Developing .NET Applications Using Passport

Developing .NET Applications Using Passport
Could Passport be Web services first-class ticket?

Web services have rapidly become the de facto standard for application-toapplication interoperability, and they are now one of the most frequently used designs in the enterprise architect's toolbox. Furthermore, Microsoft's Visual Studio .NET integrated development environment has proven to be one of the quickest and easiest ways to develop and deploy them.

Microsoft Passport has been available as a Web service for some time, but due to its structure and security concerns only larger enterprises having the infrastructure to support and develop applications, such as Citibank and eBay, really took advantage of it.

Passport is now a viable application to expose as a Web service to the middle tier, so corporate accounts can include Passport into new and existing applications. The reality of using Passport as an entry point for Web services developed on the .NET platform is here. With 200 million accounts, Passport could make applications coming out of a wider range of corporations more accessible in the near future. But there are some necessary steps to take, and some hurdles to avoid in the development process.

How Passport Works
Passport provides a centralized authentication system for all .NET services. Its single sign-in (SSI) technology means users no longer have to remember multiple user names and passwords for every Web site that requires them to log in. A single Passport account serves as identification to enter all participating sites.

Companies can employ this already-available authentication tool to implement new applications that were not possible before. Without the underlying infrastructure or money to spend on new technology, but instead a large investment in Web services, companies can use Passport and hook up to a ready-made database of users that lets them in readily and easily. Another advantage is that the Web services option is both cheaper and easier than buying an additional authentication package or building it from scratch.

Development
Passport offers the capability for developers to bind authentication within XML Web services. It makes a lot of sense and takes away a lot of fears. Why should developers deal with writing all of the security levels and the useridentification list?

If VS.NET becomes the de facto standard for building Web services, developers know that Microsoft already has a sensible model for scaling, which is also cost effective. The issue is not which platform to choose, but rather how to use the tool effectively in business.

Developers need to work with line-of-business people to think beyond a single application to how the company can build a customer interface. This will help build solutions that can handle more customers with fewer resources and extend the reach of business applications.

It is clear that Web services provide value through interoperability across platforms and vendor offerings, but that value diminishes if users need to provide credentials every time a boundary is crossed.

In order to achieve an SSI system, the architecture of the system must be flexible enough to allow a method of authenticating users and services on the supply chain through disparate systems and networks. By adopting Passport as an authentication and identity provider – and a strategic approach to solutions architecture – developers and development teams can build security and identity into the boilerplate of the solution. This not only simplifies the complexity of building secure applications by outsourcing the identity and authentication piece to a "trusted" specialized agent, but also gives the Web service the ability to concentrate on the service provided and the authority to consume it.

Developers should consider the following goals when creating a solution:

Define the problem clearly and concisely

Develop a clear design and plan for building the solution

Establish an integrated team and ensure full communication at all levels

Set standards and respect them throughout the life cycle

Maintain a continuous risk management approach to all issues and decisions

Approach security with skepticism. Always analyze the implications of the components and how they can be used, not only how they will be used

Take an object-oriented approach to planning, designing, and developing

Usability and Integration
Companies will still have full control of the client's data, but will provide an alternate way to log in to the system. We are far from an automated, fully authenticated supply chain. Right now, Starbucks authenticates its users through Passport. They come into the site for the first time, log in to Passport, add an e-mail address to open an account with Starbucks, and link it to their Passport account. There is a trust agent to authenticate a user on the site, but users who prefer the traditional way can still open accounts with an e-mail and a password.

It will take time before Passport becomes fully adopted by the public. In the meantime, developers need to create solutions; using both proprietary authentication services and other agents such as Passport. Sites that can afford a single sign-in process, such as MSN, Hotmail, and other Microsoft family sites, can force people to use a single sign-in process, but other sites may be more hesitant, for fear of losing customers.

