Bending under the weight of mounting legal and industry criticism, Microsoft Corp. said it will alter its Passport authentication system to interoperate with similar services from competing companies. The company also announced plans to consider handing over management of the system to a "federated" group made up of rivals and corporate partners, as well as Microsoft.
"Enabling multiple service providers to be able to interoperate, we think, is a tremendous opportunity for the industry," said Brian Arbogast, vice president of .Net services at Microsoft. The addition of interoperability to Passport will happen next year, he said.
Passport is Microsoft's single sign-on service that enables users to visit other Web sites and access password-protected services, such as instant messaging and online banking, without having to sign in at those sites. Some Web sites that currently use Passport include Starbucks.com and Microsoft's own MSN Internet sites.
Microsoft also said it will work with corporations to enable their internal authentication system to work with Passport. For instance, employees could sign on to internal Web sites such as those that manage employee benefits.
"It's a way for enterprises to authenticate their users and then have those users trusted beyond the scope of just their business," Arbogast said. "We never thought of outsourcing Passport, previously, but there is tremendous market opportunity."
To allow the single sign-on service to work with competing services from rivals such as AOL Time Warner Inc. and proprietary systems used by corporations, Microsoft confirmed it will include support for a technology called Kerberos in Passport. Kerberos is an open standard for securing digital transactions developed by researchers at the Massachusetts Institute of Technology. Adding Kerberos support to Passport would allow it to interoperate with any other authentication service that also uses Kerberos.
But will any of Microsoft's competitors sign on to the idea? Microsoft says yes, noting that Kerberos is an open standard. "This gives us a model where we can interoperate without anyone doing a complete overhaul of their system," Arbogast said.
This interoperability will first be tested when Microsoft releases its Windows .Net Server, due out in early 2002, he said. Kerberos support will be built into the version of Active Directory within the server software, a service that allows users of Microsoft's database software to store identities of business partners and customers. This will allow those users signed on via Active Directory to visit Passport-protected Web sites.
One analyst said winning the support of Microsoft's biggest rivals, such as AOL Time Warner, may be a stretch. "I really think that AOL is going to have to be pushed real hard to sign on to this," said Chris Le Tocq, an analyst with Guernsey Research who has followed the development of Passport closely.
AOL has said it is working on its own single sign-on service based on technology used in the authentication system for its AOL Internet service. The company is also a strong opponent of Microsoft and has a history of being slow to open up its systems to competitors, such as its instant messaging services. AOL is currently under order by federal regulators to make its instant messaging systems work with rival services.
In addition to AOL, the open-source community is working on developing a single sign-on authentication system, and Sun Microsystems Inc. has said that it too could build a sign-on service that would compete with Passport.
For its part, Microsoft said opening up Passport through the use of open standards would give rivals and corporate partners control over many aspects of their own authentication systems. In addition, the company said it will consider allowing a neutral third-party group, or a federation of companies that includes itself and industry rivals, to oversee Passport.
"What the federation approach does is provide the capability, through Passport, to make a single administration point for internal and external sites," Le Tocq said.
Microsoft would not commit to the idea of allowing a neutral group to oversee Passport, saying it is looking at other options as well. One such option would see competing authentication systems work like a peer-to-peer network, with each system storing its own users' personal information.
But with an independent authority managing the millions of user profiles, Microsoft could encourage customers to adopt Passport and relieve fears that Microsoft might control the personal information stored on central servers or charge for every transaction that passes through its system. The move could also relieve privacy critics' fears that Microsoft would use user information to build customer profiles for marketing purposes.
"We think that there's at least an interesting discussion to have in the industry as to whether or not there is a need to have this higher operating authority," Arbogast said.
Besides opening up an opportunity to enlist more subscribers for the Passport service, the announcement signals that the software maker is giving in to legal pressure from its antitrust case, which continues this month in a U.S. District Court, Le Tocq said. The U.S. Department of Justice, which is a plaintiff in the case along with 18 U.S. state attorneys general, has said in court papers that it will ask the judge to consider issues pertaining to Windows XP when crafting a remedy to impose on Microsoft.
Microsoft has also been under increasing pressure from consumer and privacy groups to ensure that Passport doesn't limit consumer privacy. A collection of advocacy groups filed a complaint with the U.S. Federal Trade Commission in July alleging that Microsoft was using unfair and deceptive trade practices to influence customers to sign up for a Passport and divulge personal information. The Center for Democracy and Technology has also been in ongoing discussions with Microsoft on the issue.
However, Microsoft said legal and industry pressure had not affected the development of Passport. "That's not any guiding force here," Arbogast said.
Microsoft also announced Wednesday a new moniker for its set of Web services, previously code-named Hailstorm, which rely on Passport as a central authentication system. Now called .Net My Service, the set of services allows users to store information centrally on the Web and access that information from a variety of computing devices, including PCs and handheld devices.
Microsoft, in Redmond, Washington, can be reached at +1-425-882-8080, or online at http://www.microsoft.com/.