By Stephen H. Wildstrom
A reader writes: You once described Microsoft Passport as ill-fated (see BW, 3/14/05, "New Weapons to Stop Identity Theft"). I personally don't use it because, in my mind, a universal password shared by different servers is inherently more dangerous than even the same password for a number of different Web sites. Is my logic wrong? Should a concept like Passport be supported?
A: You've posed a simple question that requires a complex answer. It's like asking whether you're better off keeping 10 valuable items in 10 separate rooms, each secured by a relatively weak lock, or keeping them all in one vault secured by a very good lock. The vault can certainly provide the desired protection, but you need an excellent lock because, once people get past it, they have access to everything.
Hence, a single log-in system relies on a single password to secure everything, so it must provide excellent security.
LIBERTY FOR ALL?
Passport faltered for a number of reasons. Some had to do with the security design of the system itself, but those were fixable. The real issues were the widespread distrust of Microsoft's (MSFT) intentions and general lack of acceptance of a business model that could have given Microsoft a piece of every transaction secured by Passport. In the end, business issues -- far more than technical ones -- killed Passport.
The idea of a secure single log-in system, or "federated identity," is still very much alive. The most significant effort, Sun Microsystems' (SUNW) Liberty Alliance Project, now has the backing of more than 150 companies and organizations. But as you might expect, an enterprise answerable to that many masters tends to be ponderous, and actual deployments of the Liberty technology have been very slow in coming.
Microsoft has officially abandoned efforts to make Passport an industry standard, though it's still using what it calls .NET Passports to manage log-ins to Microsoft sites such as Hotmail and MSN.
Wildstrom is Technology & You columnist for BusinessWeek. You can contact him at firstname.lastname@example.org