Microsoft on Thursday rushed to put the kibosh on talk that it was abandoning the single sign-on Passport identity management service.
But even as company officials insist that Passport “will be around for a long time,” it has become increasingly clear that a series of security-related hiccups has ruined consumer trust in the Web-based tool.
Online auction and e-commerce giant eBay Inc. announced it would discontinue support for Passport and .NET alerts early in the new year, following several other high-profile sites in ditching the service.
eBay did not provide reasons for the sudden decision. In a note posted online, the company said existing Passport customers would have to sign in directly through the eBay log-in process.
“[T]he Microsoft Passport button that is currently displayed on sign-in pages will be replaced with links to a page with more information, including Help in case you cannot remember your user ID or password,” according to the notice.
Despite losing a high-profile client, Adam Sohn, product manager for Passport at Microsoft Corp., maintained a brave front.
“Passport will be around for a long time. We still use it across all our sites and nothing has changed in that regard,” Sohn told eWEEK.com. He said the service would continue to provide single sign-on service for millions of MSN Hotmail users and other Microsoft-owned services.
Third-party companies that use Passport will continue to receive support, he added.
“We are committed to providing partners with a secure and flexible authentication service,” Sohn said. “eBay’s decision is not a reflection of our strategy.”
Microsoft also released a brief statement that confirmed a strategic shift in the company’s thinking on Passport and removed the .NET directory listing.
Instead of marketing Passport to third-party companies looking for a one-stop shop where personal information is stored and used for online activity, the focus will shift to providing identity management for Microsoft-owned businesses.
“Over the past couple of years, Microsoft learned a lot working with partners and customers and shifted the focus of the service to serve as a great single sign-on solution for consumers of MSN and Microsoft online services, as well as working with close partners where it made sense for both parties,” the statement read.
At the same time, Microsoft said it was making progress with industry partners on a set of specifications for federation based on Web services. “[We] fully expect the Passport service to federate where appropriate via these Web services-based protocols.”
Last year, after news leaked out that a serious security hole in the Passport service had put millions of users at risk of identity theft attacks, research firm Gartner issued a scathing report warning enterprises against adopting Passport.
The Gartner warning, issued by analysts John Pescatore and Avivah Litan, accused Microsoft of failing to thoroughly test Passport’s security architecture, adding that the security vulnerability raised “serious doubts about the reliability of every Passport identity issued to date.”
Microsoft’s Passport pullback could turn into a big win for the likes of Verisign Inc. and RSA Security Inc., two companies hawking two-factor authentication solutions for enterprises.
Verisign’s Unified Authentication managed service gives businesses the ability to deploy USB (Universal Serial Bus) tokens to all of their users for two-factor authentication, while allowing Verisign to manage the infrastructure.
RSA Security’s SecurID hardware tokens are already being used by America Online Inc.’s subscribers to offer a secondary tier of protection for online accounts.
Judy Lin, vice president of security services at Verisign, said she thinks the security hiccups proved to be Passport’s downfall. “Over the past 12 to 18 months, there has been an increased focus on security. We’ve all seen the increase in scams like phishing and identity theft so, for identity management to work, it has to be done in a secure environment,” Lin said.
“Whether it’s eBay, the service providers or the financial services institutions, they are focused on security. We’ve seen very strong interest in two-factor authentication. They’re looking more and more at a physical device in place of a password to sign on to important and critical applications.”
Lin believes the convenience of a single sign-on service would be appealing only if it comes within a secure foundation. “If you’re going to use a password to protect all your sensitive information and all your online applications, there will always be that element of worry,” she added.
Instead, she said Verisign’s two-factor tokens let users enter a secret, static PIN on a key ring-sized device to generate unique, one-time passwords. The generated digits change on the fly and can be used to authenticate an existing password on the PC. Subsequent log-ins require generation of new passwords.
Officials from RSA Security could not be reached for comment.
Check out eWEEK.com’s for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.