
Security Strategy

Gartner and Microsoft square off over 'ditch Passport' advisory

Analyst house doesn't pull its punches

Tags: passport, open source, gartner, microsoft

By Patrick Gray

Published: 19 May 2003 08:18 BST

Gartner's advice to its customers to sever all connections with Microsoft's Passport authentication service is "a little extreme", according to the software company.

The article, published on the Gartner website on 15 May, described the recent security flaw found in Passport as "huge", and said the system has "struggled to gain enterprise and consumer acceptance ever since it went live in 1999".

However, Calum Russell, a Microsoft IT infrastructure solutions marketing manager based in Australia, objected to the research report's findings. "I think the Gartner recommendations are not really constructive for customers," he said.

"I think the way we've responded to the [Passport] incident is testament to the [Microsoft security] processes... they are actually working."

The Gartner report savaged Microsoft, claiming the software heavyweight "failed to thoroughly test Passport's security architecture, and this flaw... raises serious doubts about the reliability of every Passport identity issued to date".

Gartner says its customers should "break all Passport connections until at least November 2003, until Microsoft can prove that its security is adequate. Or invest in an additional, more secure form of authentication".

Perhaps more radically, the article says "more vulnerabilities will likely surface in Passport", and even calls for an open source review of the code.

"The serious vulnerability in Passport will likely further delay any meaningful demand for such services until at least 4Q04. Microsoft can reduce this impact and regain market confidence by submitting Passport's code to a full open source review."

Gartner's Australasian research director, Steve Bittinger, makes no apologies for the article's stance.

"Gartner's advice here is that Microsoft definitely needs to build credibility... this is a major step back," he said. "Despite all the [security] efforts that Microsoft has been telling us about [this was] still a very simple, straightforward problem."

Russell disputed the claim by the researcher who originally found the flaw that he had contacted Microsoft before details of the problem were made public. "We've got absolutely no record of it," Russell said.

While he conceded there was "no excuse" for the vulnerability, Russell pointed out that it is easy for customers to find out whether they have been affected: because successful exploitation of the flaw reset the victim's password, affected users would no longer be able to log in to their accounts.

"They're entitled to react the way they want... [but] there are better ways of phrasing it," he said.

Microsoft has found itself on the wrong side of Gartner's recommendations in the past. In September 2001, Gartner strongly urged its customers to scrap servers using Microsoft's Internet Information Server (IIS) web server software.

"There were a few customer situations... it was a minimal impact of customers actually switching off. [They] got more serious about security, and that's a good thing," Russell said.

As for an open source review, Russell says it is very unlikely.

"I would doubt we'd go to an open source review. We'd use our existing processes like shared source and third party audits, which we've done before," he said.

Patrick Gray writes for ZDNet Australia.
