One of the more thankless jobs at MSN Windows Live is to work on the Passport team. Many of the product teams that are customers of the service tend to view it as a burden, myself included. One of the primary reasons for this is that instead of simply being the username/password service for MSN Windows Live, it is actually a single sign-in system which encompasses a large number of sites besides those owned by Microsoft. For example, you can use the same username and password to access your email, travel plans or medical information.

Trevin Chow of the Passport team has written a blog post entitled Why does Passport sign-in suck? where he addresses one of the pain points its customers face due to its legacy as a single sign-in system. He writes:

Q: Why do you keep asking me to sign in over and over again even though I've checked "automatically sign me in"?  What don't you understand about "automatic"?!
 
One of the biggest problems we see in the network of MSN, Windows Live and Microsoft sites is that Passport sign-in is seen way too often by users. It appears as if we are disregarding your choice of "automatically sign me in" and randomly asking you to sign in when we want with no rhyme or reason...
 
Passport sign-in 101
Passport sign-in is based on cookies. Because HTTP is stateless, we have only 2 ways of persisting information across requests -- the first being to carry it on the query string, and second via HTTP cookies. The first method (query string) isn't useful across browser sessions (open IE, close it, and re-open), which leaves us only option 2 (cookies). Cookies are the mainstay of modern web sites, and allow very powerful personalization and state management. Passport leverages this to provide the world's largest web authentication (aka sign-in) system in the world.
 
Passport first validates your identity by validating your "credentials" (email address and password combination) that you typed in on our sign-in UI. Once validated, Passport uses cookies in the passport.com and the partner's domain (e.g. www.live.com, MSN Money, MSDN) to vouch for your identity. The cookies in our partner's domain act as assertions that you are who you say you are. Because each partner site trusts Passport, the sign-in authority, assertions about a user's identity from Passport are also trusted by the partner.
...
After you sign into one partner site in the "passport network", users can freely go to subsequent partner sites and sign in. This is where the magic of Passport comes into play and single sign-on is achieved.  When you visit another partner site, and click "sign in" you are redirected to Passport servers. Because you already authenticated once to Passport (represented through your passport.com cookies), we don't need to validate your credentials again and can issue a service ticket for this new partner website.
 
But Trevin, you just said that "because you already authenticated once to Passport <snip>, we don't need to validate your credentials again...". That clearly isn't the case since I seem to keep getting asked for my password!
 
In the last section, especially the last paragraph, I purposely left out some detail for simplicity. We can dive into more detail now that you have a better high-level understanding of the flow of passport sign-in.
 
In order to have a secure single sign-on system, you simply cannot have one prompt for a login then be able to access any site.  It sounds counter-intuitive, since that's what "single sign-on" seems to imply.  This would only be possible if every single website you accessed had the same level of security and data sensitivity.  We all know that this is not the case, and instead, sites vary in the level of security needed to protect it. 
 
On the lower end of the spectrum (least sensitive), we have sites like www.live.com, which is merely personalization. In the middle, we have sites like Live Mail, which has personal information such as email from your friends. On the extreme end of the scale (most sensitive) we have sites like Microsoft Billing which contains your credit card information. Because of these varying levels of data sensitivity, each site in the Passport network configures what we'll call their "security policy" which tells Passport parameters to enforce during sign-in which is supposed to be directly related to their data sensitivity -- the more sensitive the information therein, the "tighter" the security policy.
...
All our partner websites currently have a mis-matched set of security policies, each set at the discretion of their team's security champ. It's because of the inconsistent security policies that you keep getting asked for your password over and over.
 
Wow, so this sounds like a tough problem to solve.  How are you going to fix this? 
 
Our team is absolutely committed to making the sign-in experience the best on the internet. To fix this specific problem, our team is moving to a centralized definition of security policies. What does this mean? Instead of each partner website telling us the specific parameters of the security policy (such as time window), they instead will tell us an ID of a security policy to enforce, whose definition will be on the Passport sign-in servers. This means that by offering a limited set of security policies we limit the mistakes partner websites can make, and we will inherently have more consistency across the entire network for sign-in. Additionally, it gives us more agility to tweak both the user experience and security of the network since Passport is in total control of the parameters.
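A small model of the re-prompt behaviour Trevin describes, added here as an illustration (it is not Passport's code or Trevin's): each partner's policy window decides whether the existing passport.com authentication is fresh enough for a silent service ticket, and replaying one browsing session shows how ad hoc per-partner windows produce extra prompts while a central policy table keeps the billing site tight without re-prompting on the portal. Partner names, policy ids, windows and the visit sequence are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Centralized policy table: policy id -> max seconds since the last password check.
# Ids and values are constructed for this example, not Passport's real definitions.
CENTRAL_POLICIES: Dict[str, int] = {
    "low": 24 * 3600,    # personalization only
    "medium": 4 * 3600,  # personal data such as mail
    "high": 5 * 60,      # billing / payment data
}

@dataclass
class PassportState:
    """What the passport.com cookie stands for: when credentials were last validated."""
    last_password_check: int  # epoch seconds; a very old value means 'never signed in'

def sign_in(state: PassportState, max_age: int, now: int) -> str:
    """Passport's decision when a partner redirects the user to it with its policy window.
    Fresh enough -> issue a service ticket silently; otherwise prompt for the password."""
    if now - state.last_password_check <= max_age:
        return "ticket"
    state.last_password_check = now  # user re-enters the password (assumed correct)
    return "prompt"

def count_prompts(windows: Dict[str, int], visits: List[Tuple[str, int]]) -> int:
    """Replay (partner, time) visits under per-partner windows; return prompts the user saw."""
    state = PassportState(last_password_check=-10**9)
    return sum(sign_in(state, windows[p], t) == "prompt" for p, t in visits)

def windows_from_policy_ids(assignment: Dict[str, str]) -> Dict[str, int]:
    """Partners name a policy id; the actual window comes from the central table."""
    return {partner: CENTRAL_POLICIES[policy] for partner, policy in assignment.items()}

# Constructed scenario: each partner's security champ picked its own window (seconds).
AD_HOC_WINDOWS = {"portal": 60, "mail": 600, "billing": 300}
# The same partners after moving to centralized policy ids.
CENTRAL_ASSIGNMENT = {"portal": "low", "mail": "medium", "billing": "high"}
# One user's browsing over 40 minutes: (partner, seconds since start).
VISITS = [("portal", 0), ("mail", 120), ("portal", 300), ("mail", 1000),
          ("portal", 1100), ("billing", 1200), ("mail", 1500), ("portal", 2400)]

if __name__ == "__main__":
    print("ad hoc policies:", count_prompts(AD_HOC_WINDOWS, VISITS), "prompts")
    print("central policies:",
          count_prompts(windows_from_policy_ids(CENTRAL_ASSIGNMENT), VISITS), "prompts")
```

Note that the billing site still forces a fresh password under the central table; centralization removes the over-tight windows on low-sensitivity sites, not the prompt where the data sensitivity warrants it.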

This is just one consequence of Passport's legacy as a single sign-in system causing issues for MSN Windows Live sites. Another example of an issue we've faced was when deciding to provide APIs for MSN Spaces. If you read the Getting Started with the MetaWeblog API for MSN Spaces document you'll notice that instead of using the user's Passport credentials for the MetaWeblog API, we instead use a different set of credentials. This is because a user's Passport credentials were deemed to be too valuable to have them being entered into random blog editing tools which may or may not be safeguarding the user's credentials properly.

I now consider identity systems to be one big headache based on my experiences with Passport. This is probably why I've steadfastly avoided learning anything about InfoCard. I know there are folks trying to make this stuff easier at Microsoft but it seems like every time I think about identity systems it just makes my teeth hurt. :(

Saturday, February 18, 2006 4:39:28 PM (GMT Standard Time, UTC+00:00)
Do you really believe that not using the passport credentials for the metaweblog api solves the security problem that a blog publishing tool might not treat those credentials with the necessary care?!? I am willing to bet that the vast majority of users will just use the exact same password for the metaweblog that they use for their passport account and nothing is gained. Pushing a security issue in such a way to users rarely solves it. You actually SHOULD have a look at InfoCard, since it has a really clever way of improving on the exact problems you describe. Keep in mind that InfoCard is NOT a new single sign on system or anything like that. It only provides a consistent user interface to pick credentials for different sites. Those credentials might be a passport account (although nothing about that has been said, but I would be VERY surprised if that wasn't supported), or just a plain and simple method to reidentify someone. I would actually expect things to get easier for you guys with it... But just ignoring it certainly seems the wrong way...
David
Saturday, February 18, 2006 9:49:45 PM (GMT Standard Time, UTC+00:00)
Dare, I don't think it's necessary to copy and paste *so much* of others' posts. Snippets are ok, but entire posts or close to them is discourteous to others I think... not just my view - it's a general netiquette thing.

Reminds me of a joke I know:

What's the difference between kinky and perverted?

Kinky is when you use a feather. Perverted is when you use the whole chicken.
Monday, February 20, 2006 11:57:00 AM (GMT Standard Time, UTC+00:00)
Probably the quickest way to see how to integrate InfoCard into a website is this blog post by Andy:

http://blogs.msdn.com/andyhar/archive/2006/02/20/535333.aspx

Essentially all you need to do is put a special tag into an HTML form element and you will get whatever credential you want back in the form POST request. As I understand it you can either just ask for something simple like an email address, a self-issued identity, or (possibly) a security token from any other identity provider (like passport). No more redirects to passport websites or any of that crap, if I understand this correctly.

I guess the big question is whether Firefox and other browsers will integrate support for this...
David
Tuesday, February 21, 2006 5:09:47 PM (GMT Standard Time, UTC+00:00)
Dare,

You're right that Passport prompts are too prevalent, but it's nowhere near as bad as eBay or Amazon. Their sign-in systems really do suck in a big way. Maybe they have people as lucid as you and Trevin to explain why and I'm not hearing them, but for heaven's sake it's not that difficult within one site (OK many domains, I know, but still).

James