The lynchpin of Microsoft's web services - the Passport authentication service - has been found wanting in a study by two senior AT&T scientists.
The authors credit Passport with being an ambitious model, but warn that "the system carries significant risks to users that are not made adequately clear in the technical documentation available."
The report was written by Aviel Rubin, a USENIX board member and co-author of the Web Security Handbook and Dave Kormann, a fellow AT&T Research Labs staffer.
"Passport's attempt to retrofit the complex process of single sign-on to fit the limitations of existing browser technology leads to compromises that create real risks"
Microsoft doesn't take all of the heat: Rubin and Kormann say that without changes to the SSL model, for example, systems that depend upon its delegation and certification such as Passport will inevitably contain flaws.
However, Microsoft is criticized for failing to provide an authenticator, and for failing to prevent 'rogue merchants' to steal details using redirects, either by HTTP redirects or fake DNS records. These are vulnerability of merchant sites already, only compounded when a web of many merchants depend on Passport and Passport alone, which is very much Microsoft's grand vision of Hailstorm.
The researchers make some recommendations, including using rotating keys to encrypt cookies, using a challenge-response system instead of a password, and ensuring SSL is used for all transactions.
You can read the Rubin and Kormann paper here.®