Microsoft .NET Passport Must Set Security Bar Higher

Microsoft agrees to improve .NET Passport security

Although in the past Microsoft lambasted open-source projects as inherently insecure, the company has chosen to embrace the idea of open source by using the Kerberos protocol—again. According to, Microsoft will marry its technology with Kerberos technology to make its next generation of .NET Passport more secure and somewhat open-source.

The last time Microsoft began to use Kerberos technology, in conjunction with Windows 2000, critics screamed because Microsoft had apparently inserted undocumented modifications into the technology. Twisting open-source code into proprietary technology through undocumented changes is a definite no-no. Now, however, Microsoft is turning to Kerberos to improve .NET Passport security in response to Federal Trade Commission (FTC) scrutiny that resulted in specific charges.

Microsoft described its .NET Passport, launched in 1999, as "a suite of Web-based services that makes using the Internet and purchasing online easier and faster. .NET Passport provides users with single sign-in (SSI) and fast purchasing capability at a growing number of participating sites, reducing the amount of information users must remember or retype." Many popular shopping sites, including eBay (which recently acquired PayPal), offer .NET Passport as a means to conduct business through their portals.

Because SSI is the core feature of .NET Passport, Kerberos is an obvious choice to use as part of the core authentication methodology. To learn more about Microsoft's Kerberos implementation, read Jan De Clercq's article "Win.NET Server Kerberos" on our Web site. De Clercq discusses the new Kerberos delegation features that Microsoft has embedded in Windows .NET Server (Win.NET Server) 2003.

According to the FTC, Microsoft made false claims about .NET Passport's security and privacy. Microsoft recently came to an agreement with the commission by which the company will work to mend the problems. Under the agreement, Microsoft will change the way the company communicates with consumers about the security and privacy of the .NET Passport service and change the way Kids Passport works to some extent, as you'll see below.

As Microsoft Senior Vice President and General Counsel Brad Smith noted, "The FTC's complaint asserts that we should have taken additional security steps earlier in the operation of the Passport service." Smith went on to say: "Even though we know of no instance where a Passport user's information has ever been compromised, in hindsight we wish we had held ourselves to an even higher bar."

The FTC's complaints were certainly justified, however. You might recall that in November 2001, I wrote about one researcher who required just 30 minutes to discover that when Hotmail and .NET Passport were combined, an intruder could quickly empty a user's "wallet." On Microsoft's behalf, Smith acknowledged .NET Passport's shortcomings and promised change: "Consistent with our heightened security obligations, we accept responsibility for the past and will focus on living up to this high level of responsibility in the future."

Toward that goal, according to Microsoft Corporate Vice President Brian Arbogast, the company will "document the comprehensive information security program that protects the security, confidentiality, and integrity of the personal information collected from our customers. We will also ensure that a third-party professional firm reviews, advises us, and ultimately certifies that our information-security program is designed and operates with sufficient effectiveness to provide reasonable assurances that the security, confidentiality, and integrity of every Passport user's information is protected. We will also ensure that all of the statements we make about the service are accurate and clear. Finally, we will strengthen training for all the managers involved with Passport, to ensure that they understand and comply fully with this order."

The FTC also raised concerns about Kids Passport, particularly noting that children could bypass the controls their parents placed on the technology. Microsoft said that it has taken steps to remedy that situation by making Kids Passport more "kid-proof."

The new agreement with the FTC will be in force for 20 years. To read more about Microsoft's perspective on the agreement, visit the company's Web site. In related news, Microsoft has licensed security technology from RSA Security that will strengthen the authentication mechanisms .NET Passport uses. Be sure to read about that licensing agreement in the related news item in this newsletter.
