Research firm Gartner is advising businesses that use the Microsoft Passport authentication service to stop deploying the technology. This advisory is the second from the company in recent months to suggest that customers drop a Microsoft product; last year, Gartner advised companies to stop using the Microsoft IIS Web server. As with the IIS advisory, a security vulnerability is the catalyst for the new advice, and now, as then, Gartner is out of line.
Passport, you might recall, is a Microsoft service that lets users create one logon for Web sites, Instant Messaging (IM), e-commerce, and other online activities. The company is converting Passport to a Web services model and will soon release a federated trust server that will help Windows-based enterprises link internal user authentication to Passport accounts on the Internet. Microsoft claims hundreds of millions of Passport users, but most of those users are really Hotmail accounts (Hotmail requires a Passport account).
Last week, Microsoft fixed a major Passport vulnerability that could have let attackers take over user accounts. This vulnerability is the reason for Gartner's recommendation that companies--specifically financial institutions, credit companies, e-commerce sites, and anyone else using Passport for "meaningful business purposes"--immediately drop Passport and wait for the November release of a Passport update, which will feature more secure authentication technologies. The parallels to Gartner's IIS advice are striking: Gartner advised companies to immediately drop IIS until Microsoft released a more secure version (Internet Information Services--IIS--6.0, part of Windows Server 2003). In both instances, Gartner offers no usable advice about what companies should do in the meantime. In other words, Gartner identifies a problem but doesn't offer a real solution.
"We think that the recommendations Gartner makes are not constructive for customers," a Microsoft spokesperson said. "While we know that we can always do better, we believe we have a solid set of processes and procedures in place to run Passport as a trusted service."