Passport 2.0 ready for a stamp

Amid ongoing criticism and challenges from privacy groups, Microsoft Corp. is close to printing up a new Passport, the authentication system that is at the centre of its Internet initiative .Net.

The Redmond, Wash., software maker will release this month Passport 2.0, the follow up to the single sign-on authentication service that is at the fore of Microsoft’s set of Web services called Hailstorm, Microsoft said Thursday.

“It will be posting to the Web very soon,” said Tonya Klause, a Microsoft spokeswoman.

The new release comes as privacy and consumer groups protest Passport for what they consider loose efforts to protect the privacy of consumer who use the service. Those groups Wednesday added to a complaint recently filed with the U.S. Federal Trade Commission (FTC) against Passport and its use in Microsoft’s new Windows XP operating system.

As Passport becomes a more integral piece to Microsoft’s .Net initiative, engineers speaking at a developers’ conference here about Passport said the company is working to include a greater level of privacy and security in future releases of the authentication service, including the version due out this month, said Keith Brown, an engineer with DevelopMentor Inc. and columnist for Microsoft’s MSDN developers Web site. Brown presented a session Wednesday on Passport at DevelopMentor’s Conference.Net.

Microsoft has already said it will soon strengthen the level of privacy in the service. The new privacy features, such as the addition of a technology called P3P (Platform for Privacy Preferences), will show up in Passport 2.0.

Brown, and other engineers who work closely with Microsoft’s Hailstorm technology, also said that Passport 2.0 will be followed by a release that is expected to include even more privacy and security. With the release of the next generation of Microsoft’s Web services strategy, still without a due date, Passport will rely on a security technology standard called Kerberos, Klause said.

Microsoft is likely to release Passport Version 2.2 before it comes out with one that includes Kerberos, Klause said.

Kerberos, a standard developed by engineers at the Massachusetts Institute of Technology, is currently under review by the Internet Engineering Task Force, a standards body. Microsoft is expected to use an implementation of Kerberos similar to the one included in the Windows 2000 operating system. It will become the key technology to securely authenticate Passport subscribers who access Web-based services, such as those included in Hailstorm, said David Chappell a technical consultant who authored a white paper on Hailstorm for Microsoft.

While critics of the service say Microsoft’s latest efforts to increase privacy in Passport don’t satisfy their needs, Kerberos would be a welcome addition to Passport, according to Richard Smith, chief technology officer of the Privacy Foundation, an advocacy group involved with the FTC complaint.

“Kerberos is a very good step in the right direction for providing security, which is not privacy necessarily,” Smith said. “(Kerberos) should address a lot of the problems that Passport has from a security standpoint.”

The Passport authentication service allows subscribers to store basic information about themselves, such as an e-mail address or ZIP code. Subscribers of the service can then log on to Web sites that support Passport without having to re-enter their personal information. Microsoft uses the technology with its MSN Internet service and on a variety of its Web properties, including the free e-mail service, Hotmail. Roughly 200 partner sites also support Passport, including and Inc.

Microsoft Canada, in Mississauga, Ont., can be reached at