 |
• May 19, 2003 •
Market research group Gartner last week issued an advisory titled: Security Flaw Shows Microsoft Passport Identities Can't Be Trusted, advising that financial institutions, credit card issuers, retailers and other enterprises that use Microsoft Passport for any meaningful business purpose immediately break all Passport connections until at least November 2003, until Microsoft can prove that its security is adequate. Or invest in an additional, more secure form of authentication for all issued Passport identities.
In addition Gardner advised those institutions to contact all their customers who use Passport and make them aware of Microsoft's recommendations for Passport account holders.
This advisory comes after the latest security flaw that hit Microsoft's Passport service on the 7th May. The flaw, in Passport's password recovery mechanism, could have allowed an attacker to change the password on any account to which the user name is known. The flaw was disclosed Wednesday evening on the security mailing list Full Disclosure.
While Microsoft fixed this particular vulnerability within a day, Gartner analysts say that "as with any piece of software with serious security flaws, more vulnerabilities will likely surface in Passport" and that "Enterprises considering Passport services should delay adoption until at least November 2003 or until Microsoft has completed a thorough security review of Passport, including outside reviewers."
