Free Republic

Security Flaw Shows Microsoft Passport Identities Can't Be Trusted - Avoid Until At Least Nov. 2003
Gartner News ^ | May 15, 2003 | Terry Allan Hicks

Posted on 05/17/2003 11:10:55 PM PDT by Timesink

Security Flaw Shows Microsoft Passport Identities Can't Be Trusted

15 May 2003

John Pescatore | Avivah Litan

A serious security flaw shows that Microsoft Passport identities could be easily compromised. Financial institutions and other enterprises should replace or augment Passport until at least November 2003.


Event

On 8 May 2003, Microsoft acknowledged a major security flaw in its Passport Internet user-authentication service. An independent researcher in Pakistan first identified the flaw. It could theoretically have enabled unauthorized access to any of the more than 200 million Passport accounts used to authenticate e-mail, e-commerce and other transactions. Microsoft indicates it has resolved the problem and does not know of any accounts that were breached.

First Take

This huge security flaw couldn't have emerged at a worse time for Microsoft Passport, which has struggled to gain enterprise and consumer acceptance ever since it went live in 1999. Microsoft failed to thoroughly test Passport's security architecture, and this flaw — uncovered more than six months after Microsoft added the vulnerable feature to the system — raises serious doubts about the reliability of every Passport identity issued to date.

Whether any attackers exploited this flaw before Microsoft patched the problem is important to enterprises that depend on Passport identities, but it doesn't affect the actions they must take to limit the damage. As with any piece of software with serious security flaws, more vulnerabilities will likely surface in Passport. For this reason, Gartner recommends that financial institutions, credit card issuers, retailers and other enterprises that use Passport for any meaningful business purpose immediately:

Enterprises considering Passport services should delay adoption until at least November 2003 or until Microsoft has completed a thorough security review of Passport, including outside reviewers.

This discovery deals a major blow to Microsoft and the Liberty Alliance, which have not yet succeeded in getting the consumer e-commerce market to accept identity services of this type. Gartner surveys have shown that consumers and enterprises have already seen more risk than value in Passport and Liberty. The serious vulnerability in Passport will likely further delay any meaningful demand for such services until at least 4Q04. Microsoft can reduce this impact and regain market confidence by submitting Passport's code to a full open-source review.

Analytical Sources: John Pescatore and Avivah Litan, Gartner Research

Written by Terry Allan Hicks, Gartner News



TOPICS: Announcements; Business/Economy; Culture/Society; Extended News; News/Current Events; Technical
KEYWORDS: computersecurityin; microsoft; passport; security; techindex

1 posted on 05/17/2003 11:10:55 PM PDT by Timesink

To: *Computer Security In; *Microsoft; *tech_index
bump for bump lists
2 posted on 05/17/2003 11:13:11 PM PDT by Timesink

To: Timesink
If I remember correctly, Bruce Schneier at Counterpane has written about other fundamental problems with Passport. It is apparently broken no matter what Microsoft does, short of a complete redesign.

Anyone who trusts Microsoft's security gets what they deserve, and deserves what they get.

3 posted on 05/17/2003 11:46:33 PM PDT by zeugma (Hate pop-up ads? Here's the fix: http://www.mozilla.org/)

To: zeugma
Anyone who trusts Microsoft's security gets what they deserve, and deserves what they get.

A "bears repeating" bump.

4 posted on 05/18/2003 3:16:08 AM PDT by Dominic Harr

To: Timesink
My own policy: avoid permanently.

MS has a lousy security record, and is basically too doggone big.
5 posted on 05/18/2003 5:08:34 AM PDT by Paul_B

To: Paul_B
My thought exactly. I am convinced M$FT resists implementing QC procedures. Probably because proper QC can delay a product's introduction.

"I know, I know. Just skip the rigorous QC for now. Give it a quick once-over. We gotta get this thing out the door or there's gonna be hell to pay. Don't worry, we'll do the QC later and stick it in version x.1"

I'd bet a dollar statements like this are made around M$FT on a regular basis.

They do not, much to their detriment, realize that QC is not a "separate" process; rather it must parallel the development process from the beginning.
</end rant>

6 posted on 05/18/2003 9:42:04 AM PDT by upchuck (Contribute to "Republicans for Al Sharpton for President in 2004." Dial 1-800-SLAPTHADONKEY :)

To: Timesink
A serious security flaw shows that Microsoft Passport identities could be easily compromised.

Microsoft will have a solution for all these security flaws soon. All we'll have to do is go out and buy brand new computers with their new OS Palladium installed on it. It will phone home regularly to the fatherland in Redmond to make sure everything's okie dokie.

Big brother to the rescue.

7 posted on 05/18/2003 11:54:52 AM PDT by Reaganwuzthebest

To: upchuck
And if they make their product too good - like, say, a word processor that can handle numbered paragraphs - no one would ever upgrade, eh?

One of the problems of lack of competition.

Regards,
8 posted on 05/18/2003 12:26:27 PM PDT by Paul_B

To: Timesink
Enterprises considering Passport services should delay adoption until at least November 2003 or until Microsoft has completed a thorough security review of Passport, including outside reviewers.

Yeah, like that's gonna happen.

Microsoft can reduce this impact and regain market confidence by submitting Passport's code to a full open-source review.

What have these folks been smoking? Microsoft will make the reviewers sign NDAs so they can't even talk amongst themselves and do a proper review. MS doesn't want to know about their flaws; they just want to continue to dominate the market.

If MS had been paying attention, they would have picked up on the Passport thing soon after April 12th, when the researcher first tried to contact them. But nooooobody at MS knew a thing about it until he finally posted it to the Full-Disclosure list out of desperation.

Remember back in February (the shortest month of the year, BTW) 2002, when MS took a whole month off to train their folks and review all of their code? Does anyone really think that it could all be done in a single month? Does anyone else have a strange suspicion that it was all for PR?

9 posted on 05/18/2003 1:30:04 PM PDT by TechJunkYard (via Nancy)
