to your website, such as if you signed into osnews you would be able to access your email or contacts right in osnews without having to open a separate Windows Live Hotmail window.
There's lots of places where not having an extra password to remember would be a real boon, without being a major security risk. Web forums for one. Also, I imagine Microsoft's servers are more secure than anything this would replace (I can feel the flames..), and once your credit card data has been nabbed, what more harm can be done?
If your password gets stolen, or your 'valid Live identification' gets spoofed, the end result is the same regardless.
>> As far as I know, the sites that implement it never get your password. Microsoft simply tells the site that you are a valid live user.
What about phishing? The website may say the password is going straight to Microsoft, but how difficult is it for someone to set up a spoof site which accepts your username and password and then logs you in?
I am sure it is possible to overcome most of the risk; however, how do you train the users to spot phishing attempts?
It could be more secure. People tend to reuse logins and passwords anyway - that way your identity is effectively only as well protected as the protection of the weakest link. Too often in the last years have I seen warnings on websites that they were hacked and someone made off with a userlist and unprotected passwords.
MS in this case is in the business of selling trust. Like a bank they offer a certain level of security and in turn you allow them to manage your identity (like the bank manages your financial identity.) It all depends what you prefer, all your money in the bank or hidden around your house under the mattress, in the sock drawer, ...
So far Microsoft's Live ID has proven to be not particularly safe. Using Live ID (or any other such global ID) pretty much equals using the same login handle and password for all websites. Perhaps it is a bit safer than having a lot of identical login handles and passwords for a lot of semi-insecure websites, but global IDs are still less safe than different login handles and different passwords.






I can't think of a single person that thinks passing off their authentication/personal information to a third party website is a good thing. If I want to log into site X, I am going to log into site X with my unique username and password, not through one central point of weakness.
Really, in this age of identity theft, they should know better than to be trying to promote this kind of technology.