The first change only affects new account holders, who will no longer be able use a bogus email address to establish a Passport. Microsoft requires consumers to use an email address as their Passport ID, but had not mandated that the address be legitimate or belong to the account holder. Consumers signing up for new Passports will now receive an email that requires them to validate receipt of the message to permanently establish the account. "The owner of the inbox that email address belongs to can either verify that account or say, 'Hey wait a minute, someone's trying to hijack my email address,' and stop it," Sohn said. "You have a short grace period in which to verify your account." Initially that would be four days or five logins. But Microsoft could adjust the grace period, depending on user feedback. The second change could bolster Passport security. Microsoft is moving all the information viewed in a Web browser, such as the login page or member services, to servers hosted in a domain separate from the authentication components. That information would come from passport.net rather than passport.com. The two-domain mechanism also will eliminate the long, hard-to-decipher URL the user sees in the browser's Web address bar. "This enables two things," Sohn said. "No. 1, users will very easily see that URL, know that they're at the right site and that someone is not trying to spoof them. Secondly, it is a significant security step, because if someone really got malicious they would not be able to access the authentication token, since that would reside in a separate domain called passport.com." Eliminating the long URLs is an important security enhancement, Smith said. "It's good that all that gobbledygook goes away because it makes it more difficult for the bad guys to redirect you to what appears to be a legitimate Passport site but is not. But there are still some issues here," where someone could create a fake Passport page and "users aren't savvy enough to look at the address bar." Microsoft also is making it easier for people to convert a Kids Passport account into a full-fledged Passport. During the sign-up process users must give their birth date and year, but Microsoft has found too common a situation where the current date is entered in that field by accident. This automatically turns the account into a Kids Passport. The process of contacting customer service to convert the account to a full Passport could at times be burdensome, Sohn admitted. Users will now be able to convert the accounts online by providing, say, a credit card number. "We don't store that information," Sohn said. "We just go out and check that information and then, basically un-kid you." The final change addresses one of the biggest gripes made about Passport, by consumers, privacy groups and even during Microsoft's antitrust case: account cancellation. In theory, an account can be closed through Passport customer service, but some users have complained this isn't easy to do. J. Belkin, of Danville, California, said he signed up for Passport to take advantage of a 20 percent discount offered through MSN. "I found out afterward, there's no way to purge that info so I went and changed everything to nonsensical info." Microsoft will now provide a tool that will let Passport holders cancel their accounts online. "We built in the logic so we have different tasks for different kinds of Passports," Sohn said. "So if you decide you want to close your Hotmail Passport account, we're obviously going to give you a different experience than if you just want to close 'joe@passport.com.' That way you don't accidentally close an account." Microsoft started notifying Passport users of the changes around 9 p.m. (PDT) on Monday. For some Passport users, the changes are nice, but not necessary. "I don't have any real problems with Passport. I think it's a good service," said Donny Kavanagh, a Passport user from Ontario, Canada. "When it comes to having one login for all the Microsoft as well as partner Web sites then you really can't complain. It makes things a lot easier." Passport rejected Microsoft did not make the changes in response to a Federal Trade Commission (FTC) complaint about Passport, Sohn said. "This is all stuff that's been in the works for some time." In early August, Microsoft settled with the FTC over privacy problems and potential security breaches with the Passport service. The FTC responded to a July 2001 complaint filed by 14 consumer and privacy groups, including the Electronic Privacy Information Center and Junkbusters, that Passport and its accompanying Wallet service violated Section 5 of the Federal Trade Commission Act. The FTC's six-page complaint faulted Microsoft for failing to adhere to its own privacy policy, among other violations. The agency found potential problems with Passport security, although no breaches were uncovered. Microsoft agreed to government oversight for 20 years, third-party certification and stricter security measures and changes to its privacy policies and practices. Microsoft already has started that process. Windows Media Player 9 Series, which will be available in a beta, or testing, version on Wednesday, delivers a new, prominently displayed privacy options control and privacy statement. Microsoft next year plans to launch TrustBridge, a single ID service similar to Passport but built for businesses. That ID can be created through Passport; Active Directory, which is Microsoft's directory server software included with Windows 2000 Server; or through any other ID system on any operating system that supports Kerberos, a network security standard. Microsoft also plans to add Kerberos security to Passport sometime next year. Microsoft also faces other challenges wooing customers to use Passport. In April, market researcher Gartner found that the majority of consumers are distrustful of using online identity and authentication account such as Passport. Gartner found that most people sign up for an account because they are forced to, but that doesn't necessarily mean they use the IDs. Microsoft requires a Passport to use Hotmail, MSDN and other services and to use some features found in Windows XP. Gartner found concern about security of personal data, such as credit card numbers, to be one of the biggest reasons consumers resisted online authentication services. Belkin falls into that category. "I would bet there are more days in a year that we hear of some security breach for a Microsoft product than days we do not," he said. "I do trust merchants that seem to offer prompt customer service like Amazon...and in a sense, when I order stuff from their auctions and used stores, it's sort of the same thing as a Microsoft Passport -- but I trust them."
E-commerce is transforming business around the globe. Get the latest headlines at ZDNet UK's E-commerce News Section.
Have your say instantly, and see what others have said. Go to the ZDNet news forum.
Let the editors know what you think in the Mailroom.
