Microsoft shifts tactics for security on Internet
A network of "federated" identity-management systems instead of the centralized Passport product seems to be gaining interest among Microsoft customers and partners.
Seattle Times technology reporter
Microsoft appears to have fumbled its plan to make its Passport system the Internet's turnstile, but don't write off the company just yet.
Microsoft had bold ambitions for Passport, the free virtual-identity card it has issued to users of MSN, Hotmail and other company Web sites for six years.
"It's our goal to have virtually everybody who uses the Internet have one of these Passport connections," Chairman Bill Gates said in March 2001.
Passport lets users register their personal information once. Then they can quickly log into participating Web sites without entering the information again or creating a new password. If everyone had a Passport, Microsoft's monopoly could extend from the PC to the Web.
Other companies, however, weren't comfortable giving that much authority to Microsoft, which keeps the Passport data in its servers. The company stopped pitching Passport to other companies as an identity management solution about two years ago and eBay, the biggest user, dropped it in December. Now Passport is used mostly by Microsoft's own sites.
But the company took the feedback it heard along the way, refocused its strategy and developed a line of products that will give Microsoft a large but indirect role in managing online identities. The new products are largely tools that help other companies manage their own collections of digital identities.
Gates may outline some of this new approach tomorrow during a keynote speech at the RSA security conference in San Francisco, the tech industry's biggest security event of the year.
Microsoft declined to preview his speech, but the company has been giving software developers a peek at some of its new identity-management technology, including new servers for managing user identities and a hardware-backed successor to Passport that could appear in the next version of Windows.
Working with IBM, Sun
One of the products coming this year shows just how far Microsoft has moved from its original Passport vision. Active Directory Federation Services (ADFS), a product to help companies share their collections of digital identities across the Internet, is included in an updated version of Windows Server 2003 appearing in the second half of this year.
An early challenge to Passport came from a coalition of competitors and corporations that advocated for a network of "federated" identity-management systems that worked together, on different software platforms, rather than a large system managed by a single company such as Microsoft.
Microsoft has since embraced the federated approach and is working with IBM on one of two leading standards. It's also working with Sun Microsystems, one of Passport's biggest critics, to make their platforms work better together.
"I think the monolithic, centralized approach that Passport epitomized has given way to a more loosely coupled, federated approach," said Gerry Gebel, an analyst with the Burton Group in Salt Lake City.
A turning point for Microsoft came two years ago when it embraced the federated approach with an initiative known as TrustBridge. The goal was to make its identity-management systems work between companies, as well as within a corporate network, and ADFS is the first product to result.
"The idea was to enable organizations to project or federate their identities with other organizations," said Michael Stephenson, a Windows server director who heads the identity-management business.
Microsoft has a dominant share of the corporate identity-management market, with 70 percent of U.S. enterprises using its directory product to manage worker passwords and network access rights. But they want their identity systems to work better with the systems used by their customers and partners.
"With more and more companies wanting to do business over the Internet, this was a logical step to take," Stephenson said.
Another shift was Microsoft's realization that its software had to do a better job working with competitors, since corporate customers are likely to be using a mix of different products, said Jackson Shaw, a former Windows manager who left to join Vintela, a Utah company that makes an identity-management product that runs on both Windows and Linux.
"As time moves on, it's pretty evident that this whole heterogeneous environment that everybody lives in will continue," Shaw said. "I think that Microsoft is recognizing from the perspective of playing in a heterogeneous environment, it has to do a better job there."
The Burton Group's Gebel said federated systems will reduce the number of passwords people have to remember, but it may take three to five years for them to notice, because so far only about 300 federated systems have been deployed.
The idea is that because the systems follow the same standards, they can share identity and access privileges without sharing a password database. For instance, a travel agent could query flight schedules at different airlines without logging into each one: the agent signs in once with his own company's identity system, and each airline's network accepts a credential issued by that system, granting access to the schedules but not to other parts of the airline's network.
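What the airline's side of that exchange has to check, as an added example written for this page rather than code from Microsoft or ADFS (which carry the same ideas as WS-Federation or SAML XML assertions, not the compact signed JSON token used here): an identity provider signs a set of claims about the agent with an Ed25519 key, and each airline site keeps the issuer keys it trusts plus a map from role to the resources that role may see. The issuer names, site names, roles and resource strings (idp.travelco.example, airline-a.example, "agent", "schedules") are constructed for the scenario.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the assertion an identity provider makes about a user.
// Field names are this example's own, not a standard token format.
type Claims struct {
	Issuer   string   `json:"iss"`   // identity provider that vouches for the user
	Subject  string   `json:"sub"`   // the user, as known to the issuer
	Audience string   `json:"aud"`   // the single site this token is meant for
	Expires  int64    `json:"exp"`   // Unix time after which the token is dead
	Roles    []string `json:"roles"` // what the issuer says the user is
}

// Issue signs the claims and returns "<base64url(claims)>.<base64url(sig)>".
func Issue(priv ed25519.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(body) + "." + enc.EncodeToString(ed25519.Sign(priv, body))
}

var (
	ErrMalformed    = errors.New("malformed token")
	ErrUntrusted    = errors.New("issuer not trusted")
	ErrBadSignature = errors.New("signature invalid")
	ErrWrongAud     = errors.New("token not issued for this site")
	ErrExpired      = errors.New("token expired")
	ErrForbidden    = errors.New("resource not permitted for these roles")
)

// RelyingParty is one airline's site. It never sees the agent's password;
// it trusts a fixed set of issuer keys and decides locally what each role may see.
type RelyingParty struct {
	Name        string
	TrustedKeys map[string]ed25519.PublicKey // issuer -> verification key
	Permissions map[string][]string          // role -> resources it may access
	Now         func() time.Time             // injectable clock for testing
}

// Verify checks signature, issuer, audience and expiry. The issuer named
// inside the token only selects which key to try; nothing in the token is
// believed until the signature verifies under a key this site already trusts.
func (rp *RelyingParty) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, ErrMalformed
	}
	enc := base64.RawURLEncoding
	body, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, ErrMalformed
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, ErrMalformed
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, ErrMalformed
	}
	key, ok := rp.TrustedKeys[c.Issuer]
	if !ok {
		return nil, ErrUntrusted
	}
	if !ed25519.Verify(key, body, sig) { // verify the exact signed bytes, not a re-encoding
		return nil, ErrBadSignature
	}
	if c.Audience != rp.Name { // a token for airline B must not open airline A
		return nil, ErrWrongAud
	}
	if rp.Now().Unix() >= c.Expires {
		return nil, ErrExpired
	}
	return &c, nil
}

// Authorize grants resource only if the verified roles map to it here.
func (rp *RelyingParty) Authorize(token, resource string) error {
	c, err := rp.Verify(token)
	if err != nil {
		return err
	}
	for _, role := range c.Roles {
		for _, allowed := range rp.Permissions[role] {
			if allowed == resource {
				return nil
			}
		}
	}
	return ErrForbidden
}

func main() {
	// Constructed scenario: TravelCo's identity provider vouches for agent "alice".
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	airline := RelyingParty{
		Name:        "airline-a.example",
		TrustedKeys: map[string]ed25519.PublicKey{"idp.travelco.example": pub},
		Permissions: map[string][]string{"agent": {"schedules"}},
		Now:         time.Now,
	}
	tok := Issue(priv, Claims{Issuer: "idp.travelco.example", Subject: "alice",
		Audience: "airline-a.example", Expires: time.Now().Add(time.Hour).Unix(), Roles: []string{"agent"}})
	fmt.Println("schedules:", airline.Authorize(tok, "schedules"))     // <nil>
	fmt.Println("crew-roster:", airline.Authorize(tok, "crew-roster")) // resource not permitted
}
```

The ordering in Verify is the part worth copying: the issuer field chooses a key, the signature is checked over the bytes actually signed, and only then are audience and expiry consulted. Replaying airline B's token at airline A, editing the roles after signing, or presenting a token from an issuer the site never configured all fail before any authorization decision is made.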
Regulatory pressures
Identity-management approaches have been discussed for years, but they're hot topics again because of new regulations, such as federal medical privacy rules and the Sarbanes-Oxley Act, which require companies to better control and track who has access to different types of information on their networks, Gebel said.
For consumers, Microsoft has floated a more secure identity card that could replace Passport. It would also include digital-rights management technology to prevent unauthorized copying and playing of digital music and movies.
Working with Intel and other hardware makers, Microsoft developed a "black box" system that can bind a user's identity with a special chip and software set that's unique to each machine. Microsoft demonstrated a prototype Longhorn identity system using this technology at a developer conference in late 2003.
Instead of Passport, the system used "iCards" containing a user's personal information. The cards were linked to the unique codes in the hardware-software set, according to a paper on the system published at Intel's software developer library.
"If they can get it implemented correctly — and make it simple for consumers — I think it really would be a killer app," said Michael Cassens, a Missoula, Mont., software developer and consultant who attended the 2003 presentation and wrote the paper posted by Intel.
A similar approach is also used in a digital-content protection system for which Microsoft received a patent last September. The system creates "passports" tied to the black box on a machine. If someone tried to download and play a song or movie, the system would first check the hardware unit to see if the user had paid for it or otherwise received authorization.
But Cassens and others said Microsoft will again have to overcome concerns about giving it, or any single company, too much control over systems and personal information.
Security consultant Bruce Schneier said the trusted-computing platform underlying the digital-rights management system, originally code-named Palladium and since renamed the Next-Generation Secure Computing Base (NGSCB), won't fly because it gives companies too much control over people's computers.
"It's being sold as user security, but it isn't," he said. "It's not about your security; Palladium is about Sony and Disney and all their security. I think it's not designed to help us, it's designed to help them."
Patent's message
Microsoft's patent application said basically the same thing.
"Since copy protection benefits the owners of copyrights and inconveniences the consumer of copyrighted works, a disincentive to sharing one's password is included in the user-bound passport," it says, adding that the passport may include credit-card information the user is unlikely to share.
To overcome objections to Palladium, Microsoft may take another approach with Longhorn, said John Pescatore, a Gartner security analyst. He expects Longhorn, the next version of Microsoft Windows that's going on sale in 2006, may be partitioned so that it can run in different configurations, with different levels of security.
Companies could require workers to connect to their networks in a secure mode that uses the Palladium components. But users could also switch to an unprotected mode where they could run a media player that doesn't have a digital-rights management (DRM) system, Pescatore said.
"It would still fit the DRM strategy, but the good thing about it is the users would always have the option to say I could have a totally open, virtual computer here."
Brier Dudley: 206-515-5687