If I understand M$ Passport correctly, they have a centralized registry that manages all user authentication. That is obviously not good.
However, it does not have to be this way; it can be a federated system consisting of a number of identity providers, and an even greater number of web sites that accept login authentication from at least some of those providers. For example, the CPAN forum could have a button in addition to its login box that PerlMonks can just click, and they will be logged in using the PerlMonks system. They could have another such button for Slashdotters. This would not create any new "trusted third parties".