Amid ongoing criticism and challenges from privacy groups, Microsoft Corp. is close to printing up a new Passport, the authentication system that is at the center of its Internet initiative .Net.
The Redmond, Washington, software maker will release this month Passport 2.0, the follow up to the single sign-on authentication service that is at the fore of Microsoft's set of Web services called Hailstorm, Microsoft said Thursday.
"It will be posting to the Web very soon," said Tonya Klause, a Microsoft spokeswoman.
The new release comes as privacy and consumer groups intensify their protest against Passport for what they consider loose efforts to protect the privacy of consumer who use the service. Those groups Wednesday added to a complaint recently filed with the U.S. Federal Trade Commission (FTC) against Passport and its use in Microsoft's new Windows XP operating system. As Passport becomes a more integral piece to Microsoft's .Net initiative, engineers speaking at a developers' conference here about Passport said the company is working to include a greater level of privacy and security in future releases of the authentication service, including the version due out this month, said Keith Brown, an engineer with DevelopMentor Inc. and columnist for Microsoft's MSDN developers Web site. Brown presented a session Wednesday on Passport at DevelopMentor's Conference.Net.
Microsoft has already said it will soon strengthen the level of privacy in the service. The new privacy features, such as the addition of a technology called P3P (Platform for Privacy Preferences), will show up in Passport 2.0. Brown, and other engineers who work closely with Microsoft's Hailstorm technology, also said that Passport 2.0 will be followed by a release that is expected to include even more privacy and security. With the release of the next generation of Microsoft's Web services strategy, still without a due date, Passport will rely on a security technology standard called Kerberos, Brown said.
Klause noted that the addition of Kerberos "is an option" along with other expanded levels of authentication technology such as smart cards, biometrics and digital certificates. Microsoft is likely to release Passport Version 2.2 before it comes out with a service that includes Kerberos, she said, but Microsoft had nothing specific to announce about future releases.
Kerberos, a standard developed by engineers at the Massachusetts Institute of Technology, is currently under review by the Internet Engineering Task Force, a standards body. Microsoft is expected to use an implementation of Kerberos similar to the one included in the Windows 2000 operating system. It will become the key technology to securely authenticate Passport subscribers who access Web-based services, such as those included in Hailstorm, said David Chappell a technical consultant who authored a white paper on Hailstorm for Microsoft.
While critics of the service say Microsoft's latest efforts to increase privacy in Passport don't satisfy their needs, Kerberos would be a welcome addition to Passport, according to Richard Smith, chief technology officer of the Privacy Foundation, an advocacy group involved with the FTC complaint.
"Kerberos is a very good step in the right direction for providing security, which is not privacy necessarily," Smith said. "(Kerberos) should address a lot of the problems that Passport has from a security standpoint."
The Passport authentication service allows subscribers to store basic information about themselves, such as an e-mail address or ZIP code. Subscribers of the service can then log on to Web sites that support Passport without having to re-enter their personal information. Microsoft uses the technology with its MSN Internet service and on a variety of its Web properties, including the free e-mail service, Hotmail. Roughly 200 partner sites also support Passport, including Starbucks.com and Buy.com Inc.
As the market for providing Web-based services and software develops, control over authentication systems such as Passport is heating up. AOL Time Warner Inc. is working on an alternative single sign-on authentication called "Magic Carpet" that will allow AOL members to easily sign on to member Web sites. Currently in stealth mode, according to an AOL engineer attending Conference.Net, Magic Carpet is an extension of AOL's Screen Name Service.
"Competition would actually help Passport succeed," Chappell said.
Engineers attending Conference.Net expressed interest in adopting Passport and other Hailstorm services, despite questions about security and privacy.
"There is a big need for this," said one engineer from The Goldman Sachs Group Inc. who asked to remain unnamed. "There is a huge market for this in financial services."
Goldman Sachs has built its own authentication system to support services it offers customers across the Internet, such as stock trading, but the engineer attending Wednesday's Passport session said that it doesn't satisfy all of the company's needs. "We're doing as good a job as possible, but it's a tough thing to build," he said.
Microsoft's version may also continue to be bugged with problems, said DevelopMentor's Brown. The addition of Kerberos, P3P and other technologies doesn't address some more simple problems. For instance, someone could effectively create a Web site with a false Passport sign-on logo, and dupe users into typing in their sign-on name and password on that face Web site, Brown said.
"We kind of have to ask ourselves, is the Internet ready for this?" he said. "I don't know."