REDMOND, Wash., Sept. 20, 2001 — Secure and widely available authentication services are critical to the growth of Web services, but today's solutions still require users to maintain several different “identities” for many sites and services. Businesses require their employees to log into their networks and internal Web sites, while Web-based services such as e-mail and instant messaging require users to sign in with another username and password.
To help make “single sign-in” a reality, Microsoft today proposed a “federated” model for Internet authentication and started work on making Passport — the world's largest Web authentication system — open to federation with currently incompatible systems, and on supporting the Kerberos 5.0 technical standard for authentication. The goal of this approach is to build an Internet “trust network,” in which a single, common authentication system can be used across enterprise systems, Web sites and services.
Just as the banking industry cooperated to build an international network of Automated Teller Machines that customers can access virtually anywhere with one card, regardless of their personal bank, Microsoft's proposal breaks down the current technical barriers to trusted, interoperable authentication across the Internet.
To elaborate on this enhancement to Passport and the proposed creation of an Internet trust network, how it will work and how widely it would benefit consumers, businesses and the technology industry, PressPass spoke with Christopher Payne, Microsoft vice president of the .NET Core Services Platform.
PressPass: What is federation, and how will it benefit the industry?
Payne: Federation, in this sense, is a technology industry term, and it's really quite simple. Federation allows businesses of any size, or any other organization, to maintain the control of their local resources while still being able to interact with people, organizations and software that are not under their direct control. The organizations that control a federated service interact across their normal organizational boundaries. Think of your ATM bank card. Your individual bank is part of a larger ATM service-based network built on a common operating agreement among the various member banks. Within this broad network, you can use your individual ATM card at any one of thousands of ATM machines, regardless of where they're located or whether you even have an account with that particular bank. On the Web, customers will have a similarly seamless experience. They won't have to remember different sign-in names and passwords as they “travel” about the Internet.
The creation of a secure and interoperable trusted network will provide increased choice, more control and greater convenience for large companies seeking to provide authentication services as well as their employees. From a broader industry perspective, such a network of trusted and secure authentication will also help build the foundation for widespread adoption of Web services. Passport provides the enabling technology for richer, more secure, and more private user experiences on the Web, and that, in turn, will create new business opportunities for partners who build Web services on this platform. Microsoft will enable these capabilities with updates to our Passport service in 2002 and with the release of the Windows.NET Server operating system in the first half of 2002.
PressPass: Who will benefit from federating Passport?
Payne: Four different kinds of people or businesses will benefit greatly:
Businesses reap a common user experience, spanning internal and external authentication systems. They also gain more control of sensitive internal data, and will have the freedom to invite trusted partners and customers to make use of their Web services.
Individual users or employees of these businesses, for example, will enjoy a convenient, secure single sign-in experience spanning from within their corporate network to across the broader Internet. It also provides users with more choices in selecting who gets to steward their personal data.
Internet service operators and large Web site operators will obtain a common user experience spanning internal and external authentication systems.
Developers could start building integrated solutions using a common authentication model, freeing them to focus their efforts on creating rich, new Web services.
PressPass: Won’t Microsoft somehow still “own” some of the data?
Payne: No. Microsoft does not own any of the data. The data always remains with the user, who now has the ability to store that data with the participating Internet trust network provider — such as their own company or a site operator of their choosing. And in the same way that Microsoft and its Passport service today adhere to the highest bar with respect to protecting the user's data through stringent, third-party endorsed privacy guidelines, so too would the participants of this universal authentication network.
Microsoft's vision is that authentication services need to be as ubiquitous on the Internet as the Domain Name Service (DNS) that assigns and manages Internet addresses and domain names. For that to happen, no one single company can “own” authentication services.
Federation is the mechanism for how we will ensure that other authentication systems based on Kerberos, an open Internet standard, interoperate with each other in a way that is trusted and secure for the user. It is about providing an enabling technology that lays the foundation for massive adoption of XML Web services, which will recharge the high-tech industry with new business opportunities and let consumers take advantage of these convenient new services.
