Thursday, 2 July 2009

Microsoft Passport - A Single Sign-on System

Microsoft passport is a facility from MS which offers single sign on capabilities. With SSO, user don't need to remember each password for each service providers. This will eliminate the need, burden for many, of creating/maintaining and remembering different user IDs and passowrds for various web sites or services. When you authenticated to a universal authentication sign-on service, your service provider relies on the information from the SSO server.


For example, you want to use the services from example_flightbooking.com, a web site which provides services for booking flights online. This site accepts your credit card and otehr personal information and you expect those personal information would be kept secured.

Another service where you would want to book your accommodation at the place where you are flying to, using the web site, example_hotelbooking.com. This site provides services for you to view and book hotel rooms online. Authentication to this service provider is done by providing a seperate user name and password same or different from example_flightbooking.com

If the user chooses to use same User ID and Password for these two sites, there comes a major risk. If one of the site is fraduelent or an attacker obtains the User ID and password by means of social engineering, phishing and/or sniffing etc, he can use this User ID and password for both the sites and can obtain personal information stored in these sites, along with Credit card and other vital informations would be lost and the user would become a victim of Identity Theft.

Alternatively, if you choose to different User IDs and passwords with each of the service providers, users have the burden to remember all these login credentials. Chances are there for using same credentials or easily-comprimisable credentails.

Single Sign-on helps to reduce this problem to a great level. With this Universal Authentication service system, both Users and Service providers (like example_flightbooking.com, example_hotelbooking.com) trust a universal authentication service system.

There are a number of steps for successful enrolment and using the SSO. First Service Providers should be enroled with SSO servers by means of a contract. Some SSO needs a fee to use their service. Secondly, users who wish to use services from Service providers also need to be enroled with the SSO.

Whenever a service provider needs a user to be authenticated to use their service, the service provider redirects the user to the SSO login page. User provides the credentials he/she registerd with the SSO. ON successful login, SSO issues a ticket or a cookie, which are generated using cryptographic means. An example can be a shared key between the Service provider and the SSO (usually a shared thriple DES key). After this, when the user access the Service providers site, the ticket from the SSO is provided which will be verified by the service provider (here, as we mentioned, by a shared key agreed between the service provider and the SSO server). If its verified to be issued by the SSO, the user is authenticated.

Examples of SSO are MS Passport system which supports Kerberos protocol to issue a ticket to the service provider.

Advantages for the user is it helps to eliminate remembering various passwords. Also, they can trust a service provider as their enrolment with a SSO system gives some trust to the end user.

Disadvantage is that the server could be a single point of failure. That is, for example, if the MS Passport server which grants the service fails, the user won't be able to use any services offered by Service providers who use the Passport server system.
One of the threat can be a Denial of Service (DoS) attack to the central server which makes it impossible of users and merchants to access the MS Passport Server.
Like wise, if the central server is compromised by an internal or external intruder, all the data can be taken away and can be used fraud purposes.

No comments:

Microsoft Passport - A Single Sign-on System

Microsoft passport is a facility from MS which offers single sign on capabilities. With SSO, user don't need to remember each password f...