3.4 Microsoft s .NET passport

As of this writing, it is safe and fair to say that Passport is under siege ”and that its reputation as a secure, widely accepted single sign-on scheme is severely tarnished. As a single sign-on mechanism, Passport literally holds the keys to Web security. If the Passport service, which is run by Microsoft, is infiltrated and compromised, a hacker, in effect, gets an open sesame pass to roam the Web at will masquerading as another ”to see what information, services, and even goods can be hijacked using preapproved validations activated by the single sign-on scheme.

Microsoft s .NET Passport home page is shown in Figure 3.14, which highlights the fact that it is a free service with Microsoft s proud claim that one can Use one name and password to sign in to all .NET Passport-participating sites and services.

Figure 3.14: Microsoft s .NET Passport home page at www.passport.net, which talks about the free, single sign-on service, as well as the powerful security features that are there to protect one s profile information.

Passport violations can obviously result in e-commerce disruption, as well as identity theft. Credit card information could be at risk ”though Microsoft now no longer offers the Passport Wallet service that maintained credit card and user information as a part of the overall Passport initiative. The Passport Wallet, with all those ready-to-use credit card numbers and expiration dates, was always an irresistible temptation to hackers. Thus, it was not surprising that a major flaw in Passport Wallet was exposed in late 2001. This flaw was so significant that Microsoft had no choice but to temporarily suspend the Wallet functionality. The Wallet capability is now no more. Rather than risk further exposures, and possible financial liability, Microsoft has totally withdrawn it. Today what remains of Passport is just the single sign-on capability, with the option to store some personal information so that one can receive personalized service at those sites that recognize and accept the information passed on by Passport.

Even without Wallet, Passport, when compromised, provides unscrupulous individuals with enormous amounts of unauthorized logon and service activation capability ” especially with portals that will react and activate personalized services based on the personal information (i.e., cookies) passed on by Passport ”enough to disrupt , if not severely damage, global trade. It could destabilize all aspects of e-business and e-commerce. Consequently, the U.S. Federal Trade Commission (FTC) felt obliged, quite rightly so, to intervene and check out Passport s security claims at the beginning of 2002, alleging that Microsoft made false security and privacy promises vis--vis the integrity of Passport!

On August 8, 2002, Microsoft entered into settlement with the FTC. The first paragraph of the FTC Press Release, which was entitled Microsoft Settles FTC Charges Alleging False Security and Privacy Promises, reads as follows : Microsoft Corporation has agreed to settle Federal Trade Commission charges regarding the privacy and security of personal information collected from consumers through its Passport Web services. As part of the settlement, Microsoft will implement a comprehensive information security program for Passport and similar services.

This press release then went on to categorize the areas where it felt that Microsoft had misrepresented what Passport did or did not do. This part of the press release, which can be found in its entirety at http://www.ftc.gov, reads as follows and is scathing to say the least:

According to the Commission s complaint, Microsoft falsely represented that:

It employs reasonable and appropriate measures under the circumstances to maintain and protect the privacy and confidentiality of consumers personal information collected through its Passport and Passport Wallet services, including credit card numbers and billing information stored in Passport Wallet.
Purchases made with Passport Wallet are generally safer or more secure than purchases made at the same site without Passport Wallet, when, in fact, most consumers received identical security at those sites regardless of whether they used Passport Wallet to complete their transactions.
Passport did not collect any personally identifiable information other than that described in its privacy policy, when, in fact, Passport collected and held, for a limited time, a personally identifiable sign-in history for each user.
The Kids Passport program provided parents control over what information participating Web sites could collect from their children.

Microsoft s settlement with the FTC hinged on its pledge to do a better job protecting the information contained in Passport, as well as the submission of audits pertaining to the safety of Passport every 2 years for the next 2 decades. Microsoft faced $11,000 per violation fines , where each Passport account put at risk could be counted as a violation ”and to this end it is worth remembering that Microsoft claims that there are more than 200 million active Passport accounts.

Since this landmark settlement, Microsoft has been forced to admit to two more serious vulnerabilities in Passport. The die has been cast. At the time of this writing, the FTC has yet to respond to these breaches. There is a possibility that the FTC could bring pressure upon Microsoft to close down Passport.

This, alas, is the somber background against which Passport needs to be discussed and evaluated. Microsoft launched Passport on October 11, 1999, as a means of streamlining commerce and communications on the Web. As such, Passport predates Web services per se by nearly a year when one takes into account that Microsoft, IBM, and Ariba did not get around to formalizing WSDL and UDDI until September 2000. To be fair, there was, and still is, a need for single sign-on and even digital wallets. E-commerce is not possible without explicit user identification and payment information (e.g., credit card number). Most portals, even public portals (e.g., Excite and MSN), now prefer users to log on (albeit even by using a cookie) so that they can enjoy a personalized service. This means that an active Web user is forced to maintain umpteen user IDs and corresponding passwords. This was the problem that Passport was going to solve.

Single sign-on has always been a double-edged sword. If you do not provide a single sign-on (or equivalent), users are forced to compromise security by either writing down all of their user IDs/passwords (where this list could be found by others) or to using simple (i.e., easy to guess) permutations . Single sign-on attempts to obviate this by enforcing stricter and tighter authentication ”but only by doing this once. The problem here is that if the single sign-on is compromised, a hacker gets access not just to one application or service ”but to a whole bunch of them. This is why many IT professionals have agonized over the years about the desirability of offering single sign-on.

Passport, with its security vulnerabilities, unfortunately shows single sign-on in its worst possible light. This said, it is important to remember that there is nothing that ties Passport with Web services ”even Web services provided by Microsoft. Passport is but an optional user authentication scheme. Yes, Microsoft, at least in the early days, tried to continually intertwine Web services and Passport. This was marketing. There are, as discussed in Chapter 1, Web services “specific security standards now being formulated. There is also the multivendor Liberty Alliance project. Down the road, one has to believe that Passport is unlikely to be an industry-standard security scheme that is in any way endorsed as a preferred way to authenticate Web services users, whether consumers or providers.