Information Security News mailing list archives

Passport Problems Show Software-Based Security's Fatal Flaw


From: InfoSec News <isn () c4i org>
Date: Thu, 8 Nov 2001 06:12:34 -0600 (CST)

http://www3.gartner.com/DisplayDocument?doc_cd=102213

Microsoft keeps offering fixes for its troubled Passport
authentication service, but the intrinsic flaws of such software-only
digital wallets still make them unsuitable for sensitive information.
 
-----------------------------------------------------------------
  
Event

Microsoft has acknowledged that it shut down part of its Passport
Internet authentication system for 48 hours beginning 2 November 2001.
Microsoft apparently intended to resolve a security problem related to
cross-site scripting that could enable hackers to access users' credit
card information.

First Take

Passport offers another example of Microsoft releasing software with
major security vulnerabilities that it later attempts to solve with
patches, "hot fixes" and new releases. This approach may reduce the
risk of the original vulnerability but often opens up new security
weaknesses. The latest Passport "fix" reduces the user's window of
vulnerability from 15 minutes after log-in to 30 seconds, but neither
delivers adequate security nor addresses the root cause of the
problem. If Microsoft's planned Passport migration from browser-based
mechanisms to Kerberos operating system-based authentication takes
place, it will eliminate the basis for this weakness by 2003. However,
this approach will not help today's Passport users (according to
Gartner research, 25 million U.S. consumers have signed up with
Passport though only 7 million know it).

The latest vulnerability also shows that software-only solutions
cannot deliver high levels of security for sensitive or otherwise
valuable information. Software-only protection may suffice for
low-value site registration information (e.g., name, zip code and
preferences), but high-value information requires the use of a smart
card, hardware token or biometric input. Smart cards provide a major
additional benefit besides strong authentication: storage capacity to
keep sensitive information offline.

Gartner's research shows that consumers are already wary of
Passport-type systems; in a recent study, only 2 million U.S. Passport
users reported storing credit card information using the service (see
Research Note M-14-5779 "Microsoft Passport: Build It and They Will
Haltingly Come"). Enterprises should not encourage their customers or
their employees to use software-only systems for storage of sensitive
information before 2005, when vulnerabilities of Passport and
competing systems will be thoroughly exposed and resolved and when
smart cards for home PCs will be readily available. All applications
developed during this period should support migration to smart cards
as soon as feasible, likely after 2005 for consumer applications.

Analytical Sources: John Pescatore, Information Security Strategies,
and Avivah Litan, Financial Services Payment Systems

Written by Terry Allan Hicks, gartner.com

Need to know: Reference Material and Recommended Reading

"Microsoft Passport: Many Registrations, but Few Users" (M-14-4839)
Although Microsoft will succeed in building a ubiquitous Passport
registry, the company's ability to earn much revenue from Web services
(also known as .NET My Services) is far from certain. By Avivah Litan

"Liberty Alliance Seeks to Advance Open Identity Systems" (FT-14-5959)
For a discussion of another approach to authentication. By David Smith
and Daryl Plummer
 