PressPass: How widely does Microsoft expect this federation to be adopted?
Payne: We strongly believe that a universal authentication model is extremely valuable to virtually every business. Over time we expect that this interoperability will become as important and ubiquitous as interoperability of e-mail is today. So, I guess you could say we expect adoption to be very strong. Large businesses and corporations are especially interested in ways in which they can unite their divergent worlds of authentication within their own company's networks. They also want to enable users to navigate inside the company's firewall with just one authentication and a single sign-in, or when they need to visit the site or services of a trusted, third-party vendor, supplier or customer. For instance, imagine how easy an employee will find it to have just one password and ID that they can use securely when visiting their company's HR benefits page, then leave the internal site to visit their company's travel-services site — even though that site is run by an external vendor.
PressPass: How will you measure the success of this effort? What is the first milestone and when do you anticipate you will reach it?
Payne: Our strategy since Passport was introduced in 1999 has been to build a platform service that partners can rely on for secure authentication and the single sign-in capability that their customers value. This announcement enhances the reach of Passport into the enterprise and thus extends this same value to more users and more partners. We will continue to measure our success based on the number of users and partners that benefit from participating in this network of trust. The first milestone will be updating the Passport service with support for Kerberos, which will happen in calendar 2002 and will enable interoperability with other authentication systems.
PressPass: What criteria should users consider when deciding whom to trust with their data?
Payne: Enterprise customers already trust their IT departments with their business data. For these corporations, federating Passport is the ideal solution. Consumers and small businesses should look for mature, stable companies that have been operating high-scale services for some time. Many consumers already have trusted relationships with Internet service providers who supply them with e-mail and Internet access. For these service operators, federating Passport is also the ideal solution.
PressPass: What if companies who compete with Microsoft wanted to interoperate with Passport – would you support this?
Payne: Of course. All they would need to do is support the Kerberos 5.0 standard, and we would work with them on their certification for Passport.
PressPass: If this is an open platform, will it run on non-Windows platforms?
Payne: Absolutely. Kerberos is an open standard for which there are implementations on every major platform, including Solaris, HP-UX, AIX, Linux, Macintosh, and Windows. Information on the Kerberos standard can be found at http://www.ietf.org/html.charters/krb-wg-charter.html. MIT's reference implementations for Kerberos on many platforms can be found at http://web.mit.edu/kerberos/www/. Commercial implementations of Kerberos on various platforms can be obtained from a variety of vendors, including CyberSafe Corporation, Cygnus, OpenVision, Open Horizon, Cisco Systems, and Xylogics (part of Bay Networks).
PressPass: How will you maintain the strong privacy policies around Passport when third parties federate this?
Payne: Enterprise federation partners will have control over the privacy policies for their employees, just as their IT departments do today. Consumer federation partners will be required to meet the same high bar on privacy that we've set for Microsoft's own Passport service. If adherence to and enforcement of strong privacy policies are not met, then we will work with the provider to try and fix this problem immediately, or we will “turn them off” and continue to work to resolve the issue.
PressPass: Does this mean .NET My Services will support multiple authentication engines, as long as they are federated with Passport?
Payne: Yes. .NET My Services is the new name for the set of Web services that Microsoft previously referred to by the codename “HailStorm.” Federation of Passport will provide one common authentication system that could be utilized by all the partners and developers who build on those services. As I mentioned earlier, this effort will help build the foundation for widespread adoption of Web services, based on open standards.
PressPass: Are other authentication vendors likely to be impacted by this strategy?
Payne: We believe that federation of Passport will create new opportunities for authentication vendors to build their businesses. Microsoft is supporting enterprise adoption of Passport in an effort to help build the foundation for widespread adoption of Web services. In addition, it allows enterprises to maintain control over their local resources while still being able to interact with people, organizations and software that they don't control. And by federating Passport, developers can build integrated solutions using a common authentication model for both Internet and intranet solutions.