Additional Layers of Security


Some sites want or require extra security measures to further protect account information. .NET Passport can be used with Secure Sockets Layer (SSL), which encrypts the Web traffic between the client and the site, so an attacker who captures packets on the path between the user and the site cannot read the credentials or cookies they carry.

Another security mechanism is to require users to enter a separate credential, in addition to their email address and password, before signing in. This additional credential, called a security key, is similar to the personal identification number (PIN) you use at an ATM.

When a user attempts to sign into a participating site that requires a security key, he is directed to the .NET Passport registration page. There the user enters a four-character security key and then selects and answers a minimum of three questions. These questions, called secret questions, are used to validate the user if he forgets the security key. The security key cannot be set to log on automatically, nor can it be stored on the user's computer.

.NET Passport Authentication

.NET Passport authentication begins when a user requests, or is directed to, the .NET Passport sign-in page. The user's email address and password are verified against the user's entry in the .NET Passport database. After the user is authenticated, the user's .NET Passport Unique ID (PUID) and .NET Passport profile information are loaded.

The .NET Passport PUID and profile are used to create the following .NET Passport cookies:

  • Ticket cookie: Contains the PUID and a time stamp

  • Profile cookie: Contains .NET Passport profile information

  • Participating site cookie: Contains the list of sites the user has signed into

As described earlier, in "Installing and Configuring .NET Passports," a site must register itself, adhere to Microsoft's privacy policies, and more before it can obtain a .NET Passport user's authentication information. It is important to note that a user's email address and password are never shared with a participating site. Instead, the .NET Passport system encrypts the ticket and profile data with the site-specific encryption key that Microsoft issued to the site when it registered, and returns that encrypted information to the return URL supplied in the authentication request. Internet Explorer (IE) on the client machine then creates the three .NET Passport cookies.

At this point, the browser redirects the user to the participating site, and the Ticket and Profile cookies are sent with the request. The participating site's Passport Manager, configured through the Passport Manager Administration utility, decrypts and validates the cookie information with the site's key, and the site can then store or update its own user information.
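The exchange described above, as an added example that is not Microsoft's code and does not reproduce the real .NET Passport cookie format or cipher: a Python model in which the central authority verifies the email address and password, seals a ticket (PUID plus time stamp) and a profile under the key issued to the site, and the site decrypts them with that key and enforces a freshness window. The toy cipher (an HMAC-SHA256 keystream with an HMAC tag), the cookie layout, the user record, the site name shop.example, the PUID value and the 30-minute window are all constructed here for illustration.

```python
# Added example, not Microsoft's code: a simplified model of the .NET Passport sign-in exchange.
# The cipher, cookie layout, authority, site, user record and key below are all constructed here.
import base64
import hashlib
import hmac
import json
import os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter-mode keystream standing in for the real Passport cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(site_key: bytes) -> tuple:
    """Derive separate encryption and MAC keys from the key Microsoft issued to the site."""
    return hmac.new(site_key, b"enc", hashlib.sha256).digest(), hmac.new(site_key, b"mac", hashlib.sha256).digest()

def seal(site_key: bytes, payload: dict) -> str:
    """Encrypt-then-MAC a cookie payload; only the holder of site_key can read or forge it."""
    enc_key, mac_key = _subkeys(site_key)
    nonce = os.urandom(16)
    plaintext = json.dumps(payload, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()

def unseal(site_key: bytes, cookie: str) -> dict:
    """Check the MAC before decrypting, so a tampered cookie is rejected outright."""
    enc_key, mac_key = _subkeys(site_key)
    raw = base64.urlsafe_b64decode(cookie.encode())
    nonce, ciphertext, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cookie failed integrity check")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)

class PassportAuthority:
    """The central sign-in service: user records plus one key per registered site."""
    def __init__(self) -> None:
        self.users, self.site_keys = {}, {}

    def register_user(self, email: str, password: str, puid: str, profile: dict) -> None:
        salt = os.urandom(16)  # only a salted password hash is stored
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[email] = {"salt": salt, "digest": digest, "puid": puid, "profile": profile}

    def register_site(self, site_id: str) -> bytes:
        self.site_keys[site_id] = os.urandom(32)  # the key handed to the site when it registers
        return self.site_keys[site_id]

    def sign_in(self, email: str, password: str, site_id: str, now: int, visited: list) -> dict:
        record = self.users.get(email)
        if record is None:
            raise PermissionError("unknown user")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
        if not hmac.compare_digest(digest, record["digest"]):
            raise PermissionError("bad password")
        key = self.site_keys[site_id]
        # The site gets a PUID, a time stamp and profile data; the email and password never leave here.
        return {"ticket": seal(key, {"puid": record["puid"], "ts": now}),
                "profile": seal(key, record["profile"]),
                "sites": sorted(set(visited) | {site_id})}  # the participating-site cookie

def site_accept(site_key: bytes, ticket_cookie: str, profile_cookie: str, now: int,
                time_window: int = 1800) -> dict:
    """Participating-site side: decrypt with the site key and enforce a freshness window."""
    ticket = unseal(site_key, ticket_cookie)
    if now - ticket["ts"] > time_window:
        raise PermissionError("ticket too old; user must sign in again")
    return {"puid": ticket["puid"], "profile": unseal(site_key, profile_cookie)}

def rejects(call, exc_type) -> bool:
    """True if call() raises exc_type; used to show which requests are refused."""
    try:
        call()
    except exc_type:
        return True
    return False

def demo() -> dict:
    """Constructed walk-through: a fresh sign-in, a stale replay and a tampered ticket."""
    authority = PassportAuthority()
    authority.register_user("alice@example.com", "correct horse", "0006BFFD00112233", {"nickname": "alice"})
    key = authority.register_site("shop.example")
    issued = authority.sign_in("alice@example.com", "correct horse", "shop.example", 1_000_000, [])
    fresh = site_accept(key, issued["ticket"], issued["profile"], now=1_000_600)
    raw = bytearray(base64.urlsafe_b64decode(issued["ticket"].encode()))
    raw[20] ^= 0x01  # flip one bit inside the ciphertext
    tampered = base64.urlsafe_b64encode(bytes(raw)).decode()
    return {
        "puid": fresh["puid"], "nickname": fresh["profile"]["nickname"], "sites": issued["sites"],
        "stale_rejected": rejects(
            lambda: site_accept(key, issued["ticket"], issued["profile"], now=1_000_000 + 2400), PermissionError),
        "tamper_rejected": rejects(
            lambda: site_accept(key, tampered, issued["profile"], now=1_000_600), ValueError),
    }
```

Running demo() walks through a sign-in ten minutes after issue (accepted), a replay of the same ticket forty minutes after issue (refused by the freshness window) and a ticket with one ciphertext bit flipped (refused by the integrity check before anything is decrypted). The point to carry over to a real deployment is the order of checks on the site side: verify integrity, then freshness, and only then trust the PUID.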

.NET Passport Cookies

Any time a user signs out or closes the browser, the .NET Passport system runs a script that deletes all three temporary cookies for the participating site. This prevents someone else at the same machine from reusing the cookies and compromising the account. If the user neither signs out nor closes the browser, the .NET Passport cookies expire after a period of time controlled by the .NET Passport system or the participating site.

Although the .NET Passport system authenticates users, a participating site can use the Ticket and Profile data, once decrypted with its key, to generate its own cookies in its own domain for that user. These newly created cookies are placed on the user's machine and can be used only by that specific participating site. Participating sites can use this feature to personalize the user's experience while visiting their sites. For example, a user's profile and preferences can be stored on her machine so that the next time she connects to the participating site, the Web site's content is personalized for her.

Securing Communications

As mentioned earlier, a secure channel can be established when a user connects to the .NET Passport sign-in page. When the connection is established using SSL, the email address, password and any security key are encrypted in transit, and the user can sign in securely.

.NET Passport supports either the SSL implementation built into Windows Server 2003 or a certificate from a third-party SSL certificate provider. The version of SSL bundled with Windows Server 2003 is a more efficient and faster implementation than previous versions. However, SSL is processor-intensive and can impede performance on higher-capacity Web sites. For this reason, you should consider using high-performance network interface cards (NICs) that can offload SSL processing from the system processor(s). Doing so can significantly boost Web site response and performance.

Most users are not even aware that SSL is being used to provide a secure communications channel by encrypting traffic between their machines and the participating Web sites. SSL is transparent to users and does not affect how they sign into the site. Note that SSL protects only the connections that use it: if the participating site later accepts the Ticket cookie over plain HTTP, that cookie travels in the clear on those requests, so pages that receive the .NET Passport cookies should be served over SSL as well.




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
Year: 2006
Pages: 499