It’s A Matter Of Identity:
Microsoft Passport Vs. The Liberty Alliance



11/16/01

On the web, it is increasingly important to be able to easily authenticate, that is, to prove to the site you are entering that you are who you claim to be.  This allows the site to be certain that information stored on your behalf isn’t shared with someone else and that the site can provide you with personalized information and offers that will make you a frequent, loyal, and satisfied visitor. 

Today, we authenticate (that is, identify ourselves) all the time.  Mainly we do it by signing in with a user name and password.  This leads to a variety of evils. 

  • Some users dutifully create a unique name and password for each site – but with dozens or hundreds of them, some visited only infrequently, no one can remember the information.  This forces users to write it down (or otherwise record it), making the passwords accessible to others, especially if the user chooses the Post-It on the computer route. 

  • Other users simply use the same user name and password for all their net transactions, but this could lead to all of their access rights being compromised at once by a single successful hacker attack.

  • Some users are beginning to try techniques that allow them to sign onto their computer once and have the computer itself provide the authentication information to each site through a single-sign-on scheme such as Microsoft’s Passport, Novell’s Single Sign-On, or others.

This has now become a major point of controversy because Windows XP, Microsoft’s new flagship operating system, incorporates Passport and uses it to enable certain OS features as well as providing single-sign-on and authentication.

Sun, which often seems to act from an anti-Microsoft strategy rather than from a product- or profit-oriented business plan, has sprung into action, creating a group of industry partners called the Liberty Alliance (http://www.projectliberty.org/) around the idea of a competing authentication standard. This has forced Microsoft into a somewhat more defensive position than it might have planned, soft-pedaling some of the things Passport can do and emphasizing how it fits into an open market with many players.

Intrigued by the level of noise (and the very strong positions taken by some commentators) we decided that it would be interesting to interview both players and draw our own conclusions.  Let us start this description of our findings by saying they each have strong points of view, but more in common than they might imagine.


Microsoft Believes They Are Already The De Facto Standard

Microsoft is in a strong position on authentication.  There are already 200 million active Passport users and Microsoft estimates that there are about two billion Passport authentications per month.  (That would mean an average Passport user is making 10 authentications per month, which isn’t much yet, considering normal user activities.  This is probably more a comment on the range of usage among users – some using Passport only occasionally and some many times a day – rather than an indication of overall low activity.) 

“Authentication is just another layer of function on the Internet,” said Adam Sohn, Product Manager for Microsoft’s .NET Core Service Team.

If you think of HTTP as being the connection layer, HTML the content layer, XML the data layer, then Passport (or Kerberos, its underlying standard) is the authentication layer.

Microsoft is clearly unhappy that Sun’s Liberty Alliance announcement is all about a federated (many cooperating companies) approach since Microsoft feels it had put out its own roadmap for federated authentication before the Sun announcement.  (That’s literally true – Microsoft announced a federated version of Passport on September 18th; Sun announced the Liberty Alliance on September 26th.  Do you sense spies lurking in trench coats?)  From Microsoft’s point of view, Sun is complaining about a non-issue.

Sohn stated firmly that if the Liberty Alliance came up with a scheme for authentication, Microsoft would want to work with that community (we think that means he would want Passport to interoperate with the Liberty Alliance’s authentication standard, not that it would be replaced by it).  The goal, after all, Microsoft said, is to get to ubiquitous single sign-on.  This shouldn’t – and probably couldn’t – be hosted by one company.

Rather, there will be communities of trust and users will choose which community they want to host their authentication and single sign-on. Microsoft suggested that anyone with lots of relationships might be or become a community of trust and that some of these communities already exist. Some examples might be Passport Trust Network (Microsoft and its partners), AOL and its partners, Yahoo and its partners, financial service networks (Cirrus, Plus), governments.  Any community could choose to be an authenticator in a federated scheme. 

Microsoft sees the future of authentication as a federated model which bridges these islands, permitting total local control but participation in a higher level network (much as a cell phone user, traveling cross country, is passed seamlessly from carrier to carrier, without his knowledge or need to take action).  Microsoft believes such federation can take place around the Kerberos standard, which it has now incorporated into Passport.  (If your knowledge of Kerberos needs expanding, check out http://www.ietf.org/html.charters/krb-wg-charter.html.)

Think of this as a three-level transaction between people who provide IDs, a facilitator, and people/organizations who consume IDs:

  1. The user provides information to the authenticator and decides who may see it and under what circumstances (your mortgage company may get to see different information than a merchant you’re buying a book from).

  2. The authenticator holds user information and maintains the relationship with the user (usually based on something other than being the authenticator).  The authenticator decides on the rules for how information is protected, stored, and what may be accessed, within user permissions.

  3. The merchant or other user of authentications (it could be something as simple as a web site that requires users to log in) may ask for additional information beyond what is in the authentication – or beyond what the user permission offers access to.  It is up to the user and that consumer of the authentication to determine whether that information will be offered and whether access will be granted or denied.

Part of the confusion is that Microsoft isn’t just part of the authentication federation with Passport, but is also a consumer of the authentications, as when Passport information is passed to .NET My Services, but the user chooses what that relationship should be.  It’s optional.  Microsoft agreed that lots of user information may end up on a partner website, but that information wouldn’t be accessible to the authentication service; they’re separate.  Again, part of the problem here is whether users (one issue) and site owners of all types (a separate issue) will be satisfied that Microsoft will, in fact, keep its role (and the information they provide) quite separate.

Microsoft points out that the level of authentication provided today is only a hint of what might be available later when Smart Cards, perhaps amplified by PINs (personal identification numbers, like your bank card), or biometric identifiers (fingerprints, retinal scans, etc.) might also be part of an authentication process.

Passport lists its partners at a Passport Directory site http://www.passport.com/Directory/Default.asp?PPDir=C&lc=1033.  There are about 100 sites listed here.  About 15% of them are Microsoft sites.  The others are partners who accept Passport for authentication, ranging from big guys like Buy.com, Costco, and OfficeMax to lots of little sites you’ve never heard of.  Microsoft will need many more partners to make its community of trust an interesting experience without federation – which, in itself, is an argument for federation.

In any event, Microsoft is watching the Liberty Alliance and intends, if possible, to interoperate with it when and if it appears.

Sun Believes No One Should Own Identity

Sun says its motivation for getting involved in an authentication scheme isn’t about building PC software, but rather about trying to respond to customers who’ve been asking them for their opinion on the single sign-on and authentication issue, especially after Microsoft’s Hailstorm announcement made Passport seem much more strategic (and, we’d guess, threatening).  Sun says it took a couple of months to develop an opinion.  That’s where the Liberty Alliance comes from.

Sun’s Liberty Alliance is really just getting started.  After its September 26th announcement, there have been many expressions of interest.  A two-day Founders’ Meeting occurred on November 7-8. 

This is not about technology, says Sun, but rather about economics, commerce, and how society will run in the future.  They’ve been talking to the “namespace” companies, like major credit card issuers, financial services companies, large employers, retailers, and telecoms – the people with ongoing relationships with big communities of customers and/or employees.  These companies have value propositions to protect.

Collectively, the one thing they’re sure about is that no one company should control digital identity because it places too much power and too much data in one place.  It’s easy to enable authentication with a single operator, says Sun, but it’s very easy for that single operator to have too much power and control.  An open, federated approach, built on communities of identities is better.

Each community (set of customers or others) could offer an integrated and personalized service built on existing trust relationships.  Each user would have a single identity.  The customer information included in these customer identities is an essential part of making Web Services useful.  (I’m not sure I entirely agree with Sun on this; certainly Web Services offers an ability to personalize which can be compelling, but it isn’t the only thing Web Services offers.)

What is clear is that Sun’s message resonated with many CEOs.  In only six weeks they got from an idea to a supported decision to move forward on what is agreed to be an important strategic issue.  Companies need to be able to authenticate a network identity for consumers, employees, businesses, and devices (think cars, computers, phones, anything . . .) and they realize this is hard to do on their own.

A good analogy is what happened in the banking industry with ATM networks.  At first, everyone thought they needed to have their own.  Eventually smaller banks partnered with bigger ones.  Today, almost anyone with a bank card can use almost any bank machine – interoperability is nearly seamless.

That’s what needs to happen with authentication – there should be multiple systems that all interoperate.  In case you haven’t noticed yet, Microsoft and Sun are essentially saying the same thing.  The difference is that Microsoft wants to be one of the providers of authentication as a service and wants the standard it sets to be an important, perhaps the most important, one.  Sun wants to make sure that Microsoft’s importance is diluted by having many important authenticators support a different standard.

Of course, the Liberty Alliance doesn’t have a standard yet.  What it has is an idea about how to get to one.  They have met and decided to form a group (which any interested company can join – Microsoft and AOL were both invited; Microsoft says it might have an interest in joining the alliance under the right circumstances).  The alliance will be governed by a board and several layers of membership will be available below the board level.  Voting rights will be distributed by level.

So far, 34 companies have announced an interest publicly.  They include American Airlines, Bank of America, Bell Canada Enterprises, Cingular Wireless, Cisco Systems, Dun and Bradstreet, eBay, Entrust, Fidelity Investments, Gemplus, GM, Global Crossing, i2, Intuit, Nokia, NTT DoCoMo, RealNetworks, RSA Security, Sabre, Schlumberger, Sony Corporation, Sprint, Sun Microsystems, Travelocity, United Airlines, Verisign, and Vodafone.  Sun expects that a number of additional namespace and software companies will announce their commitment in the next 30 to 60 days.  About 2,000 companies have visited the web site, but that includes me (several times) and Microsoft.

Sun sees the authentication standard that will emerge from the Liberty Alliance as enabling a value chain to support Infrastructure, Managing Services, and eCommerce (especially billing – although we’d point out that authorization is quite separate from authentication).

While there may be a Liberty Brand there is no intention to offer a Liberty Service – Sun sees itself and the Liberty Alliance as an enabler, not a profit center.  We’d bet that someone else, however, may think that providing a Liberty Service, particularly for smaller firms, may be a business.

Sun sees the authentication process a bit differently than Microsoft.  The emphasis seems to be on what the merchant or circle of trust might need or want.  For example:

  1. Authentication should be offered in multiple levels; the authenticator determines what is required to initiate the registration of the ID (such as physical presence or biometric registration).

  2. The merchant would request authentication from the user, possibly requiring physical methods (SmartCard, biometrics, etc.).  The merchant determines the required level of authentication.  Whether a service is provided is determined by authentication and, if required, by authorization, a separate but related service.

  3. The merchant may offer to share customer data with the circle of trust or others (presumably with user permission).

  4. Authentication remains with a user during an open session.
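To make the two descriptions concrete, here is an added Python sketch (not code from Microsoft, Sun, or the Liberty Alliance, whose protocols were not published when this was written) that models the three-level transaction described in the Microsoft section together with the points in Sun’s list above: the user decides which attributes each site may see, the authenticator releases only that subset in a signed assertion, the merchant checks the assertion’s audience, freshness and assurance level, and then makes a separate authorization decision.  All names, attributes, keys and the HMAC-signed token format are constructed assumptions for illustration; a real federation would use per-party keys, PKI or Kerberos tickets rather than one shared secret.

```python
import hashlib
import hmac
import json
import time

# Constructed assumption: one key shared across the federation, so the
# audience check (not the key) is what stops an assertion being replayed at
# another site. A real deployment would use per-party keys or PKI.
FEDERATION_KEY = b"constructed-federation-secret"


class Authenticator:
    """The identity provider: keeps the user relationship and the user's
    per-site consent, and releases only what the user permitted."""

    def __init__(self, name):
        self.name = name
        self._users = {}    # user_id -> (attributes, assurance level)
        self._consent = {}  # (user_id, rp_name) -> attributes the user allows

    def register_user(self, user_id, attributes, level):
        # 'level' is the assurance established at registration, e.g.
        # 1 = password, 2 = password + PIN, 3 = smart card or biometric.
        self._users[user_id] = (dict(attributes), level)

    def grant(self, user_id, rp_name, allowed):
        # Step 1 of the flow: the user decides who may see what.
        self._consent[(user_id, rp_name)] = set(allowed)

    def issue_assertion(self, user_id, rp_name, requested):
        """Return (signed assertion, requested attributes that were withheld)."""
        attributes, level = self._users[user_id]
        allowed = self._consent.get((user_id, rp_name), set())
        released = {k: attributes[k] for k in requested
                    if k in allowed and k in attributes}
        withheld = sorted(set(requested) - set(released))
        claims = {"iss": self.name, "sub": user_id, "aud": rp_name,
                  "level": level, "attrs": released, "iat": int(time.time())}
        payload = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(FEDERATION_KEY, payload, hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}, withheld


class RelyingParty:
    """The merchant or site: verifies assertions, then decides separately
    what the authenticated user may do."""

    MAX_AGE = 300  # seconds an assertion stays acceptable

    def __init__(self, name, required_level):
        self.name = name
        self.required_level = required_level
        self._entitlements = {}  # sub -> actions granted by local policy

    def entitle(self, sub, actions):
        self._entitlements[sub] = set(actions)

    def verify(self, assertion):
        """Return (claims, 'ok') if the assertion is genuine, addressed to
        this site, fresh and strong enough; otherwise (None, reason)."""
        expected = hmac.new(FEDERATION_KEY, assertion["payload"],
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return None, "bad signature"
        claims = json.loads(assertion["payload"])
        if claims["aud"] != self.name:
            return None, "assertion issued for another site"
        if time.time() - claims["iat"] > self.MAX_AGE:
            return None, "stale assertion"
        if claims["level"] < self.required_level:
            return None, "step-up required: level %d < %d" % (
                claims["level"], self.required_level)
        return claims, "ok"

    def authorize(self, claims, action):
        # Authentication says who the user is; this local policy says what
        # they may do. The two decisions are deliberately separate.
        return action in self._entitlements.get(claims["sub"], set())


def demo():
    """Constructed scenario: one authenticator, a bookshop and a mortgage company."""
    idp = Authenticator("community-idp")
    shop = RelyingParty("bookshop", required_level=1)
    bank = RelyingParty("mortgage-co", required_level=3)
    idp.register_user("alice", {"name": "Alice", "email": "alice@example.test",
                                "income": "constructed"}, level=2)
    idp.grant("alice", "bookshop", ["name", "email"])
    idp.grant("alice", "mortgage-co", ["name", "email", "income"])
    shop.entitle("alice", ["browse"])

    results = {}
    # The shop asks for more than the user permitted; income is withheld.
    token, withheld = idp.issue_assertion("alice", "bookshop",
                                          ["name", "email", "income"])
    results["withheld_from_shop"] = withheld
    claims, reason = shop.verify(token)
    results["shop_login"] = reason
    results["shop_attrs"] = sorted(claims["attrs"]) if claims else None
    # Being authenticated does not by itself grant every action.
    results["can_browse"] = shop.authorize(claims, "browse")
    results["can_purchase"] = shop.authorize(claims, "purchase")
    # The shop's assertion replayed at the bank is rejected: wrong audience.
    results["replay_at_bank"] = bank.verify(token)[1]
    # A genuine bank assertion is still rejected: the user's level 2 is below 3.
    bank_token, _ = idp.issue_assertion("alice", "mortgage-co", ["name", "income"])
    results["bank_login"] = bank.verify(bank_token)[1]
    # Altering a released attribute after issuance breaks the signature.
    forged = {"payload": token["payload"].replace(b"Alice", b"Mallory"),
              "sig": token["sig"]}
    results["tampered"] = shop.verify(forged)[1]
    return results
```

Calling `demo()` walks through the whole exchange: the bookshop receives name and email but not income, the mortgage company refuses the level-2 login until the user steps up, and the bookshop’s token cannot be reused elsewhere.  The point the article makes in passing, that authorization is a separate service from authentication, shows up as `authorize` consulting the site’s own entitlements after `verify` has already succeeded.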

This Is All About Competition – As Usual

So if the standards will turn out to be similar, why are we going through this time-consuming exercise?

Sun and many members of the Liberty Alliance are nervous at the thought of Microsoft or any single company being in control of identity or possibly charging for authentication.  As a group, members seem to believe that the consumer should pick a steward of his Network Identity based on his own existing relationships and that there should be an environment that enables competition for that trust.

Unfortunately, the roadmap is not as persuasive:

The Liberty Alliance is currently in an early stage.  It intends to leverage as much of the existing standards work as possible and, when its work is completed, to turn its own standard over to an independent (the implication was an existing) standards group.  The Alliance is intended to focus on a simple set of basic capabilities, permitting developers to do the rest.

Sun estimates that they will have a standard ready by the end of the first quarter of 2002, pilots against that standard in the second and third quarters, and a commercial rollout in Q3, 2002.  The kindest thing we could say about that schedule, especially since the group itself is still in the formative stages, is that it’s very ambitious.  The funding structure has not yet been determined and important players (IBM, for example) have yet to say whether they intend to participate.

We’d guess that Sun is hoping for some short cuts.  By placing all governance in a governing board, it may be possible to shortcut the decision process that usually hobbles standards setting groups – but it may also injure the consensus building process that a slower pace permits.

Sun expects that the group will pay for R&D, some limited compliance testing, and some marketing.  Just how all that will work is still a bit foggy.  Liberty isn’t going to be a standards body, but rather a group that selects and embraces existing standards and runs on most technologies.  There isn’t intended to be any product, but there might be a reference model to assist in getting the process started.  The software itself would best be served (Sun speaking here) if it could be distributed under a royalty-free model, although other ideas are still being discussed.

Questions remain.  If the Liberty Alliance chooses Kerberos as their standard, which guarantees interoperability with Passport, can we declare this a done deal and all go home?  Microsoft has already agreed on a federated model with many authenticators so that doesn’t seem to be the issue.

If customers are concerned about what authenticators do with the information they collect, that will be an issue between those customers and that authenticator.  Microsoft, for instance, has a multi-part problem.  In Passport, it is only collecting fairly minimal information.  But when the merchant or service provider is also Microsoft much more information would naturally be collected.  It isn’t clear to me that users are unhappy about this, but competitors certainly are.

Finally, it will be most of a year before the Liberty Alliance is ready to roll out its authentication standard.  By then, we’d expect that Microsoft will have five million or more Passport users.  Of course, that’s just a drop in the bucket, but it will make it harder for another standard to get started – unless they decide to shake hands and make sure that they all smoothly and seamlessly interoperate.

Then, I think, it’s a race to see who gets to be your authenticator.  Remember, Microsoft gets to meet people at the operating system, browser and office suite level, early and often.  I suspect we’re going to see credit card companies, e-tailers, financial service companies, and software vendors offering some very interesting bribes to customers who agree to try out their authentication schemes.  This could be like the credit card interest game, where skillful players change their relationship twice a year to their financial advantage.

     


Comments or Questions: Send Email to opinions@wohl.com


Entire contents © 2001  by Amy D. Wohl. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden.