Security is always a compromise. Make it too tough and people will look for ways to avoid it; make it too simple, and it becomes irrelevant. Solving this dilemma has plagued the industry for many years, and there is still no clear solution in sight. Competing technologies require specific hardware, new business processes and the re-education of users. In addition, many are not yet ready for widespread deployment because of issues such as privacy.
Enter Microsoft, which has been working to develop its Passport product from a simple mail access system into a broader security offering, encompassing the wider Internet and internal corporate IT systems. Microsoft has been keen to promote Passport as a single sign-on mechanism removing the need for users to remember multiple account names and passwords across different websites and services. This has been reasonably well-received by consumers – there can be few users who have just one Internet-based account requiring a username and password.
When people find themselves with multiple accounts, there is a tendency to use the same username and password several times. But once someone knows how you key in your details for access to one account, all your accounts are compromised. There is a greater problem in that the support departments of most Internet service providers, web shops and even online banks can view your password details in clear text.
Few consumers realise just how easily they are compromised daily. Microsoft has been allowing third parties to offer access to a site or service using Passport as the logon mechanism, but the username (known as your Passport ID), your e-mail address and your chosen password are not stored on the service provider’s system, but within Passport. This allows you to use your Passport ID to access any sites participating in the Passport program but retain central control and management of your details. To prove the system’s capabilities, and in line with its policy of practising what it preaches, Microsoft has implemented Passport across Microsoft.com and related sites such as MSN and Hotmail. This is an important opportunity for Microsoft to show that a single sign-on mechanism can be used by a large company.
There are more than 50 different areas on the Microsoft site where customers and partners have needed to log on to access resources. As you would expect, managing this has been a long-term problem and a source of great dissatisfaction for customers and partners alike. By bringing this under the control of Passport, Microsoft has simplified its users’ logon process considerably. However, Microsoft has a broader agenda. In 2000, UK journalist Jon Honeyball was the first to propose a two-tier internet authentication model that would result in free and subscription-based Passport IDs. He also outlined Microsoft’s intention to link Passport and the Windows Active Directory.
The first part of this project, formerly codenamed Hailstorm, is now known as .Net My Services, and the initial code was delivered to developers at Microsoft’s Professional Developer Conference 2001 in Los Angeles. .Net My Services is a set of user-centric web services. It consists of 14 initial services, some of which will be offered free to users while the remainder will be offered by Microsoft and a number of third parties as a set of chargeable premium services. Among the services are My Calendar, My Contacts, My Location, My Profile, My Alerts and My Wallet.
Each user of .Net My Services will require a Passport account, which can be obtained for free. Their Passport User ID (PUID) will be used as the unique identifier for every piece of data stored. Whenever the user’s data needs to be accessed, the PUID will be used to validate the user and allow actions to be carried out on their data. Microsoft believes that other vendors will want to offer their own web services as part of this user-centric focus, and is very keen to discuss a federated approach. This is important to Microsoft if it is to avoid potential lawsuits and successfully open up the initiative to other service designers and providers.
The Kerberos connection
Yet opening up these services and allowing interoperability with other vendor offerings requires a solution that can guarantee security. The result is that Microsoft is planning version 3 of Passport, which will support the Kerberos encryption standard, adopting the IEEE Kerberos 5 protocol. There are still some additional components that Microsoft believes can be added to strengthen Kerberos. The result should be that any service provider can create their own single sign-on mechanism, and as a top-level security provider interact with Passport to allow users to use any validated credentials to access websites.
For .Net My Services to really be deployed, Passport version 3 must be in place before any services go live, meaning Microsoft will need to implement this during the first half of this year. Yet this is only part of the story. The current focus of Passport is as a user-centric, single sign-on mechanism, but Microsoft intends to open it up so that it can be allocated to groups and even small businesses. To do this, Passport must evolve from an e-mail address and password system to an authentication system with its own management tools.
“We’ve introduced a feature into Passport that allows you to create a Passport namespace within the system and manage it,” says Microsoft’s US Passport general manager, Hal Howard. “The administrator can control who gets a user ID in that namespace, the policies around issuing those IDs, and what data is stored about those accounts for purposes such as password reset.” But the most exciting development is the plan to integrate Passport with Active Directory. This will allow corporate administrators to use Passport in two ways. The first is to allow Passport owners to access a corporate website and any related resources. There will also be new fields created in the user account area where any user can have an existing Passport ID stored with their other details, allowing them to access corporate resources from external locations. The second use will be to extend the way that users access external resources by exposing corporate ID as a Passport. When a user accesses a Passport-enabled site, that site will validate the user with their corporate site. This is targeted at organisations which require their users to access resources owned by partners in the supply chain.
Just the ticket
The mechanism for both scenarios meets Microsoft’s federated model well. There will be a number of top-level security providers who will issue Kerberos tickets. For the Active Directory extensions to work, you will need a relationship with one of those providers. Each will have a business agreement likely to require an audit of policies and procedures before the highest level of security is agreed. Microsoft believes that the SAS 70 certification, which is seen as equivalent to ISO 9000, will be used for this purpose.
By using a third-party mechanism such as SAS 70 and having a clear standards and certification process, businesses can handle both consumer and business partner access to their systems. The advantage of this over solutions such as mySAP is that it places the responsibility for revocation of credentials firmly with the corporate body for whom the individual works, as well as allowing for non-repudiation to be used in a transaction. There are other steps that can be taken to strengthen that security process. At present, Microsoft does a poor job of explaining what level of protection is provided by those partners who offer Passport services. Howard accepts the need to publish the criteria that partners must reach before they are certified by Microsoft, as well as the need for regular auditing of those partners through third parties. Again, this is likely to be based on SAS 70. Howard also recognises that to make Passport a corporate choice there is a need to resolve problems such as cached passwords.
“Until six months ago, Passport was focused on consumers and we have been making the shift towards a business as well as a consumer focus,” he says. “There is the provision, even when you have said ‘remember my password’, for the downstream site to not accept a ticket issued from a cached password. The process exists in the program today where you can ask when was the last time they actually entered their credentials. It’s already implemented in the wallet service, and as we get into higher-value services, I expect that feature to be used more heavily.
“For high-end security scenarios, where you want a secondary PIN, there is a feature called SecureKey that is a PIN as a layer on top of the normal username and password, that can only be entered at the time of transaction.
“There is no mechanism built into Passport to remember it. You get prompted for it every time it is used.”
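The policy Howard describes (a downstream site refusing a ticket minted from a cached password, asking when credentials were last actually entered, and requiring a per-transaction SecureKey PIN that is never remembered) can be modelled as a relying-party decision function. This is an added illustration, not Passport's real ticket format or API; the Ticket and ServicePolicy fields, the timestamps and the policy values are all constructed assumptions.

```python
# Constructed model of a relying party's ticket policy; not Passport's real ticket or API.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class Decision(Enum):
    ACCEPT = "accept"
    REAUTHENTICATE = "reauthenticate"        # user must re-type the password
    REQUIRE_SECUREKEY = "require_securekey"  # transaction-time PIN still needed
    REJECT = "reject"

@dataclass(frozen=True)
class Ticket:
    issued_at: datetime
    expires_at: datetime
    last_credential_entry: datetime   # when the user last actually typed the password
    from_cached_password: bool        # minted from a "remember my password" cookie

@dataclass(frozen=True)
class ServicePolicy:
    max_credential_age: timedelta     # how recently the password must have been typed
    accept_cached: bool               # tolerate a cached-password ticket at all
    securekey_required: bool          # high-value: PIN layered on username/password

def evaluate(ticket: Ticket, policy: ServicePolicy, now: datetime,
             securekey_entered: bool = False) -> Decision:
    """Decide what a downstream site should do with a presented ticket."""
    if ticket.expires_at <= now or ticket.issued_at > now:
        return Decision.REJECT                 # expired or not yet valid
    if ticket.from_cached_password and not policy.accept_cached:
        return Decision.REAUTHENTICATE         # site refuses remembered passwords
    if now - ticket.last_credential_entry > policy.max_credential_age:
        return Decision.REAUTHENTICATE         # password typed too long ago
    if policy.securekey_required and not securekey_entered:
        return Decision.REQUIRE_SECUREKEY      # PIN is never remembered, so prompt
    return Decision.ACCEPT

def sample_decisions() -> dict:
    # Constructed scenarios: a low-value site versus a wallet-style service.
    now = datetime(2002, 3, 1, 12, 0, tzinfo=timezone.utc)
    valid = (now - timedelta(minutes=1), now + timedelta(hours=8))
    fresh = Ticket(*valid, now - timedelta(minutes=1), False)
    cached = Ticket(*valid, now - timedelta(days=10), True)
    forum = ServicePolicy(timedelta(days=30), accept_cached=True, securekey_required=False)
    wallet = ServicePolicy(timedelta(minutes=15), accept_cached=False, securekey_required=True)
    return {
        "forum_cached": evaluate(cached, forum, now).value,
        "wallet_cached": evaluate(cached, wallet, now).value,
        "wallet_fresh_no_pin": evaluate(fresh, wallet, now).value,
        "wallet_fresh_pin": evaluate(fresh, wallet, now, securekey_entered=True).value,
    }
```

The same cached-password ticket is accepted by the low-value site and bounced to re-authentication by the wallet service, and even a freshly issued ticket does not reach the wallet without the SecureKey PIN.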
Howard believes there is an opportunity for third parties to enter the security market. “Identity verification will create an opportunity for third-party authentication vendors, primarily with My Services,” he says. “If you have stored an address in the My Profile service, one of the things you may want to add to your address is: has this been certified and by whom? How do I know that this user can receive packages at that address?
“Someone can create a service to offer validation that may involve sending me a piece of registered mail of some sort that contains an activation code. Once I’ve signed for that mail and they have the receipt back, I go to the website and enter the activation code. Immediately it’s bound to my address so they can say the address is real because I can receive mail.
“This could go much further, with the very highest level being in-person proofing where I show up in front of some government agency and prove who I am with official documents or whatever is appropriate for that process.”
Although it will take several releases for all the issues to be ironed out, Microsoft’s willingness to adopt a more open use of Kerberos and work with other vendors should accelerate the deployment of wider, more secure, authentication for both businesses and the consumer.
This article originally appeared in Computing.