Microsoft increases Passport security

Microsoft began notifying Passport users on Monday night of changes that would give them more control over their accounts and increased privacy and security. The changes could eliminate two of the biggest customer gripes against Passport: that users can create accounts using bogus email addresses and that users cannot easily cancel accounts they no longer wish to keep.

"Microsoft is just trying to clean up stuff," said independent security analyst Richard Smith. "They're fixing some problems here in what is a natural evolution of Passport."

The Redmond, Washington-based software giant will begin making the account changes immediately but expects it to take several weeks before all Passport holders will have access to the new features.

Like competing technology being developed by the Sun Microsystems-sponsored Liberty Alliance, Passport is a single ID mechanism that can be used to access multiple Web sites, thus eliminating the need for users to remember many different IDs or passwords. Microsoft acquired the technology for Passport when it bought Firefly Network in April 1998. Although Microsoft shuttered Firefly in August 1999, many Firefly developers remained at Microsoft to work on Passport. Microsoft officially launched the authentication service in March 1999, later requiring its use in MSN Messenger and other Microsoft products.

Microsoft uses Passport authentication for its MSN Messenger and Hotmail email services, Microsoft Developer Network (MSDN) online access and Microsoft Reader e-book purchases, among other product and service offerings. The authentication service also is a cornerstone for .Net, Microsoft's slowly evolving Web services strategy. Third parties, such as eBay and Starbucks, also use Passport authentication for delivering services.

Microsoft has been working on the Passport changes for some time. "This process started a year ago, and we are going to begin rolling out service updates to Passport," said Adam Sohn, Microsoft's product manager for the .Net Platform Strategy. "It's a regular update to the service."

Passport renewed
The first change only affects new account holders, who will no longer be able to use a bogus email address to establish a Passport. Microsoft requires consumers to use an email address as their Passport ID, but had not mandated that the address be legitimate or belong to the account holder. Consumers signing up for new Passports will now receive an email that requires them to validate receipt of the message to permanently establish the account.

"The owner of the inbox that email address belongs to can either verify that account or say, 'Hey wait a minute, someone's trying to hijack my email address,' and stop it," Sohn said. "You have a short grace period in which to verify your account." Initially that would be four days or five logins, but Microsoft could adjust the grace period depending on user feedback.

The second change could bolster Passport security. Microsoft is moving all the information viewed in a Web browser, such as the login page or member services, to servers hosted in a domain separate from the authentication components. That information would come from passport.net rather than passport.com. The two-domain mechanism also will eliminate the long, hard-to-decipher URL the user sees in the browser's Web address bar.

"This enables two things," Sohn said. "No. 1, users will very easily see that URL, know that they're at the right site and that someone is not trying to spoof them. Secondly, it is a significant security step, because if someone really got malicious they would not be able to access the authentication token, since that would reside in a separate domain called passport.com."

Eliminating the long URLs is an important security enhancement, Smith said. "It's good that all that gobbledygook goes away because it makes it more difficult for the bad guys to redirect you to what appears to be a legitimate Passport site but is not. But there are still some issues here," where someone could create a fake Passport page and "users aren't savvy enough to look at the address bar."

Microsoft also is making it easier for people to convert a Kids Passport account into a full-fledged Passport. During the sign-up process users must give their birth date and year, but Microsoft has found too common a situation where the current date is entered in that field by accident. This automatically turns the account into a Kids Passport. The process of contacting customer service to convert the account to a full Passport could at times be burdensome, Sohn admitted. Users will now be able to convert the accounts online by providing, say, a credit card number. "We don't store that information," Sohn said. "We just go out and check that information and then, basically un-kid you."

The final change addresses one of the biggest gripes made about Passport, by consumers, privacy groups and even during Microsoft's antitrust case: account cancellation. In theory, an account can be closed through Passport customer service, but some users have complained this isn't easy to do. J. Belkin, of Danville, California, said he signed up for Passport to take advantage of a 20 percent discount offered through MSN. "I found out afterward, there's no way to purge that info so I went and changed everything to nonsensical info."

Microsoft will now provide a tool that will let Passport holders cancel their accounts online. "We built in the logic so we have different tasks for different kinds of Passports," Sohn said. "So if you decide you want to close your Hotmail Passport account, we're obviously going to give you a different experience than if you just want to close 'joe@passport.com.' That way you don't accidentally close an account."

Microsoft started notifying Passport users of the changes around 9 p.m. (PDT) on Monday. For some Passport users, the changes are nice, but not necessary. "I don't have any real problems with Passport.
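The isolation Sohn describes rests on how browsers scope cookies to domains (RFC 6265): a cookie set for passport.com is sent to passport.com and its subdomains, never to a passport.net host, so a flaw in the page-serving domain cannot read the token cookie. The following Python example is added here for illustration; it is not Microsoft's code and models nothing about Passport's real token format. It implements the RFC's domain-match rule and a minimal cookie jar, then contrasts a single-domain layout (a token cookie scoped to passport.com is visible to every passport.com host, including one that only serves the login UI) with the split layout the article describes. The host names, cookie name and token value are constructed.

```python
"""Cookie domain scoping per RFC 6265 (sections 5.1.3, 5.3 and 5.4), as an
added example of why serving UI and auth from separate registrable domains
keeps the auth token cookie away from the UI hosts."""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # lower-case, no leading dot
    host_only: bool   # True when set without a Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: a host domain-matches a cookie domain when they are
    equal, or when the host ends with '.' + cookie domain.  (The IP-address
    exclusion in the RFC is omitted in this example.)"""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


class CookieJar:
    def __init__(self):
        self.cookies = []  # list of Cookie

    def set_cookie(self, origin_host, name, value, domain=None):
        """Store a cookie set by origin_host.  RFC 6265 5.3 step 6: a Domain
        attribute that the setting host does not match is rejected, so a
        passport.net page cannot plant a cookie for passport.com."""
        origin_host = origin_host.lower()
        if domain is None:
            self.cookies.append(Cookie(name, value, origin_host, host_only=True))
            return True
        domain = domain.lower().lstrip(".")
        if not domain_matches(origin_host, domain):
            return False
        self.cookies.append(Cookie(name, value, domain, host_only=False))
        return True

    def cookies_for(self, request_host):
        """RFC 6265 5.4: which stored cookies a request to request_host carries."""
        request_host = request_host.lower()
        sent = {}
        for c in self.cookies:
            if c.host_only:
                if request_host == c.domain:
                    sent[c.name] = c.value
            elif domain_matches(request_host, c.domain):
                sent[c.name] = c.value
        return sent


def single_domain_layout():
    """Auth and UI both under passport.com: the UI host receives the token."""
    jar = CookieJar()
    jar.set_cookie("auth.passport.com", "ticket", "TOKEN-constructed", domain="passport.com")
    return jar.cookies_for("login.passport.com")


def split_domain_layout():
    """Token scoped to passport.com, UI served from passport.net: no token sent."""
    jar = CookieJar()
    jar.set_cookie("passport.com", "ticket", "TOKEN-constructed", domain="passport.com")
    return jar.cookies_for("www.passport.net")


def cross_domain_set_rejected():
    """A passport.net host cannot set a cookie scoped to passport.com."""
    jar = CookieJar()
    return jar.set_cookie("www.passport.net", "ticket", "forged", domain="passport.com")


if __name__ == "__main__":
    print("single domain, UI host sees:", single_domain_layout())
    print("split domains, UI host sees:", split_domain_layout())
    print("cross-domain set accepted:", cross_domain_set_rejected())
```

The suffix check in `domain_matches` is what stops a look-alike such as evilpassport.com from matching passport.com; the check is on ".passport.com" as a label boundary, not on a plain string suffix.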
I think it's a good service," said Donny Kavanagh, a Passport user from Ontario, Canada. "When it comes to having one login for all the Microsoft as well as partner Web sites then you really can't complain. It makes things a lot easier."

Passport rejected

Microsoft did not make the changes in response to a Federal Trade Commission (FTC) complaint about Passport, Sohn said. "This is all stuff that's been in the works for some time."

In early August, Microsoft settled with the FTC over privacy problems and potential security breaches with the Passport service. The FTC responded to a July 2001 complaint filed by 14 consumer and privacy groups, including the Electronic Privacy Information Center and Junkbusters, that Passport and its accompanying Wallet service violated Section 5 of the Federal Trade Commission Act. The FTC's six-page complaint faulted Microsoft for failing to adhere to its own privacy policy, among other violations. The agency found potential problems with Passport security, although no breaches were uncovered. Microsoft agreed to government oversight for 20 years, third-party certification and stricter security measures and changes to its privacy policies and practices.

Microsoft already has started that process. Windows Media Player 9 Series, which will be available in a beta, or testing, version on Wednesday, delivers a new, prominently displayed privacy options control and privacy statement.

Microsoft next year plans to launch TrustBridge, a single ID service similar to Passport but built for businesses. That ID can be created through Passport; Active Directory, which is Microsoft's directory server software included with Windows 2000 Server; or through any other ID system on any operating system that supports Kerberos, a network security standard. Microsoft also plans to add Kerberos security to Passport sometime next year.

Microsoft also faces other challenges wooing customers to use Passport. In April, market researcher Gartner found that the majority of consumers are distrustful of using online identity and authentication accounts such as Passport. Gartner found that most people sign up for an account because they are forced to, but that doesn't necessarily mean they use the IDs. Microsoft requires a Passport to use Hotmail, MSDN and other services and to use some features found in Windows XP. Gartner found concern about the security of personal data, such as credit card numbers, to be one of the biggest reasons consumers resisted online authentication services.

Belkin falls into that category. "I would bet there are more days in a year that we hear of some security breach for a Microsoft product than days we do not," he said. "I do trust merchants that seem to offer prompt customer service like Amazon...and in a sense, when I order stuff from their auctions and used stores, it's sort of the same thing as a Microsoft Passport -- but I trust them."