Last week, I wrote about the emerging battle between the followers of Microsoft® Passport and the supporters of the Liberty Alliance Project for the hearts and minds of developers and users of Internet authentication schemes. Both groups agree that, in order to take the Internet to the next level of productivity and usefulness, there should be an industry standard way of securely identifying users to services over the World Wide Web. What they disagree about is whose technology should be at the heart of the authentication scheme.
At this time, Microsoft Passport has the advantage, largely because it already exists and is used by millions of people worldwide (primarily users of Microsoft's Hotmail e-mail system). However, the Liberty Alliance Project is aimed at developing a more agnostic approach - one that is not intimately tied to proprietary software from one vendor.
Since there's really nothing yet to look at from the Liberty Alliance Project, let's have a look at the public debate of Passport. As with most Microsoft efforts, there are plenty of opinions on each side of the story.
According to Microsoft, " .Net Passport is a suite of e-business services that makes using the Web and purchasing goods and services online easier, faster and more secure for its members. " The suite " provides its members with the Microsoft .Net Passport Single Sign In and Microsoft .Net Passport Express Purchase services at participating sites. " There's also a service called Kids .Net Passport that's part of the Single Sign In service, designed to protect children's privacy rights.
For consumers, Microsoft touts the following benefits: fast sign in and purchasing, easier online experiences across multiple devices, and security and privacy. For businesses whose Web sites use Passport services, the purported benefits include streamlined sign-in and registration processes for a large member base; high quality, more secure online experience; increased customer acquisition and retention rates; extensive customization; easy implementation; and, attraction and retention of young visitors.
Wow, sounds great. As great as sliced bread, perhaps.
While .Net and Passport are still at the very early stages of adoption, there are a few experienced implementers and success stories to point to. Along with Microsoft-owned properties such as MSN and Hotmail, eBay and Starbucks also have bought into the strategy for authenticating users to their Web sites, and more proponents have implementations underway. In another six months or so, we should have a number of good case studies to review and learn from.
As with any new complex technology, Passport is not without its detractors, including those who discover its " undocumented features " . For example, in early November, a Seattle programmer discovered a " vulnerability " in Passport that allowed him to look at personal information submitted by subscribers to the Hotmail e-mail service. Software engineer Marc Slemko has documented his discovery, as well as what he sees as other shortcomings of Passport, on his Web site at alive.znep.com/~marcs/passport/
For its part, Microsoft looks at the reports of vulnerabilities and takes steps to verify and fix the issues, according to a product manager on Microsoft's .Net team. That's as it should be.
Technical vulnerabilities aside, several privacy advocates are against the concept of sharing identity information over the Internet for fear of loss of privacy. A loose affiliation of 14 groups asked the Federal Trade Commission to require changes to Microsoft's latest desktop operating system, Windows XP, over concerns that the online authentication system, among other things, does not comply with the Children's Online Privacy Protection Act. Some analysts believe, however, that the issue isn't so much with Microsoft® Passport as it is with any online system that collects and shares identity information.
Since Microsoft® Passport is the best option we have today for worldwide authentication on the Internet, your company may find it worthwhile to launch a pilot project to test the waters. Even if you decide you'd rather cast your fate with the Liberty Alliance Project, it's worth dabbling with Passport now to gain experience that can be transferred to other projects in the future. While the debate of Passport versus Liberty Alliance muddies the user identity waters, one thing is clear: for us to take the Internet to the next level, widespread adoption of user authentication processes is a must.
RELATED LINKS
Linda Musthaler is vice president of Currid & Company, a Houston-based information technology assessment company. You can reach her by e-mail at linda@currid.com.
Technology Executive archive
Past newsletters.
