Emmanuel Mesas's Weblog

Live News - Windows Live, Xbox Live - what else?
Windows Live™ ID - You can (use it)!
I've recently been involved in several projects where Windows Live™ ID (WLID) was a very compelling authentication mechanism compared with classic, home-made authentication. Of course, the ASP.NET Membership feature makes it much easier to handle user authentication, but you still have to manage the login process and privacy, keep passwords safe, provide a forgotten-password service, and keep evolving as authentication vehicles evolve - here I am talking about SAML support, Windows CardSpace™ (CardSpace) support and potential federation with other Identity Providers.

In addition to this, Windows Live™ ID isn't only there for offloading the authentication process from your site. There are many other services you and your customers can benefit from by adopting WLID.
I already talked about the most obvious one, but think about how you could ease your customers' lives by allowing them to use any existing WLID to sign in to your site. I think your customers will love reusing the WLID they're already using to sign in to Hotmail® or Live Messenger™ ... OK, I can already hear the crowd asking me, "What happens if my account gets hijacked? All my accounts will then be vulnerable." Don't you think this is already the case right now? Let me open a small parenthesis and talk about passwords and identity theft.

Last year, I presented two sessions at Swiss TechDays, on Identity and how Microsoft is managing the change around Identity Management. During my talk, I surveyed people about how many of them were actually reusing the same identifier and password each time they were about to register for a new account. The majority do: most of us reuse not only the same password (password fatigue) but also, when we have the ability to do so, the same identifier!
So tell me, why argue that using WLID is a threat when people already do that in a bad manner? What is the alternative today? - Take a sheet of paper, write down your account and a VERY strong password. What about the security question? If you can specify your own security question, then that's fine. If you can't, I guess that today most security questions are too easy to guess. Indeed, with a quick search on the Internet, one can find out your mom's maiden name (using genealogy sites) or where you spent your childhood (using your Facebook or favorite social site), and can probably guess your favorite color (using a dictionary attack) ...

So, I close my parenthesis about identity theft and come back to WLID. In my opinion, WLID isn't weaker than any other Identity Provider, and using it for multiple sites isn't that bad either. In addition, you can even use different (2 to 3) Live IDs for different purposes (as opposed to 100 different accounts) and, last but not least, give them VERY strong passwords you can't even remember (but write them down and put them in a safe place :-)) and use CardSpace for managing and presenting those accounts to sites that you use frequently. For example, have one WLID & CardSpace for your social networking, another one for buying stuff online and another one for private banking and highly sensitive operations.

Having reviewed how Windows Live™ ID can be a substitute for your home-made authentication mechanism, ease your consumers' account management and help make Identity Management even safer using CardSpace, one additional benefit is the access to Windows Live™ Services and APIs given to every WLID account. Indeed, why use your own storage and build your own application programming interface (API) for offering community and social networking functionality when Windows Live™ is already providing it to you and your developers?

If you think Windows Live™ ID and Windows Live™ Services are worth a look and can help you (re)architect your (new) web site, stay tuned for my next post, where I will describe all the different options available to you when it comes to using Windows Live™ ID.

Posted: Tuesday, February 12, 2008 10:10 AM by emesas

Comments

Emmanuel Mesas's Weblog said:

In a recent post, I promised to demystify Windows Live ID and help you understanding what the options

# February 13, 2008 8:56 AM

Noticias externas said:

In a recent post, I promised to demystify Windows Live ID and help you understanding what the options

# February 13, 2008 9:04 AM

idunno.org said:

Not feeling the CardSpace love

# February 27, 2008 8:39 AM