RealTime IT News

eBay Nixing Microsoft's Passport

UPDATED: Microsoft has lost another partner to market its single sign-on services after auction giant eBay said it will no longer support Passport and its .NET alerts.

In a notice released late Wednesday, eBay said members will have to sign in through eBay directly starting in late January.

"Once this takes place, the Microsoft Passport button that is currently displayed on Sign In pages will be replaced with links to a page with more information, including Help in case you cannot remember your User ID or password," the notice said.

eBay also said it will discontinue sending eBay Notifications through Microsoft .NET alerts, and recommended that users who would like to continue receiving auction updates will be able to sign up and get them through their mobile phone or PDA.

Microsoft, meanwhile has nixed its site directory for Passport, although Passport will be very much a way of life for users of Microsoft's Web sites, such as its e-mail offering Hotmail.

"We have discontinued our Site Directory, but you'll know when you can use your Passport to make sign-in easier. Just look for the .NET Passport Sign In button!" a notice on its Passport site said.

In October, online job listing company Monster.com stopped using Passport after three years as a partner.

The latest move from eBay raises the question of whether Passport has a future in Redmond's vision of using the sign-on system for accessing secure Web services .

Many analysts believe Web services, distributed computing that allows applications to communicate with one another, will only work if vendors can promise safe, trustworthy single sign-on services to users. For example, experts expect a combination of single sign-on and Web services to enable shoppers to purchase goods in a mall through a handheld computer.

But Microsoft has been faced with mounting concerns about security due to a rash of security issues in its Windows operating system and IE browser. The problems have left some customers and partners leery about subscribing to Passport or other services that require users to provide their personal information, such as address and credit card data.

The situation wasn't helped in 2003 when two security analysts for Gartner urged financial institutions and other enterprises to stop using Microsoft's .NET Passport service.

"Microsoft failed to thoroughly test Passport's security architecture, and this flaw --- uncovered more than six months after Microsoft added the vulnerable feature to the system -- raises serious doubts about the reliability of every Passport identity issued to date," according to a report at the time by John Pescatore and Avivah Litan for Gartner.

"[Passport] lost momentum a long time ago, and now we have significant evidence of market erosion. I'm sure this is not the last such case we'll hear about," Forrester security analyst Jonathan Penn Penn told internetnews.com.

"Remember, eBay is being hit by fraud via phishing and keystroke logging attacks on its customers," he said. "The last thing they need to worry about when dealing with all these account compromises is an open door over which they have no control. The security weaknesses and lack of control participating organizations have in Passport (being a centralized, MS-run service) is undoubtedly a big factor behind eBay's decision."

The company also faces tough competition regarding single sign-on and authentication systems. HP , Sun Microsystems and others offer their own federated identity service through the Liberty Alliance, which IBM joined in October along with seven other members.

"Authentication remains a widespread industry issue," Earl Perkins, a security analyst at META Group, said of Liberty at the time. "An organization capable of leveraging support from influential companies across industries and developing and model that makes strong authentication convenient, affordable, and interoperable between infrastructures and authenticators... is well positioned to drive widespread adoption."

A Microsoft spokesperson said the company's commitment to providing partners with secure and flexible authentication services has not changed.

"Over the past couple of years, Microsoft learned a lot working with partners and customers and shifted the focus of the service to serve as a great single sign-on solution for consumers of MSN and Microsoft online services, as well as working with close partners where it made sense for both parties," the spokesman said.

"At the same time, Microsoft and industry partners have been making great progress on a set of specifications for federation based on web services, and fully expect the Passport service to federate where appropriate via these web services-based protocols."

Updates prior version with Forrester analyst comment and to include a comment from a Microsoft spokesperson.