The net is abuzz today about a scam application that is stealing people's G-mail account credentials. Or rather, the app is mis-using those account credentials when people hand them over to the application. Sound familiar? Yes, that's exactly the sort of issue that Windows Live ID Delegated Authentication is intending to combat. If I think about an archiver application for an online mailbox, then I would want to allow it to do this action on your behalf: Read a copy of each e-mail in your mailbox But NOT allow it to do these things: Send e-mail on your behalf Delete items in your mailbox Access any of your other data (Contacts, Calender, etc) apart from your mailbox So how does Delegated Authentication help in this case? Delegated Authentication is a way to permit access to personal information, but with more precise control over access and usage permissions than the current binary decision (that is, fully on or fully off) that comes with the generally bad practice of handing over your account credentials to another Web site. [ Delegated Auth Whitepaper ] In other words, if I were using this particular app, I would want to grant it something like a Mailbox.Read permission only, but not Mailbox.Write or Mailbox.Send or Calender.Read or Contacts.Read, and definitely not giving it my full acccount credentials. The core principles here are that people should scope the permissions they grant to an application to access their data in the cloud, and they should get out of the bad habit of handing over their account credentials (such as passwords) Angus Logan posted an impassioned statement showing why Live ID users should only even enter their account credential into their identity provider (login.live.com), which is a timely reminder to all Live ID users. We also took a very strong stance on this in the Delegated Auth Whitepaper: Only hand over your password and account credentials to your identity provider (for example, Windows Live ID), and to NO ONE else. Hopefully today's issue will act as a wakeup call to the industry and result in a very serious look at consent-based data access techniques like Windows Live ID Delegated Authentication... Read More...