Microsoft Corp. put out a call for the creation of a “federated” authentication system Thursday, saying it plans
to open its Passport authentication system to interoperate with enterprises, network and other service operators to deliver
universal single sign-in spanning multiple organizations and services.
In layman’s terms, the move is designed to spur the development of a system whereby Internet users create a single, secure online
identity to represent them across the Internet — from signing in to corporate networks to shopping at an e-commerce site. While
Microsoft is offering to open up its own service to arch-rivals — like AOL Time Warner Inc., which is hard at work on its own
“Magic Carpet” authentication system — and other companies, the major motivating factor appears to be advancing its own HailStorm
and .NET initiatives.
“The challenge of providing universal single sign-in is larger than any one company,” said Bob Muglia, group vice president of .NET
services at Microsoft. “We invite the industry to participate in this federated model that bridges today’s islands of authentication
into a trusted network for users, Web site operators, wireline and wireless carriers, and corporations that will unlock the power of
Web services, which is the foundation of our .NET vision.”
Gary Hein, analyst with The Burton Group and author of the report “Deciphering Microsoft .NET,” said Microsoft’s proposal sounds promising for both consumers and the industry as a whole, but the real story will lie in the fine print.
“We need further details from Microsoft — what this actually means,” Hein said. “I think the jury’s out until we have more technical information from Microsoft.”
Hein said Microsoft remained vague as to whether its proposal is completely open — for instance, allowing a competitor to create a competing authentication service that interoperates with Passport — or if competitors will simply be allowed to utilize the Passport service but not replace it.
“You can play this scenario out in two ways,” Hein said. “If it truly is open and AOL or anyone else can come out and truly have equal footing with Microsoft, this is a big win for the consumer. If, on the other hand, this openness isn’t quite as open as it appears, then I don’t expect to see widespread adoption.”
Passport currently allows users to sign in to a Microsoft site, like Hotmail, and then travel to other Microsoft sites without
signing in again. For instance, users could sign in at the MSN portal, and then go directly to their Hotmail inboxes without having
to sign in again. The service also includes Passport Digital Wallet, which allows users to store personal and credit card
information, which can then be used to automatically fill out forms at Passport-enabled e-commerce sites.
Microsoft’s new proposal would extend those capabilities beyond its network of sites by inviting the entire industry to participate
in the creation of a broader Internet trust network, similar to the system that allows ATM card holders to use any ATM, owned by any
bank, regardless of the bank that issued the card.
“This federated model allows organizations to retain fine-grained and secure control over their user identities, profiles and other
business data, while participating in a trusted network that delivers a unified experience to users,” Microsoft said. “The trust
network is built on a common set of technical and operational guidelines and is open to any organization supporting those standards.
Microsoft will lead in the formation of this network by making Passport, the world’s leading Internet authentication system,
available for federation with other authentication systems.”
For Microsoft, widespread adoption of the Passport service, or at least a number of interoperable authentication services, is critical to the success of HailStorm, now officially named “.NET My Services,” according to Hein. .NET My Services has absorbed many of the “identification” features that were formerly a part of Passport, which has been more or less streamlined into a “pure” authentication service which .NET My Services leverages.
Essentially, Microsoft is facing a classic “chicken and egg” scenario when it comes to .NET My Services.
“How will Microsoft convince developers and Web sites to leverage HailStorm if there are no subscribers?” Hein asked. “How will Microsoft convince users to subscribe to HailStorm if only Microsoft Web sites leverage HailStorm?”
But a universal authentication system makes services like HailStorm much more viable by creating a large stable of users capable of utilizing the service.
“If there are no strings attached, it’s good for the consumer because it will provide greater features in their Internet experiences, and it’s good for Microsoft because it will create more subscribers for Microsoft .NET My Services,” Hein said.
Microsoft proposed that the Kerberos 5.0 protocol, developed by the Massachusetts
Institute of Technology (MIT) and standardized by the Internet Engineering Task Force, be adopted as the standard of the federated
authentication network. Kerberos uses secret-key cryptography to provide security for client/server applications: each party
shares a long-term key only with a trusted key distribution center, which issues short-lived tickets. Once a client
proves its identity to a server (or vice versa) using Kerberos, that client and server can encrypt all their communications to
ensure privacy and data integrity.
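The following is an added example, not code from the article, Microsoft or MIT, showing the shape of the Kerberos exchange just described: a key distribution center (KDC) that holds every principal's long-term key, a ticket the service alone can open, an authenticator proving the client holds the session key, a reply proving the service could read the ticket (mutual authentication), and finally application traffic encrypted under the session key. The `seal`/`unseal` pair (a SHA-256 keystream with an HMAC tag) is a constructed stand-in for real Kerberos encryption types, the AS and TGS round trips are collapsed into one `issue_ticket` call, and the names `alice`, `mail` and the 1,000,000 clock value are made up for the demonstration.

```python
"""Toy Kerberos-style exchange: client and service share long-term secret keys only with
the KDC, which hands out a short-lived session key so the two can authenticate each other
and then encrypt traffic. seal/unseal (SHA-256 keystream + HMAC tag) are a constructed
stand-in for Kerberos encryption types. Added example, not Microsoft's or MIT's code."""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj) -> bytes:
    """Encrypt-then-MAC a JSON-serialisable object: nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes):
    """Check the tag before decrypting; a wrong key or tampering raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Trusted third party holding every principal's long-term key."""
    def __init__(self, keys):
        self.keys = keys

    def issue_ticket(self, client, service, now, lifetime=300):
        session_key = os.urandom(32).hex()
        # The ticket is readable only by the service; the outer reply only by the client.
        ticket = seal(self.keys[service], {"client": client, "key": session_key, "expires": now + lifetime})
        return seal(self.keys[client], {"service": service, "key": session_key, "ticket": ticket.hex()})


class Service:
    def __init__(self, name, key, clock_skew=300):
        self.name, self.key, self.clock_skew = name, key, clock_skew
        self.seen, self.sessions = set(), {}   # replay cache and live session keys

    def accept(self, ticket, authenticator, now):
        t = unseal(self.key, ticket)                      # only our long-term key opens the ticket
        if now > t["expires"]:
            raise ValueError("ticket expired")
        session_key = bytes.fromhex(t["key"])
        auth = unseal(session_key, authenticator)         # proves the client holds the session key
        if auth["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        if abs(now - auth["ts"]) > self.clock_skew:
            raise ValueError("authenticator outside clock-skew window")
        if (auth["client"], auth["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((auth["client"], auth["ts"]))
        self.sessions[t["client"]] = session_key
        return seal(session_key, {"ts": auth["ts"] + 1})  # mutual auth: we could read the ticket


class Client:
    def __init__(self, name, key):
        self.name, self.key, self.last_exchange = name, key, None

    def login(self, kdc, service, now):
        reply = unseal(self.key, kdc.issue_ticket(self.name, service.name, now))
        session_key = bytes.fromhex(reply["key"])
        ticket = bytes.fromhex(reply["ticket"])
        authenticator = seal(session_key, {"client": self.name, "ts": now})
        self.last_exchange = (ticket, authenticator)
        response = unseal(session_key, service.accept(ticket, authenticator, now))
        if response["ts"] != now + 1:
            raise ValueError("service failed mutual authentication")
        return session_key


def run_demo(now=1_000_000):
    """Run the exchange plus the checks a service must enforce; returns a result dict."""
    keys = {"alice": os.urandom(32), "mail": os.urandom(32)}   # constructed long-term keys
    kdc, alice, mail = KDC(keys), Client("alice", keys["alice"]), Service("mail", keys["mail"])
    results = {}
    k = alice.login(kdc, mail, now)
    # Both sides now hold the same session key and can encrypt application traffic.
    results["authenticated"] = unseal(mail.sessions["alice"], seal(k, {"cmd": "list-inbox"})) == {"cmd": "list-inbox"}
    # A ticket sealed under anything but the service's key fails the tag check.
    forged = seal(os.urandom(32), {"client": "alice", "key": k.hex(), "expires": now + 300})
    try:
        mail.accept(forged, seal(k, {"client": "alice", "ts": now}), now)
        results["forged_ticket_rejected"] = False
    except ValueError:
        results["forged_ticket_rejected"] = True
    # Re-presenting a previously seen ticket and authenticator is caught by the replay cache.
    try:
        mail.accept(*alice.last_exchange, now + 5)
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    return results
```

Calling `run_demo()` returns all three flags set to `True`. The property the article's paragraph relies on is visible in the code: the service never learns the client's long-term key and the client never learns the service's; each trusts the KDC, and the session key it issues is what lets the two encrypt traffic afterwards. The expiry, clock-skew and replay-cache checks in `Service.accept` are the ones a real Kerberos acceptor performs and are where a federated deployment's clock synchronisation and ticket lifetimes matter.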
But while Hein said using Kerberos is a good move on Microsoft’s part, “because in many ways it’s going to strengthen the security of Passport,” he also noted that there is a fair bit of bad blood between Microsoft and the Kerberos community.
Microsoft included Kerberos with its Windows 2000 operating system, but added extensions that blocked the use of some competing server software. Many members of the Kerberos community felt that betrayed the open nature of the Kerberos protocol.
However, Hein noted, “The things that got them in trouble with the Kerberos community in Windows 2000 aren’t likely to be present in Passport.”