April 5th, 2006

Why does Microsoft Passport suck?

Posted by Ed Bott @ 6:01 am

Categories: Microsoft

Tags:

The Microsoft Passport Network is supposed to be an effortless way to share a single set of logon credentials across multiple sites. Instead, it’s a colossal annoyance. Even Microsoft employees gripe about the inconsistencies and abysmal user experience of Passport.

How does Microsoft Passport’s sign-in process suck? Let’s count the ways:

• It keeps popping up, on just about every imaginable Microsoft website (and on a few selected non-Microsoft sites, too).
• It doesn’t remember your preferences. Even after you click the “Save my e-mail address and password” option, you get prompted to enter your logon credentials every time you visit a Passport-enabled site.
• It pops up when it shouldn’t pop up. It happened to me last year when I tried to follow links to articles in Microsoft’s Knowledge Base. Thomas Hawk complained about a similar problem earlier this week when he tried to follow a link to a post on the Windows Live Mail Desktop Beta blog (could they make that name any longer?). In both cases, we were using Firefox. Conspiracy theorists, start your engines.
• It’s from Microsoft. Although the Redmondians appear to have given up on their original grand ambitions of world domination via Passport, it still touches just about every Microsoft website that requires personalization or presence.
• It keeps getting new names. It started in 1999 as Microsoft Passport, picked up some .NET baggage in 2001, and is now about to be renamed, again: Windows Live ID.

Ah, but that last part may be Passport’s saving grace. Along with the name change, says Microsoft’s Trevin Chow, comes a commitment to rework the whole sign-in experience.

The issues aren’t trivial. A long post entitled "Microsoft Passport 101," written in 2004 by developer Julien Couvreur, described in detail (complete with flowcharts) how the Passport web authentication protocol works. Trevin Chow’s less detailed but earthier post from last month identified security as the number-one issue that makes Passport sign-in suck:

In order to have a secure single sign-on system, you simply cannot have one prompt for a login then be able to access any site. It sounds counter-intuitive, since that’s what "single sign-on" seems to imply. This would only be possible if every single website you accessed had the same level of security and data sensitivity. We all know that this is not the case, and instead, sites vary in the level of security needed to protect it.

[…]

Because of this varying levels of data sensitivity, each site in the Passport network configures what we’ll call their "security policy" which tells passport parameters to enforce during sign in which is supposed to be directly related to their data sensitivity — the more sensitive the information therein, the "tighter" the security policy.

Makes sense. As Trevin explains, the security and privacy requirements of a Passport-enabled site like Windows Live, which only stores your personalization information, are very different from those of the MSN Account Management site, which includes personal information and possibly a credit card number.

I think the biggest flaw in the Passport architecture is its use of redirects and cookies to manage the single sign-on process. Cookies may be mostly benign, but they still have real privacy implications, and the constant redirects to the Passport site to pass credentials back and forth create the perception – true or not – that Microsoft is adding new entries in your dossier.

If Passport – sorry, Windows Live ID – is to get a complete overhaul, the goal should be to make it unobtrusive and, if possible, almost completely invisible. In other words, make it not suck.

Microsoft is doing some fascinating work in the field of digital identity systems. (Check out the work of Kim Cameron, the company’s Identity and Access Architect, for more details about the proposed Identity Metasystem.) It’s refreshing to see that Microsoft has embraced the idea that identity management should be a secure, open, interoperable process that you control. It’s your identity, after all.