Microsoft Revamps Passport

Amid ongoing criticism and challenges from privacy groups, Microsoft is close to issuing a new Passport, the authentication system that is at the center of its Internet initiative .Net.

Microsoft expects to release in August Passport 2.0, an update to the single sign-on authentication service.

Passport lets subscribers store basic information about themselves, such as an e-mail address or ZIP code. Then, subscribers can log on to Web sites that support Passport and make purchases without having to re-enter their personal information. MSN and other Microsoft properties and partners already support Passport.

"It will be posting to the Web very soon," says Tonya Klause, a Microsoft spokesperson.

The new release comes as privacy and consumer groups intensify their protest against Passport. They charge Microsoft with insufficiently protecting the privacy of consumers who use the service. A coalition of privacy advocacy groups has asked the Federal Trade Commission to investigate Passport and its use in the upcoming Windows XP operating system.

Boosting Security

Microsoft is working to provide a greater level of privacy and security in future releases of the authentication service, including Passport 2.0, says Keith Brown, an engineer with DevelopMentor and columnist for Microsoft's MSDN developers Web site. Brown spoke about Passport Wednesday at DevelopMentor's Conference.Net meetings in San Francisco.

Microsoft has already promised to strengthen Passport's privacy functions. Less customer information will be required, and stronger encryption added in Passport 2.0.

A subsequent release will further enhance privacy and security, say Brown and other engineers working closely with Microsoft's Hailstorm technology, the Web services that require use of Passport. Brown says a future version of Passport will implement Kerberos, a security technology standard developed at MIT. The technology is widely used in government applications, and is implemented in Windows 2000.

Microsoft representative Klause calls Kerberos support "an option," along with other authentication technology such as smart cards, biometrics, and digital certificates.

Kerberos will become the key technology to securely authenticate Passport subscribers who access Web-based services, such as those included in Hailstorm, says David Chappell, a technical consultant who authored a white paper on Hailstorm for Microsoft.

Challenges Continue

Some privacy advocates have said Microsoft's recent revisions do not go far enough. But Kerberos would be a welcome addition, says Richard Smith, chief technology officer of the Privacy Foundation, an advocacy group involved with the FTC complaint.

"Kerberos is a very good step in the right direction for providing security, which is not privacy necessarily," Smith says. "It should address a lot of the problems that Passport has from a security standpoint."

AOL Time Warner is developing an alternative single sign-on authentication called "Magic Carpet," designed to let AOL members easily sign on to member Web sites. Although the project is in stealth mode, an AOL engineer attending Conference.Net says Magic Carpet is an extension of AOL's Screen Name Service.

"Competition would actually help Passport succeed," Chappell says.

Engineers attending Conference.Net are expressing interest in adopting Passport and other Hailstorm services, despite questions about security and privacy.

"There is a big need for this," says an engineer from The Goldman Sachs Group, who asked to remain unnamed. "There is a huge market for this in financial services." Goldman Sachs has built its own authentication system to support online services, but the engineer says it doesn't satisfy all of the company's needs.

Passport is likely to continue to present challenges, says DevelopMentor's Brown. Adding Kerberos and other encryption technologies doesn't address some simpler issues. For example, someone could build a Web site with a false Passport sign-on logo and dupe customers into entering their logons and passwords, Brown says.

"We kind of have to ask ourselves, is the Internet ready for this?" he says.