MS Passport white paper

By Doris Dunn, 2014-02-06 22:05

    Microsoft .NET Passport

    Technical Overview

    September 2001

    Abstract

    This document provides a technical overview of the Microsoft .NET Passport service.

    Microsoft Passport Technical Overview

    The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

    This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESSED OR IMPLIED, IN THIS DOCUMENT.

    © 1999-2001 Microsoft Corporation. All rights reserved.

    Microsoft, MSN, Hotmail, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

    Other company and product names mentioned herein may be the trademarks of their respective owners.

    Microsoft Passport ii


    Contents

    Introduction ................................................................................................. 1
    How .NET Passport Works ............................................................................ 2
        .NET Passport Account ................................................................................. 2
        .NET Passport Account Creation and Sharing Options .................................. 3
    Microsoft .NET Passport Single Sign-In ........................................................... 7
        Standard Sign-In ................................................................................... 8
        Secure Channel Sign-In ........................................................................ 14
        Strong Credential Sign-In ...................................................................... 15
    Microsoft .NET Passport Express Purchase .................................................... 17
    The Kids .NET Passport Service ................................................................... 18
    .NET Passport and Mobile Devices ............................................................... 18
        PocketPC and Stinger Phones ................................................................. 19
        Mobile Phones ...................................................................................... 20
    .NET Passport and Windows XP ................................................................... 22
    .NET Passport Benefits ............................................................................... 24
        For Users ................................................................................................. 24
        For Businesses .......................................................................................... 25
    Implementing .NET Passport ...................................................................... 25
    Appendix: Glossary of Technology Terms ................................................... 26


    Introduction

    Microsoft .NET Passport is an online service providing common Internet authentication across Web sites. By creating a .NET Passport account, users can move easily among participating sites without the need to remember a specific set of credentials for each of them. This means that users need only one sign-in name and password for all participating sites and that the users' credentials are stored in a single secure place.

    Sites become participating .NET Passport sites by implementing the .NET Passport authentication service, called .NET Passport single sign-in (SSI). Participating .NET Passport sites rely on .NET Passport to authenticate users and save time and money by being relieved of the need to build, host, and maintain their own proprietary authentication system. Developers can concentrate instead on their sites' own value-added features. However, .NET Passport does not authorize or deny a specific user's access to individual participating sites; Web sites that implement .NET Passport maintain control over permissions.

    In their .NET Passport Profile, .NET Passport users can also store additional optional information such as demographic or preference data (for example, gender, occupation, ZIP code, or language preference) or their first and last names in their .NET Passport account. Depending on their choices, users can share part of this profile information with participating sites during the authentication process. In addition, .NET Passport users can also store credit cards and addresses in their .NET Passport wallet and make quick, secure purchases online through the .NET Passport express purchase service.

    .NET Passport was initially released in 1999 and is the most widely used service of its kind, with more than 165 million accounts as of July 2001. Microsoft entrusts its own online properties to .NET Passport for authentication, as do a fast growing number of Web sites and services.

    A .NET Passport goal is to provide the best Internet-wide user authentication system: a system that provides an optimal balance of security, privacy, flexibility, and usability.

    Because trust is a central issue for users and participating sites, a key factor in .NET Passport success lies in ensuring the highest possible levels of security and privacy. Because .NET Passport uses an elaborate authentication model, users can visit participating sites without sharing their credentials (such as their e-mail name, phone number, or password) or personal data.

    In addition to the standard sign-in, participating sites can request two further security levels, secure channel sign-in and strong credential sign-in, to get the most secure and flexible authentication available on the Internet today.

    Maintaining online privacy and security requires reliable technology, all-inclusive policies, and user responsibility. To ensure privacy and the protection of personal information, Microsoft is committed to following the strongest recommendations and industry standards and to expanding users' control over their information and other parties' access to it.

    Finally, no amount of technical security can prevent a user from writing a password on a scrap of paper and keeping it under the keyboard or on the monitor. That is why .NET Passport aims not only to provide the best technology but also to educate users on good practices.


    .NET Passport's authentication features also make it a foundation service of the emerging Microsoft .NET platform. Identifying and authenticating users as unique in order to connect them securely to their information and Web services, and to allow different online sites and services to collaborate on the user's behalf, anywhere, using any Web device, is fundamental to the .NET goal of secure, distributed computing between the Internet and client environments. .NET Passport and .NET will help users unlock the Internet's full potential by enabling them to control their information and personalize their Web experience to an extent never before possible.

    This document describes the current version of .NET Passport.

    How .NET Passport Works

    .NET Passport supports authentication across multiple sites and services by hosting a secure central database that contains users' authentication credentials, an associated unique identifier called the .NET Passport Unique ID (PUID), and the registration and sign-in/sign-out pages, which participating .NET Passport sites can cobrand. When users sign in to a site, they are redirected to a secure .NET Passport Login server. .NET Passport first verifies that the site requesting the authentication is a valid participating site. Then it displays a page that asks users for their credentials. When .NET Passport verifies that these credentials correspond to a valid .NET Passport user, the user is authenticated. The user's PUID is sent to the site in a ticket encrypted using a key specific to the site. The .NET Passport password is never sent to participating sites.

    When the site receives the encrypted ticket, it decrypts it using its private key, extracts the PUID, and authenticates the user for this site. The site can then use this PUID as a key to access other information it gathers from the user. At this point, the site's privacy policy controls data usage. The site can then deliver personalized content or services.
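    The redirect-and-ticket flow above, modelled as an added example (not code from the paper or from the Passport service): a login server that checks the requesting site, verifies the credential, and seals the PUID into a ticket under that site's key, and a participating site that opens the ticket with its own key. All site names, keys, the account record and the 300-second lifetime are constructed assumptions, and HMAC-SHA256 stands in for the site-specific encryption the paper describes.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample data, not from the paper: one shared secret per
# participating site, held by the login server and by that site alone.
SITE_KEYS = {
    "shop.example": secrets.token_bytes(32),
    "news.example": secrets.token_bytes(32),
}
# Constructed account record: the credential is stored as a salted PBKDF2 hash;
# the PUID is the 64-bit identifier the paper describes.
_SALT = b"constructed-salt"
ACCOUNTS = {
    "alice@example.com": {
        "puid": 0x1234567890ABCDEF,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
    },
}
TICKET_LIFETIME = 300  # seconds; an assumption, the paper gives no figure


def _seal(key: bytes, payload: dict) -> str:
    """Seal a ticket under one site's key as base64(payload) + HMAC-SHA256 tag.
    HMAC stands in for the site-specific encryption the paper describes (the
    standard library ships no cipher); the property demonstrated is the same:
    only the holder of that site's key can accept the ticket."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag


def login_server_issue_ticket(site_id: str, email: str, password: str, now=None) -> str:
    """Login server side: check that the requesting site is a valid participating
    site, verify the user's credential, then hand back a ticket carrying only
    the PUID (never the password)."""
    if site_id not in SITE_KEYS:
        raise PermissionError("not a participating site")
    account = ACCOUNTS.get(email)
    if account is None:
        raise PermissionError("bad credential")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(candidate, account["pw_hash"]):
        raise PermissionError("bad credential")
    issued = int(time.time() if now is None else now)
    return _seal(SITE_KEYS[site_id], {"puid": account["puid"], "site": site_id, "issued": issued})


def site_verify_ticket(site_id: str, ticket: str, now=None):
    """Participating site side: open the ticket with this site's own key and
    extract the PUID. Returns None for a forged ticket, a ticket sealed for a
    different site, or one older than TICKET_LIFETIME."""
    body, sep, tag = ticket.partition(".")
    expected = hmac.new(SITE_KEYS[site_id], body.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(expected.encode(), tag.encode()):
        return None  # wrong key (sealed for another site) or tampered
    payload = json.loads(base64.urlsafe_b64decode(body))
    age = (time.time() if now is None else now) - payload["issued"]
    if payload["site"] != site_id or age > TICKET_LIFETIME:
        return None
    return payload["puid"]
```

    A ticket minted for shop.example is rejected by news.example even though both are valid participating sites, which is the site-specific-key property the paper relies on.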

    The following section describes what a .NET Passport account is and how users can create one. Then it details how this account is used during the single sign-in authentication process.

    .NET Passport Account

    A .NET Passport user account is made of four parts:

    - The .NET Passport Unique Identifier (PUID) is assigned by the .NET Passport service during .NET Passport account creation. The PUID is a 64-bit numeric value.
    - The .NET Passport User Profile contains:
      - The .NET Passport user's e-mail address or phone number. This is the only required profile information needed to sign up for a .NET Passport account at www.passport.com.
      - The .NET Passport user's first and last names (optional).
      - The .NET Passport user's demographic information such as postal code, country, and state or region (optional).
    - The .NET Passport Credential contains:
      - The Standard .NET Passport Credential. The user's e-mail address or phone number, which is stored in the .NET Passport user profile, and a password (or PIN) of at least six characters. An optional secret question and answer is used to reset the password. The standard credential is the minimum requirement needed to have a .NET Passport account and to use the .NET Passport authentication service.
      - An additional four-digit security key. This key is used when the user accesses sites requiring a strong credential sign-in. When created, the security key requires three associated secret questions and answers to reset it. The security key is created the first time the user accesses a site requiring strong credential authentication. (For more information, see "Strong Credential Sign-In" later in this paper.)
    - The optional .NET Passport wallet used by .NET Passport express purchase contains:
      - The user's credit card numbers and the associated expiration dates, billing address, and friendly names.
      - The user's shipping addresses and associated friendly names.

    To operate the .NET Passport service, .NET Passport also stores some operational data about the user account. This includes the version number, whether the account contains a .NET Passport wallet, and so on.

    .NET Passport Account Creation and Sharing Options

    Users create their .NET Passport account the first time they register for a .NET Passport. There are several ways to register:

    - By opening an e-mail account on MSN Hotmail.com or MSN.com. These accounts are automatically registered as .NET Passports.
    - By registering at a Web site that uses .NET Passport single sign-in, referred to in this paper as a "participating site." Participating sites automatically redirect users to a cobranded, centrally hosted .NET Passport registration page.
    - By registering directly at http://www.Passport.com/.
    - By using the Microsoft Windows XP Registration Wizard.

    By registering for a .NET Passport, the user creates a unique online authentication credential valid at any .NET Passport single sign-in site. This credential is linked to a .NET Passport Unique Identifier (PUID) assigned by the .NET Passport service. The amount of information users are asked for when signing up for a .NET Passport depends on the site where they register. For example, users registering at the .NET Passport site (http://www.passport.com/) are asked only for their e-mail address and password.

    The minimum information needed is an e-mail address and a password (or phone number and PIN). If the participating site asks for additional non-.NET Passport information, this icon () indicates the information that will be stored in the users' .NET Passport accounts. Information typed in fields not followed by this icon is not stored in the users' .NET Passport account.

    During .NET Passport creation, users have the following choices regarding the information they want to share with Web sites during subsequent sign-ins:

    - Whether to share their e-mail address.
    - Whether to share their first and last names. This option is available only if the first and last names are asked for during registration.
    - Whether to share all other .NET Passport profile information. This option is available only if additional profile information is asked for during registration.

    The site users register from can store all of the information the site required during .NET Passport registration. Other participating .NET Passport sites receive only the information users have decided to share. For example, users can decide not to share their e-mail address and their user profile information. In this case, when the users are authenticated, the participating Web sites receive only the users' PUID and certain operational data.

    For legacy technical reasons, e-mail addresses associated with Microsoft Hotmail, such as "@hotmail.com" and "@msn.com," are an exception: users' profile information stored in Hotmail-operated accounts is always shared with MSN sites when users sign in to those sites. This exception will disappear next year.

    When registering from the .NET Passport site or when accessing the Member Services pages, users have the option of creating a .NET Passport wallet to store credit card information and billing and shipping addresses. Wallet information is shared only when users use .NET Passport express purchase, described later in this paper.
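    An added example (not the paper's or the service's code) of the sharing rules described above, applied at sign-in: the PUID always goes, the registering site keeps what it required, other sites receive only the fields the user switched on, and the Hotmail/MSN exception overrides the switches for MSN sites. The profile, the site names, and the assumption that the registering site also receives anything the user chose to share are constructed.

```python
# Constructed sample data, not from the paper: one user's profile, grouped the
# way the paper's three sharing switches group it (e-mail, names, everything else).
PROFILE = {
    "email": "ann@hotmail.com",
    "first_name": "Ann", "last_name": "Lee",
    "postal_code": "98052", "country": "US", "language": "en",
}
NAME_FIELDS = {"first_name", "last_name"}
HOTMAIL_DOMAINS = {"hotmail.com", "msn.com"}   # the legacy exception in the paper


def profile_sent_at_sign_in(puid, profile, choices, site, registration_site,
                            required_at_registration, msn_sites):
    """Decide which account data a participating site receives at sign-in.

    - The PUID and operational data (here only a version number) always go.
    - The site the user registered from gets everything it required then
      (assumption: plus whatever the user chose to share with everyone).
    - Any other site gets only what the user switched on: e-mail, names and
      the rest of the profile are three separate switches, all defaulting to No.
    - Legacy exception: Hotmail/MSN addresses always share the profile with MSN sites.
    """
    sent = {"puid": puid, "profile_version": 1}
    domain = profile["email"].rsplit("@", 1)[-1].lower()
    if domain in HOTMAIL_DOMAINS and site in msn_sites:
        sent.update(profile)
        return sent
    allowed = set(required_at_registration) if site == registration_site else set()
    if choices.get("share_email", False):
        allowed.add("email")
    if choices.get("share_names", False):
        allowed |= NAME_FIELDS
    if choices.get("share_other", False):
        allowed |= set(profile) - {"email"} - NAME_FIELDS
    sent.update({k: v for k, v in profile.items() if k in allowed})
    return sent
```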

    At the end of .NET Passport account creation, the .NET Passport service starts a process to validate the e-mail address typed during registration. This process sends a message containing a URL to that e-mail address. By clicking this URL, users are redirected to a .NET Passport page where they can validate their e-mail address. This process ensures that the .NET Passport holder owns this e-mail address and lets the .NET Passport service flag the account as having a valid e-mail address. A .NET Passport is still usable even if the e-mail address is not validated, but in the near future .NET Passport will enable users to reclaim a .NET Passport if they own an e-mail address that has previously been registered as a .NET Passport.

    The following table exhaustively lists all the information a user can enter in a .NET Passport account. It also details the information required to create a .NET Passport when registering at the .NET Passport site (http://www.passport.com) and what profile information is shared at sign-in by default.


    .NET Passport account data                         Required during registration   Shared during sign-in
    --------------------------------------------------------------------------------------------------------------
    PUID
      .NET Passport Unique ID                          .NET Passport-defined          Yes
    User profile
      User's e-mail address or phone number            Yes                            User-defined; default=No
      First and last names                             No                             User-defined; default=No
      Country/region, postal code, and state           No                             User-defined; default=No
      Time zone, preferred language, gender,           No                             User-defined; default=No
        accessibility, occupation
      Full birth date, birth year or age indication    No                             User-defined; default=No
        (age >= 18, age < 18, age < 13, 13 <= age < 18)
    Credentials (standard)
      User's e-mail address from user profile          Yes                            User-defined; default=No
      .NET Passport password or PIN of at least        Yes                            No; never shared
        six characters
      Secret question and answer                       No                             No; never shared
    Credentials (strong, optional)
      Four-digit security key                          No                             No; never shared
      Three secret questions and answers               No                             No; never shared
    Wallet
      Card type, card numbers, name on card and        No                             No; shared only when using
        associated expiration dates, billing                                          .NET Passport express purchase
        addresses (first and last names, address,
        city, state/region/province, postal code,
        phone, e-mail) and associated friendly
        names (or description)
      Shipping addresses (first and last names,        No                             No; shared only when using
        address, city, state/region/province,                                         .NET Passport express purchase
        postal code, phone, e-mail) and associated
        friendly names (or description)


    The following figure shows the registration form presented to users at the .NET Passport site (http://www.passport.com).

Figure 1 Registration Form on www.passport.com


    Microsoft .NET Passport Single Sign-In

    Many authentication methods used by Web sites today do not use advanced security technology. This makes it easier for unauthorized people to gain access to personal information. To counteract this, .NET Passport uses secure communication protocols and powerful Internet security technologies, as described below, to prevent unauthorized access.

    Designing an authentication system that provides an optimal balance of security, flexibility, and usability means dealing with multiple contradictory constraints:

    - The service must be easy to use. For example, the users' identifier and password should be easy to remember and the service should work without needing any additional software download.
    - The service must be easy and cost-effective to implement so that all Web sites can take advantage of the technology.
    - The service must provide an adequate level of security.

    The demands of security, however, often conflict with ease of use and ease of implementation:

    - To protect the user's credentials, security can be strengthened by stringent password requirements such as long passwords; mixed-case, numeric, and symbol requirements; and password expiration. However, this increases the possibility of users making typographical errors and forgetting their passwords. Thus, effective security measures can reduce ease of use.
    - To avoid brute-force dictionary attacks on users' credentials, you can block access when there are too many unsuccessful attempts to authenticate. However, a malicious user could block the user account by intentionally providing incorrect credentials. This would prevent user access even to content with a low level of security, and it would force the user to go through a lengthy reset process.
    - While you can force communication to be end-to-end Secure Sockets Layer (SSL) protected, this might create an overload on the servers and lengthen download times for the user.

    .NET Passport solves these problems by:

    - Using standard Web technologies and techniques such as SSL, HTTP redirects, cookies, and JavaScript. Most administrators of Web sites that conduct e-commerce transactions or require user authentication are familiar with these technologies.
    - Implementing three security levels. Participating sites can request the security level of authentication they need based on the sensitivity of the content or service they deliver. In all cases, the .NET Passport password is never sent to participating sites, and authentication and profile information is always sent encrypted using a key specific to the site.

    Users do not have to download any .NET Passport software. .NET Passport is compatible with current browsers, such as Microsoft Internet Explorer, Netscape Navigator, and America OnLine (AOL).

    To implement .NET Passport single sign-in (SSI) and the optional Kids .NET Passport service, participating sites must install the .NET Passport Manager. .NET Passport Manager is a simple, server-side Component Object Model (COM) object that decrypts .NET Passport cookies, manages authentication and profile access, caches
