MS Passport - What are they thinking?

Note - this is a rant I've had for a long time, not a response to anything new.  You can learn more about Passport here and here.  To get right to the chase, here's the part I think is ludicrous and detrimental to Passport ever getting any market share:

There are two fees for licensing .NET Passport: a periodic compliance testing fee of US$1,500 per URL and a yearly provisioning fee of US$10,000 per company. The provisioning fee is charged on a per-company basis and can be applied to multiple URLs. For example, if your company uses .NET Passport on three distinct URLs, you would pay one yearly fee plus the periodic compliance testing fee for each of the three URLs. This entitles your company to unlimited volume use of the .NET Passport service at those URLs.

This pricing model is absurd.  Microsoft has been totally unsuccessful at getting businesses to adopt and use Passport for a variety of reasons, not the least of which is its spotty security record and the fairly hefty amount of work required to implement the system.  They've done a great job of getting end users signed up, but without some businesses using it outside of Microsoft, it's not terribly worthwhile.

I am in love with the idea of Passport.  I hate the fact that every site I go to requires a different format of username and password.  I'd love to be able to just click "sign in" and use a single-signon service like Passport to securely allow me access.  I'd love to not have to type in my street address when I buy something if I've said it's ok to share the information.  These are all good things from the end-user perspective.

As a website developer, I love the idea of Passport.  I have a bunch of different sites with separate back end databases and user stores.  I'd love to be able to use a Passport ID to uniquely identify users regardless of which site they're in, and to allow them to bounce between sites and/or applications within a site (e.g. the ASP.NET Forums which use a totally separate authentication scheme from what most sites have) without having to sign in more than once.

Here's the rub - nobody is going to pay $10k/year + $1500/URL for a login control.  They're just not that hard to build yourself.  If anybody wants one in .NET, I have a complete N-Tier implementation of user registration/login/logout as a sample application here (bottom of page, "NTier Sample App w/Unit Tests").

Large organizations like banks and such already have authentication systems in place at this point - they've had to build them by now, so it's not like Passport is saving them any work.  The benefits are marginal and far outweighed by the security concerns that plague Passport.  They're not going to jump on Passport for $12k/year, unless it's MS paying them $12k, not the other way around.

Small shops who are building new applications and sites would benefit from a packaged, ready-to-go authentication system.  Passport would be a good fit here, but again, the price is totally insane.  I'm talking about sites that pay less than $100/month for shared hosting, of which there are thousands.  The developer resources for these organizations are usually stretched to the limit already, as are their budgets for IT.  A cheap version of Passport would probably be welcomed and would provide MS with a lot of market share, but the current price scheme will never see that happen.

I've talked about this with many different Microsoft employees, none of whom are on the Passport team.  Nobody I've spoken to thinks the current price scheme makes any sense.  On the off chance somebody from that team sees this, I'd love to hear their side of things.  Maybe I'm wrong and Passport is flying off the shelves and making MS millions, but I don't see it at any of the sites I go to unless MS owns them.

 

11 Comments

  • I 100% agree that the feature of "Single Sign On" is very cool, and it's really convenient and simple for end-users, and web site developers as well.

    I saw many presentations about the implementation and overview/mechanism of how Passport works, but I rarely see large corporations (like the bank in your example) that would stick with it.

    eBay.com is an obvious example, where they have n (millions) members and it has its own user storage/authentication system, but it is also Passport-enabled.

    I'd appreciate it if MS or MS partners would go this way.

  • I agree that the price is insane. Who the hell came up with it?

    The only reason I have heard about the motives for this price is that MS is afraid about stability / security and isn't ready to put this stuff out in the open, so they price it so high that only a select few people can use it.

  • A while ago, I was testing the Passport SDK for a book. The installation failed oddly, but always worked the second time you installed it. It was repeatable, and I went to multiple folks I know at MS, as well as the link to support for Passport, and got no explanation.

    I love it when it is used on sites, but as a developer, I do not think I could convince anyone to love it that much (12K worth, at least). I would also love to have a version I could use entirely internally (deploying my own redundant servers) at a large client of mine. It would be cool, but in the end, I ended up creating a good user database internally, exposed as a Web service for non-.NET systems...

