A Closer Look at Passport
Sep. 10, 2001

Passport, Microsoft's system for authenticating users, is becoming increasingly important to the company's future. A broad array of future services will tap into Passport, and it provides an important proof-of-concept for Microsoft’s vision of Web-based services. Microsoft not only requires Passport for many of its own Web sites but is also linking to it from within Windows XP, and encouraging third parties to implement it on their own sites. Organizations and users stand to gain some benefits from Passport, but companies should understand its design, implementation, and possible downsides, and users should understand exactly what information Passport collects and how it is used. (See the sidebar "Is Passport Paranoia Justified?".)

What Passport Does for Microsoft

Microsoft introduced Passport in 1999 to make MSN more convenient for users. Passport allowed users to access any MSN property while using a single username and password, and to store certain information necessary for e-commerce—such as their credit card numbers and shipping address—in a centralized "Wallet," so they could make purchases without reentering this information. Passport not only improved the MSN user experience but also provided Microsoft a way to gather aggregate demographic and usage information, such as the average age of Hotmail users or the average number of MSN sites a user signed into in a single month. (Passport's architecture and privacy policies prevent Microsoft from using this information to target specific marketing messages at individual users.)

Once Passport was established, Microsoft quickly extended it: today, users must use Passport to sign in to nearly all of Microsoft's consumer services (such as MSN Messenger and MSN Internet Access) and to many of its corporate sites (such as eOpen, which tracks the status of license agreements).

Why Third-Party Adoption Is Important

To move Passport beyond Microsoft’s own properties, the company introduced Passport Express Purchase (EP), which allows users to share their Wallet information with third-party Web sites, and released a Passport SDK, allowing other companies to implement Passport Single Sign-In (SSI) authentication on their Web sites. (The rest of the industry calls this functionality single sign-on, and abbreviates it SSO.) It also created Kids Passport, hoping that this service would spur Passport implementations among businesses anxious to comply with the Children's Online Privacy Protection Act (COPPA).

Microsoft currently charges no fees for businesses to use Passport, although the company does plan to cover costs by imposing an annual licensing fee and heavy-usage charges in the future, most likely when the HailStorm Foundation Services become available in early 2002. (For background on HailStorm, see "HailStorm Fulfills Crucial Roles for .NET" on page 18 of the May 2001 Update.) Microsoft has stated that it will never charge consumers to use Passport.

If Microsoft gains no direct revenue from Passport, why is the company encouraging third parties to implement it on their Web sites? There are several reasons:

Create a user base for fee-based services. By opening Passport to third parties, the company hopes to spur consumer adoption: the more sites that offer Passport, the more reason users will have to sign up. Microsoft then hopes to monetize this user base by encouraging Passport users to sign up for future, fee-based Web services, most notably the HailStorm Foundation Services.

Proof of concept. Web services are a fundamental part of the .NET vision. Although Passport does not currently use XML or the Simple Object Access Protocol (SOAP), as future .NET Web services will, it shows that Microsoft can run a reliable, scalable, and secure Web-based service—crucial if the company is to convince businesses and users to trust it with future services, such as the HailStorm Foundation Services.

Promoting the "Web lifestyle." Widespread adoption of Passport would make it easier for users to shop online and perform other functions for which authentication is required. Microsoft hopes this ease-of-use will drive consumer demand for PCs and other Internet-connected devices running Microsoft software, and will encourage consumers to turn to the Web for more and more tasks, driving demand for server applications such as SQL, BizTalk, and Commerce Server, and other Web-centric products, such as FrontPage, bCentral, and MSN Internet Access.

Passport's Appeal

To achieve these goals with Passport, Microsoft must evangelize its benefits to consumers and to third-party Web sites.

Consumers. Passport's appeal to consumers comes primarily in added convenience. Instead of remembering dozens of passwords and user IDs for multiple sites, and reentering their information every time they come to a new site, consumers can tap Passport for all this information and easily pass it to participating sites. With Windows XP, users can even enter their Passport information into a wizard, then allow the operating system to share their credentials automatically with participating sites. (Windows XP users may still have to type in a password, depending on the individual site's sign-in criteria.)

EP for e-commerce sites. Passport EP presents some clear benefits to e-commerce sites, and more than 60 sites currently use it. First, it reduces the barrier to successful transactions by allowing customers to make purchases without manually entering payment information. Passport EP also provides an inexpensive way for organizations to associate a unique ID with each shopper, making it possible to cross-reference a user’s Wallet information with other information, and to track shoppers among different e-commerce sites operated by the same company.

SSI for all sites. The benefits of implementing SSI are less obvious and, so far, Microsoft has had little luck getting third-party sites to implement SSI—at press time, only six third-party sites offered it. Apart from enabling e-commerce transactions (which can be done more easily through EP), there are only two logical reasons for a site to put up an authentication barrier. The first is to grant access to fee-based services or premium sections of a Web site. This could become increasingly common, especially if Web advertising revenues remain weak. The second reason is to collect information about each user for marketing purposes. Although Passport no longer collects personal information from users, SSI provides an easy way to associate a consistent user identity with personal information collected by the site through other means.

Passport Single Sign-In

Derived from the authentication process for Hotmail (acquired in Jan. 1998) and Firefly Technology's personalization technology (acquired in Apr. 1998), Passport SSI is the core Passport service. All other Passport services use SSI, and it will be the authentication system for many of Microsoft's future initiatives, including all services that tap into the HailStorm Foundation Services.

Creating an SSI Identity

Users create an SSI identity by entering a valid e-mail address and password at the Passport sign-up page or in the Passport Wizard in Windows XP. In addition, all Hotmail users (including those who get a Hotmail account through affiliated ISPs, such as MSN Internet Access) are automatically assigned a Passport based on their e-mail address and password.

Users who create a Passport at the Passport sign-up page are no longer asked to share any personal information. However, if users create a Passport account through Windows XP, or by signing up at some other site, such as Hotmail, they might be asked to enter some personal information, such as their state, ZIP code, and gender; Passport will share this information with participating sites under certain conditions. (For details, see the sidebar "Is Passport Paranoia Justified?".)

The SSI Process

Although the underlying implementation details are dramatically different, Passport's concepts are very similar to the proven Kerberos authentication scheme used by Windows 2000 Active Directory and many Unix systems.

Passport SSI uses a combination of cookies and redirected HTTP requests with encrypted query strings to authenticate users and share user-approved personal information with participating sites. No server-to-server communication ever takes place between the participating Web site—even a Microsoft-owned site such as MSN—and the Passport servers. This eliminates any possibility that restricted material, such as password-related information, will inadvertently be shared with participating sites.

For a detailed chart showing the step-by-step authentication process, see "Passport Single Sign-In Process".

By default, closing the browser automatically deletes all Passport cookies from the user's machine and ends the user's Passport session. However, users have the option to continue a session even if they close their browser or turn their computer off. By maintaining the session, they reduce the number of sign-in screens they encounter when they continue browsing. If they choose this option, they can end their Passport session only by clicking a "Passport sign out" icon that appears on participating SSI sites. (For details, see the sidebar "Passport Sign Out".)
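The exchange described above, modelled as an added example written for this article rather than Passport's own code or protocol: the participating site sends the browser to the authentication server with its Site ID and return URL in the query string, the server authenticates the user and sends the browser back with an encrypted ticket in the query string, and the site decrypts that ticket with the key issued to it, sets a session cookie, and removes the cookie again on sign-out. The two servers never contact each other, so the password never reaches the site. The cipher is a stand-in (an HMAC-SHA256 keystream with an HMAC tag, so the example runs on the standard library); the real service's cipher, ticket format and parameter names are not on the page. The site IDs, keys, accounts and URLs are constructed.

```python
"""Redirect-based single sign-in model (added example; not Passport's own code).
The cipher below is a stand-in so the example runs on the standard library."""
import base64
import binascii
import hashlib
import hmac
import json
import os
import time
from urllib.parse import parse_qs, urlencode, urlsplit

NONCE_LEN, TAG_LEN, PBKDF2_ROUNDS = 16, 32, 100_000


def _derive_keys(site_key):
    # Separate encryption and MAC keys derived from the key issued to the site.
    return (hmac.new(site_key, b"enc", hashlib.sha256).digest(),
            hmac.new(site_key, b"mac", hashlib.sha256).digest())


def _xor_stream(enc_key, nonce, data):
    # Counter-mode keystream built from HMAC blocks, XORed over the data.
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_ticket(site_key, payload):
    """Encrypt-then-MAC a JSON payload into a URL-safe token."""
    enc_key, mac_key = _derive_keys(site_key)
    nonce = os.urandom(NONCE_LEN)
    body = _xor_stream(enc_key, nonce, json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + body + tag).decode()


def open_ticket(site_key, token):
    """Return the payload, or None if the token was altered or sealed for another site's key."""
    enc_key, mac_key = _derive_keys(site_key)
    try:
        raw = base64.urlsafe_b64decode(token)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        return None
    return json.loads(_xor_stream(enc_key, nonce, body))


class AuthServer:
    """Stand-in for the central authentication servers (constructed, not the real service)."""

    def __init__(self):
        self.site_keys = {}   # site ID -> key issued to that site at registration
        self.accounts = {}    # e-mail -> (salt, PBKDF2 hash, opaque user ID)

    def register_site(self, site_id):
        self.site_keys[site_id] = os.urandom(32)
        return self.site_keys[site_id]

    def create_account(self, email, password, user_id):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.accounts[email] = (salt, digest, user_id)

    def sign_in(self, login_url, email, password, now=None):
        """Browser arrives via the site's redirect; return the redirect back, or None on failure."""
        query = parse_qs(urlsplit(login_url).query)
        site_id, return_url = query.get("id", [None])[0], query.get("ru", [None])[0]
        if site_id not in self.site_keys or email not in self.accounts or not return_url:
            return None
        salt, digest, user_id = self.accounts[email]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return None
        # Only an opaque user ID, the site ID and a timestamp travel back; the password stays here.
        payload = {"uid": user_id, "site": site_id, "iat": int(now or time.time())}
        return return_url + "?" + urlencode({"t": seal_ticket(self.site_keys[site_id], payload)})


class ParticipatingSite:
    """Stand-in for the site-side component that builds redirects and manages cookies."""

    def __init__(self, site_id, site_key, login_url):
        self.site_id, self.site_key, self.login_url = site_id, site_key, login_url
        self.cookies = {}     # cookies the site would set in the user's browser

    def login_redirect(self, return_url):
        return self.login_url + "?" + urlencode({"id": self.site_id, "ru": return_url})

    def accept_return(self, url, max_age=300, now=None):
        query = parse_qs(urlsplit(url).query)
        ticket = open_ticket(self.site_key, query.get("t", [""])[0])
        if ticket is None or ticket.get("site") != self.site_id:
            return False      # forged, altered, or issued for another site
        if (now or time.time()) - ticket["iat"] > max_age:
            return False      # stale ticket: reject rather than start a session
        self.cookies["session"] = ticket["uid"]
        return True

    def sign_out(self):
        self.cookies.clear()  # the checklist requirement: remove the cookies on sign-out
```

The site accepts a ticket only if it decrypts and verifies under the site's own issued key, names that site, and is fresh; a ticket issued for a different site, an altered query string, or an old ticket replayed later all fail before any cookie is set.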

Kids Passport

SSI sites can also implement the Kids Passport service, which is architecturally almost identical to the basic SSI service. With Kids Passport, Passport checks for an "under 13" flag in the personal information stored for a user and, if this flag is present, redirects the user to parental permission screens (where the parent must enter his own Passport information, then grant or deny permission to the site), or prompts the user to send an e-mail to a parent requesting permission (this e-mail contains the URL for the permission screens).

More than a year after the introduction of Kids Passport, only three third-party sites have incorporated it.

Passport Express Purchase

Passport Express Purchase (EP) enables users to store their credit card information, billing address, and shipping address in a centralized Wallet, then instantly post this information to participating e-commerce sites, rather than entering it manually. Because it is easier to implement and provides more immediate benefits, EP is far more popular than SSI or Kids Passport.

How EP Works

To use EP, the user must already have a Passport ID and password. The user initiates the EP process by clicking the Passport Express Purchase icon on any participating e-commerce site, which redirects the user's browser to the Passport EP servers.

EP authenticates the user exactly like any participating SSI site, then transfers the user's Wallet information and Passport ID to the e-commerce site over a secure connection. The e-commerce site then uses this information as if the user had entered it directly. The e-commerce site plays no part in authenticating the user.

For a detailed chart showing the step-by-step EP process, see "Passport Express Purchase Process".

Implementing Passport

Organizations must go through the following steps to implement Passport services on their Web sites:

1. Download the Passport SDK (SSI only). The Passport SDK includes the necessary software and administrative tools for implementing SSI, as well as example sites for reference. The current version, Passport SDK 1.4, requires Windows NT 4.0 Service Pack 4 or later, IIS 4.0 or later, and Internet Explorer 4.0 Service Pack 2 or later (to view the reference sites). Businesses should note that Passport SDK 2.0, offering significant new benefits, is expected in October (see "Should Businesses Wait?" below).

The SDK is not required for implementing EP.

2. Obtain a preproduction ID. All Passport SSI and EP sites must be tested in a preproduction environment and approved by Microsoft before going live. To enable this, sites must register for a preproduction Site ID (SSI sites also must get a preproduction decryption key) and create a preproduction site on a URL that Microsoft can access.

3. Install Passport Manager/EP button. The Passport SDK contains the Passport Manager, a COM object that enables sign in, sign out, and data collection. Passport Manager is responsible for decrypting the Passport information sent in HTTP redirects, and reading and writing cookies to the user's machine. It also periodically downloads XML documents from Passport that contain the latest URLs of the appropriate Passport servers for the redirects, as well as descriptions of the "profile schema"—the formats in which users' personal information is stored and transmitted.

Passport EP does not require the Passport Manager. Instead, an organization must simply place the EP button in the appropriate location on its e-commerce site (usually below the shopping cart), associate this button with the appropriate URL to redirect users to the EP servers, and create the query strings that send the necessary information (the Site ID and Return URL) to Passport when the user clicks the button. EP sites must also be able to receive users' Wallet information via HTTPS-POST.

4. Create co-branding templates. The participating site must create templates with its own graphics and text to ensure that the co-branded Passport sign-in page and/or Wallet page reflects the site's look and feel.

5. Submit the checklist. After the preproduction site is complete, organizations must submit to Microsoft a checklist that has specific interface design, architecture, and security requirements (for example, the site must have the necessary scripts installed to remove its Passport cookies when the user logs off).

6. Production ID and key. Microsoft ensures that the preproduction site meets all the checklist criteria and, if so, issues a production Site ID (and, for SSI sites, a production decryption key). The site may now go live.

Unix Implementations

A Unix version of Passport SDK 1.4 is available for sites using Apache or iPlanet Web servers on Sun Solaris, and for Apache on Linux. Organizations using other Web servers or versions of Unix may be able to use Passport SDK 1.1.

Because the Passport Manager is system code, rather than application code, Microsoft warns that SSI implementations on Unix are relatively complex and require a team with significant experience in Unix system administration, systems programming, application programming, and Web development. More details about Unix SSI implementations are available in the SDK documentation.

EP does not use the Passport Manager or the Passport SDK, and therefore can be implemented on Unix platforms with no additional strain.

Unproven Reliability, Demand

The primary risk for businesses considering Passport is that the Passport servers could become unavailable because of a denial-of-service attack or other failure. Microsoft's Director of .NET Platform Strategy, Adam Sohn, says, "We do many things to ensure the security and availability of the service, from physical distribution and redundancy to strong physical access controls to the data center to sophisticated intrusion detection and monitoring." He suggests that the company might allow third-party audits of Passport and other .NET Web Services to provide more details to businesses worried about these issues. Passport has so far been unaffected by outages that have taken down other Microsoft services. (See "Web Outages Raise Reliability, Security Questions" on page 21 of the Mar. 2001 Update and "MSN Messenger Suffers Outage" on page 30 of the Aug. 2001 Update.)

In addition, many Web users are ignorant of Passport's potential benefits, or do not trust Microsoft with their personal information. According to a recent Gartner survey, only 11 percent of U.S. adult Internet users "strongly believe that Passport will improve their online experiences," and about 70 percent of non-Passport users are "very unlikely" to sign up for Passport within the next six months. Moreover, about one-third of all online consumers are "very concerned" that Microsoft will either not keep their information secure or will sell it to third parties without consulting them. Although most other large Internet companies have the same problem (AOL is even less trusted than Microsoft, according to Gartner), businesses may not see much benefit from implementing Passport services if most Internet users do not plan to sign up for a Passport anyway. Microsoft must do a better job explaining Passport's benefits and assuring users that it will respect their privacy if it wants Passport to become ubiquitous on the Internet.

Finally, both AOL and Sun have announced plans to create and license competing authentication services. Although neither company has released technical details, and Microsoft has a two-year lead, one of these competing systems may eventually dominate, making Passport adoption a wasted venture.

Should Businesses Wait?

Businesses considering implementing Passport—particularly Passport SSI—on their sites might want to wait until after Oct. 2001, when two important events will occur. First, Microsoft will reveal more details of its HailStorm Foundation Services at the Professional Developers' Conference. Second, Microsoft is expected to launch version 2.0 of Passport SSI (which it has already implemented on its own sites) and the Passport SDK 2.0. This upcoming version of SSI will be required for all businesses that want to offer services based on the HailStorm Foundation Services. It will also offer users enhanced privacy features, such as support for the Platform for Privacy Preferences (P3P), and alternate authentication credentials (such as PINs and telephone numbers), including the ability to log on with those credentials from a variety of mobile devices. (For details about P3P, see "Microsoft Treads Narrow Line on Privacy".)

After these events, it may be easier for businesses to make an educated decision about whether to implement Passport now, wait to incorporate Passport 2.0 as part of a larger HailStorm implementation, or pass on it completely.

Resources

Information about Passport for businesses is at www.passport.com/business/.

Technical information for developers, including links to download the SDK and all related documentation, is at www.passport.com/devinfo/. (A Passport is required to access this information.)

A less technical white paper, including some information about Passport 2.0, is at www.passport.com/business/whitepaper.asp.

Information about Passport for users, including links to the Passport privacy policy, is at www.passport.com/consumer.

Kids Passport is at http://kids.passport.com/.

The full text of the original complaint about Passport and HailStorm filed with the Federal Trade Commission is available at www.epic.org/privacy/consumer/MS_complaint.pdf. The updated complaint is at www.epic.org/privacy/consumer/MS_complaint2.pdf.