Welcome to Windows Communication Foundation (WCF)
All Tags » Live ID

  • Delegated Authentication or Delegated Authorization?

    http://www.thearchitect.co.uk/weblog/archives/2008/05/000498.html
  • First Law of Password Hygiene

    Since moving to a team that handles the user accounts for everyone who uses any of Microsoft's web properties, I've started to take a much more informed look at how I use my own account credentials and which web sites and applications I hand over those credentials to. Angus Logan posted a great summary of the way Microsoft and Windows Live handle credential capture, which is worth a detailed read by everyone:

    No Microsoft web site will ask you for your Live ID credentials except login.live.com (and accounts.live.com when linking accounts). Any other web site which asks you for your credentials may not be evil.com but they could be sloppy coders or they could be hacked -- putting your credentials at risk of being stolen.

    This equates to the First Law of Password Hygiene: Only hand over your account credentials to your Identity Provider (for example, Windows Live ID),...
  • The Need for Delegated Authentication

    The net is abuzz today about a scam application that is stealing people's G-mail account credentials. Or rather, the app is misusing those account credentials when people hand them over to the application. Sound familiar? Yes, that's exactly the sort of issue that Windows Live ID Delegated Authentication is intending to combat.

    If I think about an archiver application for an online mailbox, then I would want to allow it to do this action on your behalf:

      • Read a copy of each e-mail in your mailbox

    But NOT allow it to do these things:

      • Send e-mail on your behalf
      • Delete items in your mailbox
      • Access any of your other data (Contacts, Calendar, etc) apart from your mailbox

    So how does Delegated Authentication help in this case?

    Delegated Authentication is a way to permit access to personal information, but with more precise control over access and usage permissions than the current binary decision (that is, fully on or fully off) that comes with the generally bad practice of handing over your account credentials to another Web site. [Delegated Auth Whitepaper]

    In other words, if I were using this particular app, I would want to grant it something like a Mailbox.Read permission only, but not Mailbox.Write or Mailbox.Send or Calendar.Read or Contacts.Read, and definitely not giving it my full account credentials.

    The core principles here are that people should scope the permissions they grant to an application to access their data in the cloud, and they should get out of the bad habit of handing over their account credentials (such as passwords).

    Angus Logan posted an impassioned statement showing why Live ID users should only ever enter their account credentials into their identity provider (login.live.com), which is a timely reminder to all Live ID users. We also took a very strong stance on this in the Delegated Auth Whitepaper:

    Only hand over your password and account credentials to your identity provider (for example, Windows Live ID), and to NO ONE else.

    Hopefully today's issue will act as a wakeup call to the industry and result in a very serious look at consent-based data access techniques like Windows Live ID Delegated Authentication...
  • Windows Live ID at MIX08

    After the announcement of the launch of the new Windows Live Platform enhancements, the new technology got lots of coverage in sessions at MIX08 last week. Here's the MIX08 presentation from Angus Logan covering the overall Windows Live Platform developer functionality, and heavily emphasizing lots of great Live ID technology.

      • Windows Live ID Web Authentication is covered from 24:18 through 35:21
      • Windows Live ID Delegated Authentication is covered from 35:30 through 46:43
      • The 3D Virtual Earth geo-coding example around 59:00 through 1:00:29 is really cool too!

    Developing with Windows Live Platform http://sessions.visitmix.com/?selectedSearch=T29...
  • Delivering Data Portability - Delegated Authentication SDK v1.0

    Today the Windows Live ID team released the Delegated Authentication SDK v1.0, which provides a platform-neutral way for Web applications to access customers' information from Windows Live services while the customers remain in firm control of their own data. This is a big step in delivering real, user-centric data portability - giving Windows Live customers explicit control over sharing their information from Windows Live services. Full details are on the Windows Live ID team blog and the Windows Live Developer portal:

      • Delegated Authentication SDK v1.0 blog posting
      • Windows Live Platform Announcement blog posting...
