Microsoft to open Passport for rivals

Microsoft will alter its Passport authentication system to interoperate with similar services from competing companies.

The company has also announced plans to consider handing over management of the system to a "federated" group made up of rivals and corporate partners, as well as Microsoft.

Passport is Microsoft's single sign-on service that enables users to visit Web sites and use password-protected services without having to sign on separately at each site.

Microsoft has pledged to work with corporations to get their internal authentication systems working with Passport.

"It's a way for enterprises to authenticate their users and then have those users trusted beyond the scope of just their business," said Brian Arbogast, vice-president of .Net services at Microsoft. "We never thought of outsourcing Passport previously, but there is tremendous market opportunity."

To allow the single sign-on service to work with competing services and proprietary corporate systems, Microsoft confirmed it will include support for Kerberos in Passport. Kerberos is an open standard for secure digital transactions developed by researchers at the Massachusetts Institute of Technology. Adding Kerberos support to Passport would allow it to interoperate with any other authentication service that also uses the technology.

But will any of Microsoft's competitors sign on to the idea? Microsoft says yes, pointing out that Kerberos is an open standard. "This gives us a model where we can interoperate without anyone doing a complete overhaul of their system," Arbogast said.

This interoperability will first be tested when Microsoft releases its Windows .Net Server in early 2002, he said. Kerberos support will be built into the version of Active Directory within the server software, a service that allows users of Microsoft's database software to store identities of business partners and customers. This will allow those users signed on via Active Directory to visit Passport-protected Web sites.

Winning the support of Microsoft's biggest rivals, such as AOL Time Warner, may prove difficult. "I really think that AOL is going to have to be pushed hard to sign on to this," said Chris Le Tocq, an analyst with Guernsey Research who has followed the development of Passport closely.

AOL has said it is working on its own single sign-on service based on technology used in the authentication system for its AOL Internet service. The company is also a strong opponent of Microsoft and has a history of being slow to open up its systems to competitors. AOL is currently under order by federal regulators to make its instant messaging systems work with rival services.

In addition to AOL, the open source community is developing a single sign-on authentication system, and Sun Microsystems has said that it too could build a sign-on service that would compete with Passport.

For its part, Microsoft said opening up Passport through the use of open standards would give rivals and corporate partners control over many aspects of their own authentication systems. In addition, the company said it will consider allowing a neutral third-party group, or a federation of companies including itself and industry rivals, to oversee Passport.

"What the federation approach does is provide the capability, through Passport, to make a single administration point for internal and external sites," Le Tocq said.

Microsoft would not commit to the idea of allowing a neutral group to oversee Passport, saying it is looking at other options as well. One such option would see competing authentication systems work like a peer-to-peer network, with each system storing its own users' personal information.

But an independent authority managing millions of user profiles may encourage customers to adopt Passport and relieve fears that Microsoft could control the personal information stored on central servers, or charge for every transaction passing through its system. The move could also relieve privacy critics' fears that Microsoft would use user information to build customer profiles for marketing purposes.

"We think that there's at least an interesting discussion to have in the industry as to whether or not there is a need to have this higher operating authority," Arbogast said.

Besides opening up an opportunity to enlist more subscribers for the Passport service, the announcement signals that Microsoft is giving in to legal pressure from its antitrust case, which continues this month, Le Tocq said.

Microsoft has also been under increasing pressure from consumer and privacy groups to ensure that Passport doesn't limit consumer privacy.

However, Microsoft said legal and industry pressure had not affected the development of Passport. "That's not any guiding force here," Arbogast said.

Microsoft also announced a new name for its set of Web services, previously code-named Hailstorm, that rely on Passport as a central authentication system. Now called .Net My Service, the services allow users to store information centrally on the Web and access that information from a variety of computing devices, including PCs and handheld devices.
