Stamping Passport

Good in parts

  • alert
  • submit to reddit

The essential guide to IT transformation

Column Online auction house eBay recently announced that it would discontinue support for Microsoft's Passport authentication service, touching off lively discussions on Slashdot and other forums where anti-Microsoft sentiment runs strong. Passport has long been plagued with criticism and concerns over privacy and security, and for those who oppose Passport, this latest move seems to validate those concerns: clearly, they say, no one trusts Microsoft with their information, and that's why Passport failed. But I just don't buy that argument.

I have always had my own concerns about Passport, but I hardly think it deserves the bad name that it has received. It's had occasional security problems, but considering its usage and exposure, it has held up fairly well. And although Microsoft has failed to convince enough websites to adopt Passport, with an estimated 200 million users the technology itself has by no means failed.

Originally, Microsoft wanted much more from Passport. It envisioned Passport as a key player in the growing ecommerce marketplace. It wanted everyone to log in to any website using the same username and password, and even make express purchases online with their Passport Wallet. But that was a time when people hardly trusted the Internet itself, and weren't keen on Microsoft or any other single company holding their financial information. Because of these concerns and due to government pressure, Microsoft eventually changed its security and privacy policies and abandoned the Passport Wallet altogether. The world just wasn't ready.

But even with these changes, Passport failed to make a big impact outside of Microsoft. Few websites implemented the service and those that did often provided it only as an alternative to their own private authentication system. Some said the high costs and complicated implementation requirements made Passport unattractive; others said offering Passport authentication did little to bring them more customers. But almost everyone agreed that in many ways it was a trust issue.

Part of the problem is misconceptions about Passport. If you are concerned about privacy, there really isn't much personal information that Passport stores about you, and there's nothing preventing you from entering bogus data. And although many news articles mention that Passport stores your credit card information and other passwords, those news stories are inaccurate.

Another misconception centers on Passport's security. Admittedly, having a single sign-on mechanism is not much different from using the same username and password on every Web site, something we know is a poor security practice but most everyone does to some extent. Passport is a single point of failure: if someone gets your Messenger password, they also have your Hotmail, MSDN, and your MSN MoneyCentral password. And that could be bad.

Nevertheless, you could argue that having a single potentially insecure point of authentication is better than having a thousand potentially insecure points of authentication. It is also easier to monitor, control, and fix a single point of failure. Even better, it is much easier to implement new and advanced security technologies such as PKI, hardware authentication, or biometrics with a single point of authentication. If Passport gets a new feature, every website that uses Passport gets that feature.

Federal Oversight

Ultimately, it comes down to how much we trust the Passport technology itself to be secure. There have been a couple serious security issues, but considering its two million members and widespread usage, that really isn't a bad average.

Of course, it just hasn't been around long enough to be proven secure. And since it is closed source, the code is not available for public scrutiny. But thanks to the federal government, we do know a little about its internal security.

As part of a 2002 settlement with the FTC arising from a Passport security gaffe, Microsoft agreed to some minimum security requirements for the service. In particular, they must:

  • Establish and maintain a comprehensive written security program that covers administrative, technical, and physical safeguards.
  • Designate at least one employee to coordinate and be accountable for that security program.
  • Identify any internal or external security risks and assess the adequacy of the safeguards in place to control these risks.
  • Design and implement any new safeguards required to control the identified risks.
  • Obtain a biannual security assessment and report from a qualified, objective, and independent third party.
  • Evaluate and adjust their security program after any changes to business operations, arrangements, or other circumstances that might affect security.

Furthermore, until the year 2022, Microsoft is required to give a copy of the FTC order to all "current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having managerial responsibilities relating to the subject matter of [the] order."

So we know there is some accountability for their security, and we know that even beyond the FTC order Microsoft has been making a big push for security overall.

Still, the more everyone relies on a single authentication mechanism, the more criminals will target that one mechanism. Passport, or any similar technology, just isn't the best thing for every website, no matter how secure it is. It's useful for customization and non-critical sites, and would make a nice enhancement to the registration or password reset process on third-party sites, but having a single username and password for everything is very much putting all your eggs in one basket.

Managing Expectations

Microsoft should keep Passport, but not as it has been. I recommend the following changes.

  • Microsoft should understand Passport's place in the world and not try to move it beyond that.
  • Provide a more consistent and secure login page for every website, because as it is now, it's too easy for a malicious Web operator to fake the Passport login form and harvest credentials.
  • Provide multiple levels of authentication and safety so that users can maintain separate distinct domains within Passport.
  • Allow users to prevent the use of their Passport account to access certain services, such as Hotmail or MSN Messenger.
  • Involve the public more with internal Passport security policies, strategies, procedures, and audit reports.

Ultimately, Microsoft cannot guarantee the service is secure for any particular person. They cannot prevent you from being tricked, manipulated, bribed, blackmailed, or forced to reveal your credentials to someone else. They cannot prevent you from logging in at an insecure location, and they don't know if you properly log out when finished. They don't know if you have a lame password or if everyone close to you can instantly guess your password. They can't prevent a separated partner or wayward teenager with your password from accessing your account.

Passport is a convenient service and is plenty secure for many purposes. I wouldn't want my bank to implement it, but I sure wish I could consolidate a hundred other non-critical passwords I currently maintain.

Copyright © 2005, SecurityFocus logo

Mark Burnett is an independent security consultant and author who specializes in securing Windows-based servers. He is co-author of the best-selling book Stealing the Network (Syngress), and has also co-authored or contributed to several other books, including Special OPS: Host and Network Security for Microsoft, UNIX, and Oracle (Syngress); Maximum Windows Security (SAMS); and Dr. Tom Shinder's ISA Server and Beyond (Syngress).

Related stories

Microsoft revokes Passport service
IBM gives in to call for Liberty services for all
Deutsche Telekom Passport hole exposes 120,000

Next gen security for virtualised datacentres

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story


5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?