Privacy and Security Still Challenge Microsoft Passport

Consumer apathy and distrust of the Internet, not underlying technology, pose the biggest hurdles in getting Passport — Microsoft's security authentication service — accepted and widely used.

On 20 September 2001, Microsoft announced plans to expand its Passport authentication service to work with enterprises and network service providers. Passport will deliver universal, single, open sign-in that spans multiple enterprises and services.

Microsoft's decision to change the structure of Passport highlights a well-developed strategy to realize two major business goals:

• Ensure that its Windows operating system (OS) is at both ends of as many Internet transactions as possible
• Create a structure to support revenue growth from Hailstorm, which Microsoft will rename .NET My Services

As the major change in its strategy, Microsoft will move Passport from browser and Web mechanisms for user authentication over the Internet to communications based on Kerberos, an authentication system designed to enable two parties to exchange private information across an otherwise open network. Passport now uses the HTTP and an encrypted cookie to authenticate a user. It supports single sign-on through the user's browser to an enterprise's Web server software. The future Passport will use Kerberos directly from the user's OS to the enterprise's server OS. Since Microsoft's PC and server OSs, starting with Windows 2000, have support for Kerberos built in, by 2002 most PCs will be able to support this capability. However, non-PC devices that don't run Windows OSs will be at a disadvantage unless they add Kerberos support.

A Gartner survey has found that limited consumer interest and a general distrust of the service form the main barrier to Passport's success. Gartner therefore advises enterprises, especially online retailers, to:

• Be aware of consumers' privacy concerns
• Understand the low levels of trust in Internet companies and retailers
• Take note of the strong consumer resistance to using Passport for "one-click" shopping where they need to store financial and credit-card account information

Microsoft has decided that Passport must become part of the open standards that the vendor deems necessary for its acceptance. Microsoft has removed some restrictions in making Passport more open to ensure the success of .NET My Services. Consumers, though, don't care about underlying technologies, so the move will likely not reduce concerns about privacy and security.

Analytical Sources: John Pescatore, Information Security Strategies, David Smith, Internet Strategies, and Avivah Litan, Financial Services Payment Strategies