Financial institutions are being advised to restrict their use of Microsoft's Passport for at least six months following the recent discovery of serious security flaws in the online digital identity system.
The recommendation comes from Gartner analysts John Pescatore and Avivah Litan, and follows the discovery earlier this month of a gaping hole in Passport that allowed unauthorised users to usurp Passport identities. Microsoft indicates it has resolved the problem and says it is not aware of any of the 200 million Passport accounts having been breached.
The analysts say that Microsoft failed to thoroughly test Passport's security architecture, and this flaw — uncovered more than six months after Microsoft added the vulnerable feature to the system — raises serious doubts about the reliability of every Passport identity issued to date.
Passport accounts are routinely used for the authentication of users accessing e-mail and e-commerce transactions. Citigroup, for instance, has Passport-enabled some of its online accounts in an effort to streamline customer access to the bank's Internet products through a combination of Citigroup passwords and Passport identities.
Gartner recommends that financial institutions, credit card issuers, retailers and other enterprises that use Passport for any meaningful business purpose immediately do one of two things: sever all Passport connections until at least November 2003, or until Microsoft can prove that its security is adequate; or invest in an additional, more secure form of authentication for all issued Passport identities.
Institutions should also contact all customers who use Passport and make them aware of Microsoft's patch.
This discovery deals a major blow to Microsoft and the rival Liberty Alliance, says Gartner, neither of which has yet succeeded in getting the consumer e-commerce market to accept identity services of this type.
Gartner surveys have shown that consumers and enterprises have already seen more risk than value in Passport and Liberty.
"The serious vulnerability in Passport will likely further delay any meaningful demand for such services until at least 4Q04," say the analysts. "Microsoft can reduce this impact and regain market confidence by submitting Passport's code to a full open-source review."