Microsoft’s .NET Passport, one of the largest online authentication services in operation, has more than 200 million active accounts and handles more than 4 billion authentications per month, Adam Sohn, product manager for the Platform Strategy Group at Microsoft, told TechNewsWorld.
As a whole, Microsoft’s .NET Passport service is a collection of Internet-based technologies designed to make accessing e-commerce Web sites easier, faster and, in theory, more secure. In addition, Microsoft has constructed the Passport service to make it relatively easy for developers to build in Passport authentication to XML Web services.
However, critics have faulted Microsoft’s centralized identification model as being fraught with security risks, largely because all user data is stored in one place. In light of these risks, alternative services — like the federated identity-authentication system developed by the Liberty Alliance Group — could pose a threat to Microsoft’s ability to expand its .NET user base.
“This should not be viewed as Microsoft versus anybody else,” Andrew Eliopoulos, senior director of network identity at Sun Microsystems, told TechNewsWorld. A key player in the Liberty Alliance Group, Sun Microsystems has said that users will not be caught in a competition between opposing business models. “It is not an either-or confrontation,” said Eliopoulos. “The marketplace is so large it will tolerate both the federated and the centralized concepts.”
Microsoft built its Passport network around the concept of single sign-in capability. Rather than having to remember multiple user names and passwords for every Web site, Passport users open a single Passport account that they then can use to access any password-controlled site that accepts Microsoft’s Passport.
The growing number of participating companies that use Passport technology includes Nasdaq, McAfee, Expedia, eBay, Groove and Starbucks. “Consumers will find increased convenience by using Passport,” said Sohn. But detractors worry about security threats and potential abuses that could result from Microsoft’s sole control of the Passport database. Of even greater concern to some is the potential for identity theft if the Passport servers are compromised.
Those concerns are justified, analysts have said, especially in light of past incidents in which hackers have compromised the Passport servers. Inherent in Microsoft’s centralized model is the risk of exposing confidential records.
“The fear now is about what Microsoft is doing with all the user information it collects,” said Patrick Morley, CEO of Imprivata, a developer of authentication software. But other analysts, while admitting that such criticism of Microsoft was valid when Passport was first introduced, said Microsoft now has more of a problem with its business reputation than with its security holes.
“Those security concerns are somewhat cleared up; it’s more of a trust issue now,” said Ted Dinsmore, president of Conchango, a New York-based IT management consultancy and solutions company. “The … issue now is how Microsoft deals with security.”
Microsoft’s Sohn said the company realizes that network security constantly evolves. He pointed out that the company will continue to respond to security concerns involving Passport.
“We commit a huge amount of time and resources to securing the Passport service,” he said. “We [plan to] take stronger and more significant steps to keep our security technology and practices at the cutting edge.”
According to Sohn, Passport technology undergoes continuous testing and is the focus of an ongoing program designed to improve the associated reliability and security issues.
“We realize that security is a journey [and] that you are never done with that work, and we feel we have the research and development, training, operational excellence and — in the case of any issues that might arise — a best-of-breed response process in the form of the Microsoft security response center to continue to provide a great, reliable, robust service to our customers,” he concluded.
As an alternative to Microsoft’s centralized authentication system, the Liberty Alliance Group has proposed a model for federated — or distributed — identity authentication. The group, headed by Sun Microsystems, is an industry consortium of more than 160 technology organizations that include BEA, RSA and VeriSign.[*correction]
Liberty Alliance has developed an open and available set of specifications and business guidelines enabling identity federation and supporting identity-based Web services. IBM and Microsoft have developed a draft specification — called WS-Federation — that enables some of the same capabilities that Liberty’s standard addresses.
With Passport, Microsoft owns the identity of the user, and every user conducts transactions through Microsoft’s identity-management system. That difference is critical, according to Ian Hameroff, security strategist at Computer Associates. In contrast to Microsoft’s centralized system, the federated system sends only bits and pieces of a user’s entire stored profile. “The authentication process doesn’t trust a single entity,” he said.
Impravita’s Morley said that despite the established Passport user base, many others are adopting services that do not require a centralized repository of data. “The general theme we see is people are pretty focused on the federated model,” he said. “Most companies want to be able to have secure logons without risking all their data.”
What Lies Ahead
Hameroff and others in the network-security field see Microsoft eventually working with sponsors of federated authentication systems. “There is no one silver bullet,” he said. “Consumers will eventually be dealing with Web sites that use both methods of user identification.”
Microsoft’s Sohn doesn’t argue that point. He said Microsoft believes Passport and Liberty can both thrive. “Remember that Passport is an operational service,” he said. “We are live today; Liberty is a specification on top of which vendors might build products or services.”
He added that Microsoft’s security road map could work well with Liberty systems. “We’re hopeful that we will be able to work with the Alliance so that they can take advantage of this key infrastructure.” Still, Sohn cautions, Microsoft will remain the driving point in single sign-on services, making room for alternative offerings to join its centralized community.
*Editor’s Correction Note: We incorrectly identified Microsoft and IBM as members of the Liberty Alliance. In addition, we incorrectly suggested that the Liberty Alliance had developed the WS-Federation specification, which is a draft spec initially proposed by Microsoft and IBM. We apologize for the error.