Daniel Blum: Take a pass on Microsoft’s Passport

Intranet Advisor

If you operate a consumer Web site, Microsoft Corp.’s Passport service merits consideration. But companies needing real identity management should pass on Passport.

Passport is part of Microsoft’s larger .Net initiative. In use today, Passport is a precursor to Microsoft’s My Services offering, which will provide identity management and Web services for calendaring, mail, to-do lists and other conveniences – a sort of virtual Outlook.

Through Passport and .Net, Microsoft is striving to gain an indispensable position on the Internet. By tying Passport into Windows XP and its popular MSN services, Microsoft hopes to ensure at least half the world’s PC population ends up with a Passport account.

Can anyone stop Passport? Probably not America Online Inc., whose Magic Carpet service is still unreleased. Not the Liberty Alliance, an ungainly group currently long on rhetoric and short on substance. Privacy advocates and antitrust regulators have a better chance. Can you imagine Germany or China letting Microsoft create an online-identity database of their national users? I doubt it. But Microsoft has taken a step back, agreeing to “federate” Passport to other authentication services through Kerberos, although it’s unclear on what terms this federation will occur.

Although it may not establish a new monopoly, Microsoft is establishing a business model for Web services that many developers and content providers will find attractive. Business-to-consumer Web sites are plagued by high “drop-off” rates when users confront that unwanted registration screen. Business-to-consumer site operators should consider Passport if its security is sufficient for their use and they can obtain the service on a non-exclusive basis that still lets them “own” repeat-customer relationships.

As Passport (and eventually My Services) usage spreads, companies will be pressured to accept Passport credentials because many of their own staff and e-business users will have accounts. Companies also may find they need accounts for staff to use when registering for outside services, such as travel and benefits sites, and information sites such as Microsoft Developer Network.

However, companies should not rely on Passport for business-to-business or internal identity management. Researchers have identified potential security vulnerabilities, and the service has been hacked at least once. Being centralized, it’s vulnerable to denial-of-service attacks. It provides only a pseudonym under the control of an individual user, not an enterprise IT department.

Companies have no way of deleting Passport user accounts when users leave their organizations. They can’t even set policies for minimum password length or expiration. Rather than relying on Passport, companies should continue to manage identity internally, or look to external identity services operated by partners over whom they’ll have more control.

Blum is senior vice-president and research director with The Burton Group Corp., an integrated consulting, research and advisory service. He can be reached at dblum@tbg.com.