.NET Passport
Passport User ID (PUID)
- 64 bits
- Unique
- Linked to user's passport (i.e. same value every visit)
- Transferred encrypted.
- Individual sites can ask for a Security Key if simply being logged in as
the correct user (i.e. the PUID) is not considered secure enough. A Security
Key is a four-character value.
Operational Info
Legal Stuff & Registration Requirements
Companies must have a privacy statement of an acceptable level to use the
Passport service. Haven't seen a definition of "acceptable level".
MS does not "mine" user info or track click-through information. They do,
however, collect aggregated information about the number of users by attributes
such as gender, age or region.
Users cannot refuse e-mails from MS about passport (i.e. service updates and
surveys). That said, you don't have to reply to the surveys (and I've never had
one).
Sites must agree to:
- Only use information from the .NET Passport to supply goods and
services the user has actually requested
- Not use information from the .NET Passport to contact the user without
having previously obtained the user's consent
- Not share the .NET Passport Info with other sites, except where this is
necessary to complete a transaction (for example, a site probably has to
supply the user's name and address to a 3rd party parcel delivery company) and
the 3rd party must conform to a long list of requirements (privacy policy
etc.). It is acceptable to supply the PUID (and only the PUID) to another .NET
site.
To register, you must supply:
- E-mail address
- Password (6 chars+)
or, if registering on a mobile device:
- Mobile Phone number. Mobile device users can use this in place of the
e-mail address when signing in (being easier to enter on a numeric phone
keypad).
- Mobile PIN (6 to 16 digits). Mobile device users can use this in place of
the password when signing in.
Additionally, you can record the following in the passport as well (anything
else, the individual site has to store outside of passport and (presumably) link
by the PUID):
- Accessibility Options
- Date of Birth
- Country / Region
- First Name, Last Name
- Gender
- Occupation
- Postal Code
- State (!)
- Time Zone
XP Integration
Required to use:
- Messenger
- Remote Assistance
- MSN Explorer (yuk)
Nag screen / bubble goes away after 5 connections / refusals.
XP can log you into Passport automatically (if you want).
.NET Passport Express Purchase Service
When the Express Purchase button is clicked, the user is redirected to an
https:// address on an MS server. Here they can sign into passport (if they
haven't already), then select the billing and delivery address information
previously entered. This information is sent back to the merchant's website and
the user is redirected back.
Kids .NET Passport Service
Supports the American COPPA (Children's Online Privacy Protection Act).
Parents can set a consent level ("Deny", "Limited" or "Full") that controls a
site's ability to access information about the child.
Cookies
Passport creates 3 cookies:
- Ticket
Contains the PUID and a timestamp
- Profile
Contains the user's .NET Passport profile
- Site
Contains a list of sites to which the user has signed in
Misc
- Signing Out
Signing out of passport deletes all the (passport) cookies from all the
(passport implementing) sites visited during that browser session. No idea how
it does it, something to do with IMG tags and redirects.
- Passport.com
The site to visit to update your passport account. This site also contains a
list of participating sites (probably an incomplete / cherry picked list. It
doesn't say.)