Security
There is always a trust issue with the question of how you can be sure that the information is truly secure and not being used by others. If you trust Microsoft with your operating system, why not trust this? The majority of users will already have a trust base with Microsoft, but the recent breaches in security have raised the question of whether Passport data could be more vulnerable. As the Passport database grows, the amount of information on users is huge, from MSN, Hotmail, and eBay for example. Microsoft already has access to these users, so there is no additional risk for a company in developing services for Passport users and giving anything else away.

The possibility of impersonation could potentially allow someone to go into Citicards.com, for example, and hack into the records. Because of this security risk, Citicards forces users to provide a second password registered on Citibank's records.

There is also a risk on the client side of creating cookies that can be captured and used for identity theft or impersonation. Web services will not create cookies on servers or databases. However, it takes only an insecure application and a careless user to capture a user's Passport credentials or impersonate a user. Some possible scenarios include:
1. A user is using a vulnerable browser (such as all IE browsers prior to 5.5) that exposes the cookies' content to hackers over the Web. The problem is not the cookies themselves, but the browser. Hackers do not need to decrypt the Passport token. Instead, they can use the token and retrieve the identity information.
2. Users go to a site that resembles a Passport log-in page and enter their credentials, which are then sent to the hackers.
3. When logging into Passport a user has checked the box that reads, "Sign me in automatically on this computer." This creates a cookie that will log the user in automatically to any Passport site. When this cookie is compromised, it exposes the greatest risk to the user.

Users should log out immediately after visiting a Passportenabled site. This process will destroy the majority of cookies and the user will be protected.

Measures Microsoft Can Take to Ensure Security
To ensure security, Microsoft needs to manage the media and manage the issuance of patches to their software as vulnerabilities are either exposed or identified. Microsoft has already taken the Secure Code/Applications initiative. Codes and applications are analyzed from a security standpoint and security experts assess all applications and identify all potential security flaws and risks, mitigate the risks, take proper action, and ensure that only certified code is issued. This initiative comes from the inside out and will change the way applications are developed and used on the Microsoft platform. Perhaps this past year's Windows 2003 release has helped users to begin identifying Microsoft as a secure platform. But it will take years to change Microsoft's unsecure branding, and the competition will continue to exploit this weakness.

Measures Developers Can Take to Add Further Security
It is very difficult to build a totally secure system, but there are certain variables provided by the browser that can be used to further validate a user and make this type of attack more difficult. There are a couple of features developers can use to ensure further protection to their users, but each requires extra coding and administration.

Using the hashed value of the UserAgent header as an additional identity token. To replicate this, a hacker would need to replicate the user's browser; a task that while possible, will definitely add an extra layer of complexity

Time the session out in a shorter timeframe. This forces the user to reenter the password upon timeout

Use the IP address as a validation point. Certain Web technologies, such as Web proxies, would need to be considered, but this would add an extra layer of validation to the authentication process

Require users to provide their password when purchasing items.

Make sure that when the user is leaving a site, all high-risk cookies are deleted from the system.

What Does the Future Hold?
The largest issue ahead in spreading adoption is the education of corporate IT to demonstrate what Web services buys you and why you want to do it. The decision and the image come from the corporate level and spread through the media. In the face of recent fears, developers cannot do much to change this. Gartner's suggestion of submitting Passport's source code for opensource review to regain trust would be a solid step in the right direction.

The future of .NET Web services and Passport is still unclear. The first step is the identity and authentication standard that was recently released. An architecture and development team can see and understand the technical benefits of having all applications distributed and working as Web services. For business, the idea of turning information into a service is amazing progress. The concept of offering an application as a service and charging for its use or consumption is a paradigm shift for the software industry.

On the Passport side, there are other competitors starting to gain further momentum, and it is possible that other technologies for identification and authentication will become more accessible to the public. Web services will continue to evolve and will eventually offer services never imagined before.

Author Bio
Ted Dinsmore is president of Conchango New York, which he founded in 1997. He has since built it into a full consultancy, establishing practices in the Connecticut and Boston markets. He is responsible for sales and business development in the Northeast region, with a customer base of Fortune 500 firms. In addition, he has built a relationship with Microsoft to provide solutions in the New York and New England marketplace for international clients.