Source Code, Stronger Authentication Support Passport
Oct. 28, 2002

In an effort to popularize Passport as a platform for user authentication, Microsoft will make freely available the source code for Passport Manager, the server component that Web sites need to implement Passport. This will enable ISVs to port Passport Manager to other operating systems and to build Passport authentication into applications. Microsoft is also making Passport authentication stronger by providing new tools for end users and working with partners. Microsoft believes these moves will help popularize Passport among corporations and help stave off the Liberty Alliance, which recently released an open-source tool for creating Liberty-compliant applications.

Open Source Helps ISVs Support Passport

Beginning in Nov. 2002, Microsoft will license the source code for Passport Manager, a server-side COM object that companies must install to implement the Passport authentication service on their Web sites. The source code will be available for free under Microsoft’s Shared Source License, and companies will be able to modify or redistribute it as part of commercial products.

Microsoft believes that opening the source code will increase the corporate user base for Passport in two ways: by making it easier to create versions of the Passport Manager that can be installed on Unix systems, and by making it easier for ISVs to build Passport support into other corporate applications.

Unix-based Passport Manager. Currently, Passport Manager is easiest to install on Windows servers running Internet Information Services (IIS, Microsoft's Web server), although Microsoft also makes versions available for the Apache and iPlanet Web servers running on Sun Microsystems' Solaris (a version of Unix) and for Apache running on Linux. By opening the source code, Microsoft makes it possible for ISVs to create and, equally important, support versions of Passport Manager that can be installed on many other flavors of Unix. For example, Ready-to-Run—the ISV that created the Unix versions of Passport Manager for Microsoft—will sell versions of Passport Manager for IBM's AIX, Hewlett-Packard's HP-UX, Red Hat Linux, and Solaris.

Passport in other applications. Microsoft also believes that source-code access will make it easier for ISVs to incorporate Passport Manager into other applications.

An example of the type of application Microsoft has in mind is OpenNetwork's DirectorySmart software. DirectorySmart runs on top of Windows Active Directory and enables corporations to give users (e.g., employees, partners) a single sign-on ID for accessing many different types of resources (e.g., Internet and extranet sites, applications) running on various platforms and protocols. OpenNetwork recently built Passport support into DirectorySmart, enabling users to log on to corporate resources using their Passport IDs.

By revealing the Passport Manager source code, Microsoft hopes to make it easier for other ISVs to follow in OpenNetwork's footsteps.

Stronger Authentication

Passport currently offers fairly weak authentication: users need only enter a valid e-mail address and a six-character password. For Passport to become a truly universal platform, it must support stronger authentication. Recent demonstrations by the company suggest two ways that Microsoft will work toward this goal:

Working with partners. Microsoft is encouraging ISVs to incorporate Passport into other authentication systems that offer stronger authentication.

For example, RSA Mobile, a two-factor authentication service for Web sites that need extra security (e.g., finance, insurance, or healthcare customer-service sites), recently announced it will incorporate Passport. The system will allow a customer to sign in to a secure Web site with a Passport ID; to further verify the user's identity, the site will then send a one-time access code to the customer's mobile phone via Short Message Service (SMS). (The customer must share a mobile number with the site when signing up.) The customer will then enter this one-time code into the browser. So even if an attacker can steal a user's Passport username and password, the attacker must also have the user's cell phone to log on to the site.
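The out-of-band second step described above, as an added illustration that is not RSA Mobile's or Passport's own code: after the primary Passport login succeeds, the site issues a short-lived, single-use code, delivers it through a pluggable SMS sender, and only then accepts the session. The class and method names, the six-digit code length, the five-minute expiry and the three-guess limit are all assumptions chosen for the example; the SMS sender is a constructed stub that records what would have been sent.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example, not figures from the article.
CODE_TTL_SECONDS = 300   # a code is only valid for five minutes after issue
MAX_ATTEMPTS = 3         # a challenge is discarded after three wrong guesses


@dataclass
class Challenge:
    """One pending one-time code for one user."""
    username: str
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class SecondFactor:
    """Issues and verifies one-time access codes delivered out of band (e.g. by SMS).

    Hypothetical API written for this example. send_sms(number, message) is any
    callable that delivers the text; clock() returns the current time in seconds.
    """

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms
        self._clock = clock
        self._phones = {}       # username -> mobile number shared at sign-up
        self._challenges = {}   # username -> pending Challenge (at most one)

    def enroll(self, username, mobile_number):
        """Record the mobile number the customer shared when signing up."""
        self._phones[username] = mobile_number

    def issue(self, username):
        """Call only after the primary (Passport) login succeeded; sends a fresh code."""
        if username not in self._phones:
            raise KeyError("no mobile number on file for this user")
        # secrets, not random: the code must be unpredictable to an attacker
        code = f"{secrets.randbelow(10**6):06d}"
        # Issuing a new code replaces any older pending one for the same user.
        self._challenges[username] = Challenge(username, code, self._clock())
        self._send_sms(self._phones[username], f"Your one-time access code is {code}")
        return True

    def verify(self, username, submitted):
        """Return True exactly once per issued code, and only within its lifetime."""
        ch = self._challenges.get(username)
        if ch is None or ch.used:
            return False                      # nothing pending, or replay of a used code
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            del self._challenges[username]    # expired: the user must request a new code
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self._challenges[username]    # too many guesses: discard the challenge
            return False
        # Constant-time comparison so response timing does not reveal matching digits.
        if hmac.compare_digest(ch.code, submitted):
            ch.used = True
            return True
        return False


if __name__ == "__main__":
    # Constructed demo: the "phone" is just a list capturing the outgoing message.
    outbox = []
    sf = SecondFactor(send_sms=lambda number, msg: outbox.append((number, msg)))
    sf.enroll("alice", "+1-555-0100")
    sf.issue("alice")                          # primary login already passed
    delivered_code = outbox[-1][1].split()[-1]
    print("attacker with only the password:", sf.verify("alice", "000000"))
    print("user reading the code off the phone:", sf.verify("alice", delivered_code))
    print("replaying the same code:", sf.verify("alice", delivered_code))
```

The point the article makes, that a stolen username and password is not enough on its own, shows up as the first `verify` call failing and the second succeeding; the replay and expiry checks are what keep a code that was intercepted once from being reused later.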

New tools for end users. Microsoft Chief Technology Officer Craig Mundie recently demonstrated a prototype tool that checks end users' Passport passwords, alerts them if the passwords are too easy to guess, and suggests how to make them stronger (e.g., use a combination of numbers, letters, and symbols; don't use easily guessed words or dates). The company says this is just one of many tools that Microsoft is considering adding to the Passport service to strengthen authentication.
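A checker of the kind the prototype described above would need, written as an added example rather than Microsoft's tool: it applies the article's three pieces of advice (length and character mix, no easily guessed words, no dates) as heuristics and returns the matching suggestions. The eight-character minimum, the short word list and the date patterns are assumptions constructed for the example.

```python
import re

# Assumed threshold; the article only notes that a six-character password is weak.
MIN_LENGTH = 8

# Constructed stand-in for a real dictionary of easily guessed words.
COMMON_WORDS = {"password", "passport", "welcome", "letmein", "qwerty", "microsoft"}

# Character classes whose mix the advice asks for.
CHARACTER_CLASSES = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]

# Substrings that look like dates: a year, 10/28/2002, 28-10-02, 102802, 10282002.
DATE_PATTERNS = [
    re.compile(r"(19|20)\d{2}"),
    re.compile(r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}"),
    re.compile(r"^\d{6}$|^\d{8}$"),
]


def check_password(password):
    """Return (is_strong, suggestions) for a candidate password.

    is_strong is True only when no heuristic fires; suggestions lists the
    article's advice that applies, in a fixed order.
    """
    suggestions = []

    if len(password) < MIN_LENGTH:
        suggestions.append(f"Use at least {MIN_LENGTH} characters")

    classes_present = sum(bool(re.search(p, password)) for p in CHARACTER_CLASSES)
    if classes_present < 3:
        suggestions.append("Use a combination of numbers, letters, and symbols")

    # Strip digits and symbols so that "Passport2002!" is still caught as "passport".
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if letters_only in COMMON_WORDS:
        suggestions.append("Don't use easily guessed words")

    if any(p.search(password) for p in DATE_PATTERNS):
        suggestions.append("Don't use dates")

    return (not suggestions, suggestions)


if __name__ == "__main__":
    # Constructed sample inputs, from the weak six-character case to a strong one.
    for candidate in ["abc123", "Passport2002!", "10/28/02", "c0rrect-H0rse-B4ttery"]:
        strong, advice = check_password(candidate)
        print(f"{candidate!r}: {'strong' if strong else 'weak'} {advice}")
```

A tool like this can only flag patterns it knows about, so a clean result means "no obvious problem found", not "unguessable"; that is why the article presents the checker as one of several measures alongside a second factor rather than as a replacement for it.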

Eventual Goal: Passport as Standard

Passport is not a significant revenue generator for Microsoft (companies pay an annual fee of $10,000 and periodic maintenance fees of $1,500 to implement the service on public Web sites). But the company believes that a platform-level user authentication service is necessary to popularize interorganizational Web services: companies will not expose their data as Web services unless they can be reasonably sure that outsiders accessing this data are who they say they are. Although each company could set up its own authentication system for this purpose, Microsoft believes a universal service based on common standards will make it easier for these authentication systems to interoperate or "federate" with one another.

Meanwhile, plans for a competing authentication platform proposed by the Liberty Alliance, a consortium of companies led by Microsoft rival Sun, continue to move forward. Liberty released the first version of its specification, which is based on protocols different from Passport, in July 2002, and Sun's Identity Server 6.0, expected by the end of 2002, will be the first shipping product to support Liberty. In September, Sun released a tool consisting of Java source code samples that implement the Liberty specification; corporate developers and ISVs can use this tool to build and test Liberty-compatible applications.

Microsoft would prefer to support only one platform for authentication—its own. By releasing the Passport Manager source code and strengthening its authentication, Microsoft hopes to create a thriving group of Passport development partners and increase corporate adoption before Liberty gets off the ground. Yet, if Liberty does become popular, Microsoft and the consortium will almost certainly take steps to allow the two systems to interoperate.

Resources

To apply for a license to view the Passport Manager source code, see www.microsoft.com/sharedsource. The program will begin in November.

For background on Passport Manager and the process of implementing Passport, see "A Closer Look at Passport" on page 12 of the Oct. 2001 Update.

For more information on DirectorySmart, see www.opennetwork.com.

For more information on RSA Mobile, see www.rsasecurity.com/products/mobile.

For more information on the Liberty Alliance, see www.projectliberty.org/.