Gartner issues warning to Passport holders


21 May 2003

Industry analyst Gartner has come down heavily on Microsoft’s Passport authentication system, saying that it can easily be compromised and can’t be trusted.

Gartner advised clients such as financial institutions and other enterprises to replace or augment Passport until at least November 2003.

The advisory relates to an incident earlier this month when Microsoft acknowledged a major security flaw in its Passport internet user authentication service. An independent researcher in Pakistan first identified the flaw. It could theoretically have enabled unauthorised access to any of the more than 200 million Passport accounts used to authenticate email, e-commerce and other transactions. Microsoft has stated that it has resolved the problem and does not know of any accounts that were breached.

According to Gartner, this security flaw couldn’t have emerged at a worse time for Microsoft Passport, which, it said, has struggled to gain enterprise and consumer acceptance ever since it went live in 1999. Microsoft, it said, failed to thoroughly test Passport’s security architecture, and this flaw, uncovered more than six months after Microsoft added the vulnerable feature to the system, raised serious doubts about the reliability of every Passport identity issued to date.

Gartner said that for this reason it was recommending that financial institutions, credit card issuers, retailers and other enterprises that use Passport for any meaningful business purpose immediately break all Passport connections until at least November 2003, until Microsoft can prove that its security is adequate. Alternatively, it advised investing in an additional, more secure form of authentication for all issued Passport identities. It also advised firms to contact all customers who use Passport and make them aware of Microsoft’s recommendations for Passport account holders.

By Dick O’Brien