Kevin Tolly: Taking a pass on Passport

Boasting about 200 million users, Microsoft Corp.’s Passport authentication service is clearly the 800-pound gorilla of so-called “single sign-on.” While Microsoft can, no doubt, deal with its current security issues, there are enough other issues with the service that many users likely will just take a pass.

Passport is all about numbers – large numbers and 200 million users is enough to get anyone’s attention. But just because these millions are signed up doesn’t mean that they are eager to use the service, or even use it frequently.

Not surprisingly, Microsoft has made Passport mandatory for those who subscribe to paid services such as Microsoft Developer’s Network. Add to this MSN Hotmail and MSN Messenger and you’re already into the many millions. Even though the service is 4 years old, there are only about 100 sites listed in the Passport directory.

And when you look closer, you’ll note that about one-quarter of those sites are owned, in whole or in part, by Microsoft. eBay is a Passport partner that is cited over and over again. In the directory, eBay is listed a dozen times, once for each country site. Where is the momentum when, after four years, only about 80 non-Microsoft companies are listed? Why haven’t more joined?

Large numbers again play a role. This time it is the large number of dollars that businesses need to pay to experience the joy of Passport authentication. According to the Microsoft Passport Web site, companies large and small pay a yearly “provisioning” fee of US$10,000 plus a “periodic compliance testing fee” of US$1,500.

This shocked me. While this is nothing to current Passport companies such as Starbucks, USA Today and NASDAQ, it is not a fee that most small to midsize businesses would want to pay. Microsoft should take a lesson from itself and give away access to gain market share. Or it should at least establish a range of fees to accommodate smaller companies and guarantee a cost cap for three years.

Using Passport doesn’t eliminate the need for a Web site owner to write and maintain a user database; it only eliminates the need to maintain the authentication credentials (such as the password).

All this aside, we need to deal with whether single sign-on is a good idea. For practical reasons, Passport uses password-based authentication. And it is the alleged insecure handling of those passwords that has been the central theme of the recent brouhaha around Passport.

Even resolving the current issue does not fix the problem. The issue still remains that anyone who has access to my Passport password can access my account at any and all Passport sites. The more successful the service becomes, the bigger the problem a security breach would become.

Without a more secure authentication scheme – such as a token or some biometric reader – the password becomes everything. And it becomes a bigger lure for those interested in identity theft.

Microsoft brags that with Passport, “you can tailor sign-on pages to match your site design, providing a seamless experience for your customer.” That’s right – and providing a perfect setup for identity theft.

All one needs to do is build a faux Passport site, offering, say, a free credit report for visiting the site, prompt the user for his Passport credentials and voila! We have identity theft that can be carried out with middle-school programming experience.

With such fundamental problems, it’s no wonder that momentum is so slow to build.

Tolly is president of The Tolly Group, a strategic consulting and independent testing company in Manasquan, N.J. He can be reached at