Security

Cheat Sheet: Microsoft Passport

Is Microsoft plumbing new depths of unpopularity or is its controversial single sign-on application just misunderstood?

What is it then?
Passport is the centrepiece of Microsoft's .NET initiative, which is all about web services. You'll probably have experienced it in its current guise as the authentication engine for Hotmail. Basically it is supposed to be a secure door into a huge range of different web services.

"Web services" - you've said that twice now. What does it mean?
Come on, where have you been for the last year? It's what everyone who's anyone is saying is going to save the industry from the current recession. Essentially it's an umbrella term for ways to intelligently link up websites, so they can start providing you with intelligent, helpful services. For example, if you book a holiday on ebookers, it can check your calendar, and cancel that reservation you made for the same week at the theatre automatically.

Intelligent services? As opposed to the ones we have now?
You're getting there.

Sounds great. So what's the fuss about?
Privacy and security, dummy. There are three schools of thought arguing against it: One is against Microsoft on principle, and doesn't want Bill Gates getting anywhere near its personal data (these people would probably be against Microsoft finding a cure for cancer). The second is against the idea of a single sign-on point for ecommerce in principle, whoever's doing it. The third raises some very real questions about Microsoft's past record on security, and questions whether it has the ability to design really secure software.

Hang on. What's this about single sign-on?
These are architectures whereby you only have to validate yourself once, to get access to a whole range of services. Critics say this is unnecessarily risky, giving a huge target for hackers who can gain access to masses of information from just one point.

So are all my personal details going to be held by Microsoft?
Not necessarily. At first it looked like all the data would be held in big server farms in Redmond, but recently the software behemoth has softened its stance, adopting a 'federated' approach, whereby many companies will hold their own data.

Still, Microsoft does have a patchy record on security?
You'll be hard pressed to find anyone to disagree with you there. Just in the last few months we've had the problems with IIS, the infection of its own servers with Code Red, holes found in Internet Explorer and Hotmail, and a constant stream of patches and updates to fix bugs. Last weekend a hole was discovered in MyWallet, the part of Passport that holds, er..., your credit card details.

So should I use Passport for my sensitive data?
Probably not right now. Even Microsoft admits it's not yet ready to authenticate for applications like online banking. However, it's harder and harder to avoid - Microsoft has deals with lastminute.com, Egg, Expedia and QXL ricardo, to name but a few.

So what does Microsoft say about this?
It says single sign-on is the safest security architecture, because it stops people signing up to multiple accounts with the same password - a gift to hackers. It does admit it's got a battle in terms of public perception - but insists it's up to the job, security-wise.

...And the conspiracy theorists?
Microsoft will control everyone's identity. By 2010 nobody will be able to cross physical borders without a Microsoft-controlled 'Passport' ID produced with a virtual monopoly in cahoots with governments across the globe. Gates will be more powerful than governments, holding them to ransom for the gift of electronic (and therefore physical) identity.


Links:
http://www.passport.com/Business/Default.asp?lc=1033
http://www.projectliberty.org/
http://alive.znep.com/~marcs/passport/
