Passport Problems Show Software-Based Security's Fatal Flaw
7 November 2001
John Pescatore, Avivah Litan
Microsoft keeps offering fixes for its troubled Passport authentication service, but the intrinsic flaws of such software-only digital wallets still make them unsuitable for sensitive information.

 News
Note Number:  FT-14-8719
Related Terms:  Security Technology and Products

Event

Microsoft has acknowledged that it shut down part of its Passport Internet authentication system for 48 hours beginning 2 November 2001. Microsoft apparently intended to resolve a security problem related to cross-site scripting that could enable hackers to access users' credit card information.

First Take

Passport offers another example of Microsoft releasing software with major security vulnerabilities that it later attempts to solve with patches, "hot fixes" and new releases. This approach may reduce the risk of the original vulnerability but often opens up new security weaknesses. The latest Passport "fix" reduces the user's window of vulnerability from 15 minutes after log-in to 30 seconds, but neither delivers adequate security nor addresses the root cause of the problem. If Microsoft's planned Passport migration from browser-based mechanisms to Kerberos operating system-based authentication takes place, it will eliminate the basis for this weakness by 2003. However, this approach will not help today's Passport users (according to Gartner research, 25 million U.S. consumers have signed up with Passport — though only 7 million know it).

The latest vulnerability also shows that software-only solutions cannot deliver high levels of security for sensitive or otherwise valuable information. Software-only protection may suffice for low-value site registration information — e.g., name, zip code and preferences — but high-value information requires the use of a smart card, hardware token or biometric input. Smart cards provide a major additional benefit besides strong authentication: storage capacity to keep sensitive information offline.

Gartner's research shows that consumers are already wary of Passport-type systems; in a recent study, only 2 million U.S. Passport users reported storing credit card information using the service (see Research Note M-14-5779 "Microsoft Passport: Build It and They Will Haltingly Come"). Enterprises should not encourage their customers — or their employees — to use software-only systems for storage of sensitive information before 2005, when vulnerabilities of Passport and competing systems will be thoroughly exposed and resolved and when smart cards for home PCs will be readily available. All applications developed during this period should support migration to smart cards as soon as feasible, likely after 2005 for consumer applications.

Analytical Sources: John Pescatore, Information Security Strategies, and Avivah Litan, Financial Services Payment Systems

Written by Terry Allan Hicks, gartner.com

Need to know: Reference Material and Recommended Reading

  • "Microsoft Passport: Many Registrations, but Few Users" (M-14-4839) Although Microsoft will succeed in building a ubiquitous Passport registry, the company's ability to earn much revenue from Web services — also known as .NET My Services — is far from certain. By Avivah Litan
  • "Liberty Alliance Seeks to Advance Open Identity Systems" (FT-14-5959) For a discussion of another approach to authentication. By David Smith and Daryl Plummer
