Passport is Microsoft's bid to operate the master password database for every Web site and service. They've got a shot at grabbing a large number of subscribing sites because the current Web authentication solution involves thousands of different password databases to administer and support, and thousands of passwords for a user to remember.
I don't think they can do it right.
- Those Terms of Service are an abomination.
- Insufficient paranoia is endemic within MS product groups.
- The protocols are closed, resulting in vendor lock-in.
- The protocols are closed, resulting in insufficient peer review of what is potentially the most used crypto since DES.
AOL are their only credible current threat. They have a slightly better security record, but the other problems are much the same.
I don't want to trust either of them. We cannot allow Microsoft or AOL to dominate Web-wide authentication.