i/s Back Issues, Volume 17, No. 4, March/April 2002
Microsoft .NET Passport and Wallet: Approach with Caution!
Kerem B. Limon and Paul B. Hill
Microsoft .NET Passport and Wallet are a proprietary pair of tools that
provide single login, authentication, and electronic purchasing services
through participating Web sites and business partners over the Internet.
.NET Passport is the authentication system, and Wallet stores users' personal
and financial data on a Microsoft-owned server. The goal is to create
an account that verifies a user's identity or lets him or her buy products
without needing to re-enter this information each time.
Passport technology debuted as part of Microsoft's free Web-based email
service, Hotmail, and over time has been integrated into Microsoft's growing
.NET initiative. (.NET is a networked, XML-based Web services platform
and its supporting infrastructure.) Several Microsoft products and services
use .NET Passport, and it will probably emerge as a central component in
most Microsoft technologies. Besides Hotmail, such products and services
include Windows XP; Microsoft's own ISP, MSN, and its instant messaging
service, MSN Messenger; online developer resources such as Microsoft Developer
Network; and entertainment services like the Microsoft Gaming Zone. Wallet
operates alongside .NET Passport, providing users' payment information
when needed.
Not Used for MIT Services
While the functionality of .NET Passport may resemble some services offered
by IS, none of these use or are interoperable with .NET Passport or Wallet.
IS does not support either of these services from Microsoft.
The IS services that provide similar functionality are for use only with
MIT-affiliated sites and business partners. These systems are typically
not interoperable with non-participating systems outside of MIT or beyond
the academic community at large.
For instance, for authentication via the Web, MIT uses personal Web certificates.
For services that may (also) be accessed directly without a Web interface
using a client program, such as
email or SAP, MIT uses Kerberos technology for authentication. There
is no current analogue of Wallet among services offered by IS.
Concerns
As with any emerging technology, there are issues around .NET Passport
and, in particular, Wallet. Some are of concern to the MIT community.
First, there is a concern for the security of the
information provided to Microsoft for a Wallet account. This
may include demographic data about the user, such as age,
date of birth, social security number, address(es), and
phone number(s), as well as sensitive financial information,
such as credit card data. Should this information be
compromised, it could lead to serious abuses ranging from
fraud to identity theft. Various computer security groups
and industry watchdogs have raised red flags about inherent
weaknesses in Wallet technology, and there has been at least
one documented case of (now patched) vulnerabilities that
could allow credit card and demographic data to be stolen.
Secondly, various advocacy groups have raised privacy
concerns about the large amounts of demographic and
financial data gathered by Microsoft through .NET Passport
and Wallet registration and use. Such groups have questioned
the terms of Microsoft's privacy policy and service
descriptions for these systems. Microsoft has made (and may
continue to make) policy changes that may be unacceptable to
some users. Advocacy groups thus continue to monitor and
caution against possible privacy violations.
Finally, there is concern about the proprietary nature of these systems.
.NET Passport and Wallet are not open standards. They do not receive reviews
from people outside of Microsoft; nor are others free to implement alternatives
that use the same protocol. While Microsoft has publicly committed to
opening "some" aspects of the .NET Passport system to review, many remain
skeptical and feel Microsoft does not intend to deliver enough.
Sun Microsystems and America Online have launched their own alternatives,
Liberty Alliance and Magic Carpet, respectively. How these competing technologies
will develop and whether they will become interoperable with .NET Passport
is unclear at this time.
What To Do
Taking into account these concerns about security, privacy, and interoperability,
IS cautions against using Microsoft Wallet where it can be avoided.
Since .NET Passport and Wallet services are not related to or interoperable
with IS services, abstaining from them should have minimal impact
on MIT users. There are, however, instances where you may need to obtain
a Wallet (and .NET Passport) account to access services, such as downloads
or purchases from Microsoft Web sites. Given that .NET Passport-dependent
services come integrated into most recent Microsoft products, you are
likely to encounter .NET Passport often and be prompted to create a .NET
Passport and Wallet account. If you have a legitimate need to use these
services, pay attention to the following important considerations:
- Provide only the information needed to access the product
  or service you are using. Preferably, limit this information to publicly
  available details (such as your name, listed phone numbers, and addresses,
  but not your social security number, if possible). Do not provide
  financial data unless needed. For instance, registering for MSN Messenger
  should not require payment information, as the service is free.
- Investigate alternatives to Wallet for online transactions.
  Most merchants provide an SSL-encrypted form where you can enter
  payment information directly. If possible, check out other merchants
  who accept alternative purchasing methods, including MIT's partners
  that are available through services like ECAT and SAP, using
  IS-supported systems.
- Don't use your Kerberos password for a .NET Passport
  or Wallet account. (Your Kerberos password is the password you use
  for checking your MIT email or logging into Athena.) While MIT's
  authentication mechanisms, when configured properly, guarantee the
  security of your password, the same may not be true of .NET Passport
  (as in the case of Hotmail logins from certain browsers). More importantly,
  should someone be able to access your .NET Passport, they may subsequently
  gain access to your MIT identity as well.
IS will continue to monitor the development of .NET Passport and other
.NET services to assess their impact on the MIT community. For more information,
contact the Software Release Team at <swrt@mit.edu>.