There seems to be no question that the idea behind Microsoft’s new Passport initiative has value as a customer-friendly, timesaving service. But what many IT pros do question is whether this service is secure enough to be viable.
As you may know, the idea behind Passport is to allow Internet users to have a single sign-on for all Web sites that participate in the Microsoft Passport network.
This could be incredibly convenient for end users who chafe at having to authenticate themselves on every site they visit where their usage is tracked or secure transactions are made.
Passport is a core piece of Microsoft’s .NET strategy, according to the CNET article “Microsoft’s Passport: Convenience or security risk?”
CNET’s article points out that Windows 9x and Windows Me users would be transmitting their user names and passwords in plain text during the authentication process for Passport, as they do already during any Internet authentication. For users of NT-based products, including Windows 2000 and Windows XP, the authentication information would be encrypted, but these products are susceptible to hacks that record keystrokes.
While these vulnerabilities already exist, CNET warns that they take on a deeper and darker meaning if merchants adopt the Microsoft Passport plan. After exploiting these weaknesses, hackers can use the Passport authentication information to get victims’ financial information.
In this Member Debate, we would like to direct you to the discussion that is currently under way at the end of the CNET article. To get you up to speed, here are some of the arguments that have already been posted.
Your passport to a bad idea
On the ever-present Microsoft-bashing side of this argument, members are focused less on the potential of Passport in particular and more on Microsoft’s inability to produce products with a high degree of security as a whole.
Comments such as those by David.irving are common. He writes, “If Microsoft paid any attention to security, to the number of Microsoft systems that have been compromised, and to the comments of security experts, this would not be as serious a problem.
“The major difference between Windows and UNIX is that, these days, UNIX systems can be made reasonably secure. This has happened because the people who’ve built them have addressed all the concerns as they’ve come to light,” David.irving writes.
Several members said that it seems as if Microsoft builds software with security holes in it and then blames network administrators when someone exploits those holes.
Dlancaster writes, “This is something that is entirely in Microsoft’s hands. They can’t blame network admins for failing to patch it properly. If the holes in IIS are the result of sloppy administration, then the holes in Passport must also be the result of sloppy administration. However, in this situation the administration is at the Microsoft end. How can it be anything but Microsoft’s fault?”
Blame the bad guys, not Microsoft
A number of members have come to the aid of Microsoft, saying that people should blame the hackers and not a company that is supporting innovation and development on the Web.
Bashing Microsoft is missing the point of Passport, according to Sven Aelterman. “Instead of foregoing Passport (and .NET, which is really unrelated), we should adopt it and thus be able to exercise pressure on Microsoft to fix any existing security holes,” Aelterman says. “That is the only way we can productively help technology advance.
“Personally, I would very much like to have single sign-in for nonsensitive data. I would like to log on to Windows XP in the morning and, at the same time, be able to check my personal stock quotes, personalized news, maybe personal e-mail, and log on to TechRepublic and a host of other sites that offer personalized features,” Aelterman says.
John Mauli points out that the most important factor in the acceptance of Microsoft’s Passport scheme will be the average end user.
“In regards to convincing other people not to use .NET, focus should be aimed more at financial intermediaries to develop similar functionality but different business models as those applied by Microsoft,” Mauli says.
“Instead of preventing the advancement of technology—especially involving e-commerce—supporting and constructively criticizing it would be a better approach,” Mauli says.
What do you think?
Tell your peers what you think about Microsoft’s Passport. Is this the beginning of something wonderful? Or is it the recipe for disaster? Join the discussion and let us know what you think.