Stamping Passport

Good in parts

Online auction house eBay recently announced that it would discontinue support for Microsoft's Passport authentication service, touching off lively discussions on Slashdot and other forums where anti-Microsoft sentiment runs strong. Passport has long been plagued with criticism and concerns over privacy and security, and for those who oppose Passport, this latest move seems to validate those concerns: clearly, they say, no one trusts Microsoft with their information, and that's why Passport failed. But I just don't buy that argument.

I have always had my own concerns about Passport, but I hardly think it deserves the bad name that it has received. It's had occasional security problems, but considering its usage and exposure, it has held up fairly well. And although Microsoft has failed to convince enough websites to adopt Passport, with an estimated 200 million users the technology itself has by no means failed.

Originally, Microsoft wanted much more from Passport. It envisioned Passport as a key player in the growing ecommerce marketplace. It wanted everyone to log in to any website using the same username and password, and even make express purchases online with their Passport Wallet. But that was a time when people hardly trusted the Internet itself, and weren't keen on Microsoft or any other single company holding their financial information. Because of these concerns and due to government pressure, Microsoft eventually changed its security and privacy policies and abandoned the Passport Wallet altogether. The world just wasn't ready.

But even with these changes, Passport failed to make a big impact outside of Microsoft. Few websites implemented the service and those that did often provided it only as an alternative to their own private authentication system. Some said the high costs and complicated implementation requirements made Passport unattractive; others said offering Passport authentication did little to bring them more customers. But almost everyone agreed that in many ways it was a trust issue.

Part of the problem is misconceptions about Passport. If you are concerned about privacy, there really isn't much personal information that Passport stores about you, and there's nothing preventing you from entering bogus data. And although many news articles mention that Passport stores your credit card information and other passwords, those news stories are inaccurate.

Another misconception centers on Passport's security. Admittedly, a single sign-on mechanism is in one respect not much different from using the same username and password on every Web site, something we know is a poor security practice but most everyone does to some extent. (The real difference is that with single sign-on your password is only ever sent to Passport, rather than to every site you use; with plain password reuse, any one of those sites can leak it.) Either way, Passport is a single point of failure: if someone gets your Messenger password, they also have your Hotmail, MSDN, and MSN MoneyCentral accounts. And that could be bad.

Nevertheless, you could argue that having a single potentially insecure point of authentication is better than having a thousand potentially insecure points of authentication. It is also easier to monitor, control, and fix a single point of failure. Even better, it is much easier to implement new and advanced security technologies such as PKI, hardware authentication, or biometrics with a single point of authentication. If Passport gets a new feature, every website that uses Passport gets that feature.

Federal Oversight

Ultimately, it comes down to how much we trust the Passport technology itself to be secure. There have been a couple of serious security issues, but considering its 200 million members and widespread usage, that really isn't a bad average.

Of course, it just hasn't been around long enough to be proven secure. And since it is closed source, the code is not available for public scrutiny. But thanks to the federal government, we do know a little about its internal security.

As part of a 2002 settlement with the FTC arising from a Passport security gaffe, Microsoft agreed to some minimum security requirements for the service. In particular, they must:

  • Establish and maintain a comprehensive written security program that covers administrative, technical, and physical safeguards.
  • Designate at least one employee to coordinate and be accountable for that security program.
  • Identify any internal or external security risks and assess the adequacy of the safeguards in place to control these risks.
  • Design and implement any new safeguards required to control the identified risks.
  • Obtain a security assessment and report from a qualified, objective, and independent third party, repeated every two years.
  • Evaluate and adjust their security program after any changes to business operations, arrangements, or other circumstances that might affect security.

Furthermore, until the year 2022, Microsoft is required to give a copy of the FTC order to all "current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having managerial responsibilities relating to the subject matter of [the] order."

So we know there is some accountability for their security, and we know that even beyond the FTC order Microsoft has been making a big push for security overall.

Still, the more everyone relies on a single authentication mechanism, the more criminals will target that one mechanism. Passport, or any similar technology, just isn't the best thing for every website, no matter how secure it is. It's useful for customization and non-critical sites, and would make a nice enhancement to the registration or password reset process on third-party sites, but having a single username and password for everything is very much putting all your eggs in one basket.

Managing Expectations

Microsoft should keep Passport, but not as it has been. I recommend the following changes.

  • Microsoft should understand Passport's place in the world and not try to move it beyond that.
  • Provide one consistent and secure login page that every website uses, because as it is now, it's too easy for a malicious Web operator to fake the Passport login form and harvest credentials.
  • Provide multiple levels of authentication and safety so that users can maintain separate distinct domains within Passport.
  • Allow users to prevent the use of their Passport account to access certain services, such as Hotmail or MSN Messenger.
  • Involve the public more with internal Passport security policies, strategies, procedures, and audit reports.
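To make the third and fourth recommendations concrete, here is an added sketch (my own illustration for this column, not code from Passport or from Microsoft) of an identity provider that enforces a per-service assurance level and a per-user opt-out list, and then mints tickets bound to a single service, so that a ticket Hotmail accepts is worthless at MoneyCentral. The level numbers, service names, user list and signing key are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Assurance levels are an assumption for this sketch; the column only
# says "multiple levels of authentication".
LEVEL_PASSWORD = 1             # password only
LEVEL_PASSWORD_PLUS_TOKEN = 2  # password plus a hardware token or similar

# Constructed policy: the level each service demands before SSO may open it.
SERVICE_LEVEL = {
    "messenger": LEVEL_PASSWORD,
    "hotmail": LEVEL_PASSWORD,
    "msdn": LEVEL_PASSWORD,
    "moneycentral": LEVEL_PASSWORD_PLUS_TOKEN,
}

# Constructed user preferences: services a user has opted out of reaching via SSO.
USER_BLOCKED = {
    "alice": {"moneycentral"},
    "bob": set(),
}

# Demo-only key shared by the identity provider and its relying parties.
IDP_KEY = b"constructed-demo-key-not-a-real-secret"


def authorize(user, level, service):
    """Decide whether a session at `level` may reach `service` for `user`.

    Returns (allowed, reason). Unknown services, user opt-outs and an
    insufficient assurance level are refused, in that order.
    """
    required = SERVICE_LEVEL.get(service)
    if required is None:
        return False, "unknown service"
    if service in USER_BLOCKED.get(user, set()):
        return False, "user has blocked SSO access to this service"
    if level < required:
        return False, "step-up required: level %d, session has %d" % (required, level)
    return True, "ok"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_claims(claims):
    """Identity-provider side: serialize the claims and HMAC them into a ticket."""
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(sig)


def issue_ticket(user, level, service):
    """Mint a ticket bound to one service ("aud"), or None if policy says no."""
    allowed, _ = authorize(user, level, service)
    if not allowed:
        return None
    return sign_claims({"sub": user, "lvl": level, "aud": service})


def verify_ticket(ticket, expected_service):
    """Relying-party side: check the signature, that the ticket was minted for
    this service, and that its level satisfies this service. Returns the claims
    or None."""
    try:
        enc_payload, enc_sig = ticket.split(".")
        payload, sig = b64url_decode(enc_payload), b64url_decode(enc_sig)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(IDP_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims.get("aud") != expected_service:
        return None  # a Hotmail ticket must not open MoneyCentral
    if claims.get("lvl", 0) < SERVICE_LEVEL.get(expected_service, 99):
        return None  # defence in depth: re-check the level at the relying party
    return claims


if __name__ == "__main__":
    t = issue_ticket("bob", LEVEL_PASSWORD, "hotmail")
    print("hotmail accepts:", verify_ticket(t, "hotmail"))
    print("moneycentral accepts:", verify_ticket(t, "moneycentral"))
    print("alice -> moneycentral:", authorize("alice", LEVEL_PASSWORD_PLUS_TOKEN, "moneycentral"))
```

The audience ("aud") binding is what keeps the domains distinct: a relying party that is compromised, or a fake site that has captured a ticket, holds something only its own service will accept. The relying party also repeats the level check rather than trusting the issuer alone, so a ticket that somehow carries a lower level than the service demands is refused at both ends.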

Ultimately, Microsoft cannot guarantee the service is secure for any particular person. They cannot prevent you from being tricked, manipulated, bribed, blackmailed, or forced to reveal your credentials to someone else. They cannot prevent you from logging in at an insecure location, and they don't know if you properly log out when finished. They don't know if you have a lame password or if everyone close to you can instantly guess your password. They can't prevent a separated partner or wayward teenager with your password from accessing your account.

Passport is a convenient service and is plenty secure for many purposes. I wouldn't want my bank to implement it, but I sure wish I could consolidate a hundred other non-critical passwords I currently maintain.

Copyright © 2005, SecurityFocus

Mark Burnett is an independent security consultant and author who specializes in securing Windows-based servers. He is co-author of the best-selling book Stealing the Network (Syngress), and has also co-authored or contributed to several other books, including Special OPS: Host and Network Security for Microsoft, UNIX, and Oracle (Syngress); Maximum Windows Security (SAMS); and Dr. Tom Shinder's ISA Server and Beyond (Syngress).
