Microsoft Bolsters Passport Security

Next version of the online authentication service will require users to submit valid e-mail addresses as sign-in names when creating new accounts.

Microsoft Corp. on Tuesday will announce a set of changes designed to improve the security and privacy of its Passport online authentication service.

The company will include all of the changes in version 2.5 of the Passport service, due later this month.

The most significant change requires users to submit a valid e-mail address as their sign-in name when creating a new account. After the account is created, an automated message containing links needed to validate the account will be sent to the e-mail address.

Also, users who try to change their sign-in names after the release of 2.5 will have to use a valid e-mail address as well.

Microsoft is also moving the user interface for Passport into its .Net domain in order to separate it from the service's cookies, stored in the domain. The company says this will help ensure that simple Web-based attacks such as cross-site scripting can't gain access to the cookies, which store user data.
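The effect of that separation can be modeled with the cookie domain-matching rule browsers apply (RFC 6265, section 5.1.3). The sketch below is an added example, not Microsoft's code; the hostnames, cookie names and helper functions are constructed placeholders.

```javascript
// RFC 6265 section 5.1.3 domain-match, simplified to hostnames (no IP literals).
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  // Exact match, or host is a subdomain; the "." stops "evilauth.example"
  // from matching a cookie scoped to "auth.example".
  return h === d || h.endsWith("." + d);
}

// Names of the cookies a script running on `host` could read via
// document.cookie. HttpOnly cookies are hidden from script everywhere.
function cookiesVisibleToScript(host, jar) {
  return jar
    .filter((c) => domainMatches(host, c.domain) && !c.httpOnly)
    .map((c) => c.name);
}

// Constructed cookie jar: the service's cookies live on one domain,
// the sign-in UI's own cookie on another.
const jar = [
  { name: "auth_ticket", domain: "auth.example", httpOnly: false },
  { name: "profile", domain: "auth.example", httpOnly: false },
  { name: "ui_lang", domain: "ui.example.net", httpOnly: false },
  { name: "ui_session", domain: "ui.example.net", httpOnly: true },
];

// Before: UI served from a host inside the cookie domain. Script injected
// into a UI page sees the service's cookies.
function uiOnCookieDomain() {
  return cookiesVisibleToScript("login.auth.example", jar);
}

// After: UI served from a separate domain. The same injected script
// only sees that domain's non-HttpOnly cookies.
function uiOnSeparateDomain() {
  return cookiesVisibleToScript("login.ui.example.net", jar);
}

console.log("UI on cookie domain:  ", uiOnCookieDomain());
console.log("UI on separate domain:", uiOnSeparateDomain());
```

The separation only limits what a script injected into the UI pages can read; a page served from the cookie domain itself is still within scope of those cookies.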

The company is also making it easier for users to close existing Passport accounts, by creating a link in the .Net Passport Member Services page. Currently, users have to pore over the Passport privacy statement in order to find instructions for closing their accounts.

Microsoft, of Redmond, Wash., also announced that it is launching a new service called MSN Wallet, which will eventually replace the Passport Express Purchase service.
