Passport, you may recall, is a service Microsoft offers to allow users to create a single logon for Web sites, instant messaging, e-commerce, and other online activities. The company is moving Passport into a Web services model, and will soon release a federated trust server that will help Windows-based enterprises link internal user authentication to Passport accounts on the Internet. Microsoft claims hundreds of millions of Passport "users," but most of those are really Hotmail accounts, where a Passport account is a requirement.
Last week, Microsoft fixed a major Passport vulnerability that could have allowed hackers to usurp control of users' accounts. And this is the reason Gartner is recommending that companies--specifically financial institutions, credit companies, e-commerce sites, and anyone else using Passport for "meaningful business purposes"--immediately drop Passport and wait for the November release of a Passport update, which will feature more secure authentication technologies. The parallels to Gartner's advice about IIS are staggering. Then, Gartner advised companies to immediately drop IIS until a more secure version (IIS 6, part of Windows Server 2003) was released. And then, as now, the company offered absolutely no usable advice about what companies can do in the meantime. In other words, they have identified a problem, but offer no real solution.
"We think that the recommendations Gartner makes are not constructive for customers," a Microsoft spokesperson said. "While we know that we can always do better, we believe we have a solid set of processes and procedures in place to run Passport as a trusted service.