Passport Not Winning The Trust Game - InformationWeek

Gartner advises its clients to pull the plug on Passport implementations in the wake of a recently discovered security flaw.

Market research group Gartner is advising businesses using Microsoft's Passport authentication service to pull the plug on it. The move is a response to a serious security flaw discovered May 7 that placed at risk the identities of roughly 200 million users of the online single-sign-on user-identity service.

Passport is used by customers to log on to E-commerce sites, E-mail, and instant-messaging accounts. Microsoft says Passport is a critical part of its vision for Web services and E-commerce.

The flaw made it possible for an attacker, knowing little more than the identity name of the targeted user, to hijack the user's Passport account and log in as if he were that user.

It's not clear how many Passport accounts, if any, were abused through the longstanding vulnerability.

Gartner is recommending that financial institutions, credit companies, online retailers, and anyone else using Passport for any "meaningful" business purpose immediately either "break all Passport connections" until November, or invest in "an additional, more secure form of authentication for all Passport identities."

Gartner is also warning users to carefully review Microsoft's recommendations for Passport account holders. Microsoft is recommending that Passport users try to log on to their Passport accounts. Those who can still log on probably have not been affected by the flaw. Those who have trouble, however, may have compromised accounts.

While Microsoft says it doesn't have any evidence that accounts have been misused, the company acknowledges a small number of accounts may have been breached.

"We think that the recommendations Gartner makes are not constructive for customers. While we know that we can always do better, we believe we have a solid set of processes and procedures in place to run Passport as a trusted service," a Microsoft spokesman responded in an E-mail.

Gartner's blow may not be the end of the beating Microsoft endures over its Passport gaffe.

In January, the Federal Trade Commission began requiring Microsoft to "implement and maintain a comprehensive information security program" around Passport services. An FTC spokeswoman would not confirm whether the agency is investigating or considering sanctions against Microsoft for the security flaw. She says, however, that the FTC "routinely investigates compliance with our orders."

Microsoft says it reacted within hours to secure Passport accounts and that the security flaw was fixed within eight hours. The FTC spokeswoman says Microsoft's response to the incident would be taken under consideration as part of any possible investigation.

Microsoft would not comment on the potential of an FTC investigation.

The FTC's complaint from August states that Microsoft exaggerated Passport's security advantages and the degree of anonymity and privacy users of the service enjoyed.

Gartner's report says Microsoft's Passport woes won't bode well for other single-sign-on identity services, "which have not yet succeeded in getting the consumer E-commerce market to accept identity services of this type." Microsoft execs haven't "proven themselves yet, and security is a huge issue for banks. We're advising our clients not to open up unnecessary vulnerabilities related to Passport," says Avivah Litan, VP and research director at Gartner.

But Litan says that in a federated identity architecture (where identities are not centrally managed and maintained), one security flaw would not, in theory, compromise all identities within that system. "This probably wouldn't happen under the Liberty architecture," she says.

Gartner says the Passport vulnerability will delay strong demand for such identity services until the end of 2004. The market research firm recommends that Microsoft submit its Passport code for open-source review as a way of regaining trust.
