Passport Not Winning The Trust Game

Gartner advises its clients to pull the plug on Passport implementations in the wake of a recently discovered security flaw.
Market research group Gartner is advising businesses using Microsoft's Passport authentication service to pull the plug on it. The move is a response to a serious security flaw discovered May 7 that placed at risk the identities of roughly 200 million users of the online single-sign-on user-identity service.

Passport is used by customers to log on to E-commerce sites, E-mail, and instant-messaging accounts. Microsoft says Passport is a critical part of its vision for Web services and E-commerce.

The flaw made it possible for an attacker, knowing little more than the identity name of the targeted user, to hijack the user's Passport account and log in as if he were that user.

It's not clear how many Passport accounts, if any, were abused through the longstanding vulnerability.

Gartner is recommending that financial institutions, credit companies, online retailers, and anyone else using Passport for any "meaningful" business purpose immediately either "break all Passport connections" until November, or invest in "an additional, more secure form of authentication for all Passport identities."

Gartner also is warning users to carefully review Microsoft's recommendations for Passport account holders. Microsoft is recommending that Passport users try to log on to their Passport accounts. Those who still can log on probably have not been affected by the flaw. Those who have trouble, however, may have compromised accounts.

While Microsoft says it doesn't have any evidence that accounts have been misused, the company acknowledges a small number of accounts may have been breached.

"We think that the recommendations Gartner makes are not constructive for customers. While we know that we can always do better, we believe we have a solid set of processes and procedures in place to run Passport as a trusted service," a Microsoft spokesman responded in an E-mail.

Gartner's blow may not be the end of the beating Microsoft endures over its Passport gaffe.

In January, the Federal Trade Commission began requiring Microsoft to "implement and maintain a comprehensive information security program" around Passport services. An FTC spokeswoman would not confirm whether the agency is investigating or considering sanctions against Microsoft for the security flaw. She says, however, that the FTC "routinely investigates compliance with our orders."

Microsoft says it reacted within hours to secure Passport accounts and that the security flaw was fixed within eight hours. The FTC spokeswoman says Microsoft's response to the incident would be taken under consideration as part of any possible investigation.

Microsoft would not comment on the potential of an FTC investigation.

The FTC's complaint from August states that Microsoft exaggerated Passport's security advantages and the degree of anonymity and privacy users of the service enjoyed.

Gartner's report says Microsoft's Passport woes won't bode well for other single-sign-on identity services, "which have not yet succeeded in getting the consumer E-commerce market to accept identity services of this type." Microsoft execs haven't "proven themselves yet, and security is a huge issue for banks. We're advising our clients not to open up unnecessary vulnerabilities related to Passport," says Avivah Litan, VP and research director at Gartner.

But Litan says that in a federated identity architecture (where identities are not centrally managed and maintained), one security flaw would not, in theory, compromise all identities within that system. "This probably wouldn't happen under the Liberty architecture," she says.

Gartner says the Passport vulnerability will delay strong demand for such identity services until the end of 2004. The market research firm recommends that Microsoft submit its Passport code for open-source review as a way of regaining trust.