  • I also like the idea of the Alerts, but the cost is extremely high for those PLUS we'd have to sign up with Passport.

    Sigh...

  • Just FYI Steve, I applied for passport for a one man company web site a couple of years ago, just to see what they sent me.

    Along with the package came the surprise that they wouldn't charge the published fees for the first year.

    In fact, the wording implied to me that it was possible that the pricing quoted is just a 'front' and that small sites making limited use of passport would get it for free indefinitely.

    Of course I agree that they should be more open about it. ;-)

  • I wouldn't be surprised if James is right - the eBays of the world are going to be expected to pay "absurd" rates, but I doubt that they'd hold non-profit and small sites to the same standard.

    Actually - maybe I'll give this a shot. I have two non-profit sites I'm moving over to ASP.NET and I would love to be able to use Passport.

  • Still, it'd be nice if the 'official' prices were more reasonable. Maybe $1 per user per year for the first 500 users, plus some arbitrary low verification fee, with decreasing cost/user/yr after that, and then a high flat fee at some point for when your company is in the Amazon.com range.

  • Although I don't have any specific knowledge about the licensing specifics for Passport, here are a couple thoughts:

    - what would you think is the maintenance cost of a high traffic site like Passport?

    - how much is it worth to a merchant to make it easy for millions of users to come to their site?

    - how much does it cost for Passport to test the compliance of the partner sites, and support their implementation effort?

    - how much value does a small site (not ebay ;-) bring to the "Passport network"?

    I would personally love to have a single signon offering for the community sites I go to (slashdot, kuro5hin, ....) but I can understand how Microsoft hasn't gone into this business.

    Somebody mentioned the need for a solution for internal use in companies: I believe that you can use existing solutions for this: domain authentication on the MS side, LDAP on the Linux/cross-platform side. There may be even better solutions than these, and I would definitely check out perl.org's new SSO solution when they post more info about it.

    Cheers

    Dumky

  • Dumky,

    Thanks for the response. My thought is that the value of Passport to the user is directly proportional to the number of sites they can go to and expect to be able to use it. While it's great that so many passport accounts exist, the truth is that they are not being used very often, because very very few sites use passport (ebay is the notable non-MS exception). Since passport will be a gateway to other "my services" like Alerts, etc., it is in MS's best interests to get people using them. So just as MS spends a lot of money on free tools like IE and MSN messenger, they could also spend money hosting Passport since it will mean more revenue in the long run once they leverage their user base for other services.

    1) no idea what it costs to run passport, but I know they're not making it up in licensing fees today since nobody is buying the licenses (that I see - if ebay is the only one, that's $12k).

    2) Depends on the merchant. If the site is a small site like www.aspsmith.com or www.richtextbox.com or even www.softartisans.com as opposed to www.bankone.com then not nearly as much as the license fee. And it's not easier for the users to come to the site, only easier for them to sign in.

    3) I'm sure compliance testing is expensive, as is support. Of all the arguments, I find this one the most compelling. However, I think the compliance checking could probably be streamlined to the point where it took someone familiar with the process less than an hour per site, and this could easily be done offshore by someone for $10/hr. So if we drop the price down to say $100 we're more than covering that cost.

    4) Every non-MS site adds value. Every individual has a different set of sites they go to. Certainly some are more important than others - Ebay, Yahoo, Amazon, CNN, etc. I think the real question should be, what % of the market does MS want? Let's say I go to 20 sites per month that require me to sign in. Right now maybe one or two of those uses Passport. Is that acceptable to MS? I think they'd much rather that number be at least 50% and closer to 80% (100% is of course never going to happen).

    I agree this isn't a free service from MS's end. And I agree that expanding its scope would increase its costs. However, I think currently they're way, way off the optimal point in the supply-demand curve, and that they could get more revenues and more market share if their price point was about 1/10 to 1/100 what it is today.

  • Dumky - what SSO solution at perl.org? Do you have a specific URL? I looked but couldn't find anything.

    Thanks.

  • News on slashdot today, the Messenger IM now introduces licensing.

    Well that certainly doesn't help customers either, but business is business I guess...
