Stamping Passport

Stamping Passport
Mark Burnett, 2005-01-10

Microsoft can save its ailing authentication service, but only by scaling back its expectations on what kinds of accounts Passport is fit to secure.

Online auction house eBay recently announced that it would discontinue support for Microsoft's Passport authentication service, touching off lively discussions on Slashdot and other forums where anti-Microsoft sentiment runs strong. Passport has long been plagued with criticism and concerns over privacy and security, and for those who oppose Passport, this latest move seems to validate those concerns: clearly, they say, no one trusts Microsoft with their information, and that's why Passport failed. But I just don't buy that argument.

I have always had my own concerns about Passport, but I hardly think it deserves the bad name that it has received. It's had occasional security problems, but considering its usage and exposure, it has held up fairly well. And although Microsoft has failed to convince enough Web sites to adopt Passport, with an estimated 200 million users the technology itself has by no means failed.

Originally, Microsoft wanted much more from Passport. They envisioned Passport as a key player in the growing e-commerce marketplace. They wanted everyone to log in to any website using the same username and password, and even make express purchases online with their Passport Wallet. But that was a time when people hardly trusted the Internet itself, and weren't keen on Microsoft or any other single company holding their financial information. Because of these concerns and due to government pressure, Microsoft eventually changed their security and privacy policies and abandoned the Passport Wallet altogether. The world just wasn't ready.

But even with these changes, Passport failed to make a big impact outside of Microsoft. Few web sites implemented the service and those that did often provided it only as an alternative to their own private authentication system. Some said the high costs and complicated implementation requirements made Passport unattractive; others said offering Passport authentication did little to bring them more customers. But almost everyone agreed that in many ways it was a trust issue.

Part of the problem is misconceptions about Passport. If you are concerned about privacy, there really isn't much personal information that Passport stores about you, and there's nothing preventing you from entering bogus data. And although many news articles mention that Passport stores your credit card information and other passwords, those news stories are inaccurate.

Another misconception centers on Passport's security. Admittedly, having a single sign-on mechanism is not much different from using the same username and password on every Web site, something we know is a poor security practice but most everyone does to some extent. Passport is a single point of failure: if someone gets your Messenger password, they also have your Hotmail, MSDN, and your MSN MoneyCentral password. And that could be bad.

Nevertheless, you could argue that having a single potentially insecure point of authentication is better than having a thousand potentially insecure points of authentication. It is also easier to monitor, control, and fix a single point of failure. Even better, it is much easier to implement new and advanced security technologies such as PKI, hardware authentication, or biometrics with a single point of authentication. If Passport gets a new feature, every website that uses Passport gets that feature.

Federal Oversight
Ultimately, it comes down to how much we trust the Passport technology itself to be secure. There have been a couple serious security issues, but considering its 200 million members and widespread usage, that really isn't a bad average.

Of course, it just hasn't been around long enough to be proven secure. And since it is closed source, the code is not available for public scrutiny. But thanks to the federal government, we do know a little about its internal security.

As part of a 2002 settlement with the FTC arising from a Passport security gaffe, Microsoft agreed to some minimum security requirements for the service. In particular, they must:

Establish and maintain a comprehensive written security program that covers administrative, technical, and physical safeguards.
Designate at least one employee to coordinate and be accountable for that security program.
Identify any internal or external security risks and assess the adequacy of the safeguards in place to control these risks.
Design and implement any new safeguards required to control the identified risks.
Obtain a biannual security assessment and report from a qualified, objective, and independent third party.
Evaluate and adjust their security program after any changes to business operations, arrangements, or other circumstances that might affect security.

Furthermore, until the year 2022, Microsoft is required to give a copy of the FTC order to all "current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having managerial responsibilities relating to the subject matter of [the] order."

So we know there is some accountability for their security, and we know that even beyond the FTC order Microsoft has been making a big push for security overall.

Still, the more everyone relies on a single authentication mechanism, the more criminals will target that one mechanism. Passport, or any similar technology, just isn't the best thing for every website, no matter how secure it is. It's useful for customization and non-critical sites, and would make a nice enhancement to the registration or password reset process on third-party sites, but having a single username and password for everything is very much putting all your eggs in one basket.

Managing Expectations
Microsoft should keep Passport, but not as it has been. I recommend the following changes.

Microsoft should understand Passport's place in the world and not try to move it beyond that.
Provide multiple levels of authentication and safety so that users can maintain separate distinct domains within Passport.
Allow users to prevent the use of their Passport account to access certain services, such as Hotmail or MSN Messenger.
Involve the public more with internal Passport security policies, strategies, procedures, and audit reports.

Ultimately, Microsoft cannot guarantee the service is secure for any particular person. They cannot prevent you from being tricked, manipulated, bribed, blackmailed, or forced to reveal your credentials to someone else. They cannot prevent you from logging in at an insecure location, and they don't know if you properly log out when finished. They don't know if you have a lame password or if everyone close to you can instantly guess your password. They can't prevent a separated partner or wayward teenager with your password from accessing your account.

Passport is a convenient service and is plenty secure for many purposes. I wouldn't want my bank to implement it, but I sure wish I could consolidate a hundred other non-critical passwords I currently maintain.

Mark Burnett is an independent researcher, consultant, and writer specializing in Windows security. He is the author of Hacking the Code: ASP.NET Web Application Security (Syngress), co-author of the best-selling book Stealing The Network: How to Own the Box (Syngress), and co-author of Maximum Windows 2000 Security (SAMS Publishing). He is a contributor and technical editor for Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle. Mark speaks at various security conferences and has published articles in Windows IT Pro Magazine (formerly Windows & .NET Magazine), Redmond Magazine, Information Security, Windows Web Solutions, Security Administrator and various other print and online publications. Mark is a Microsoft Windows Server Most Valued Professional for Internet Information Services.