A yolk too far: Microsoft does Egg's security

Online bank Egg is to use Microsoft's controversial Passport authentication software to give users access to their accounts, despite widespread concern that Microsoft's security technology isn't up to the job.

Egg CIO Dana Cuffe will move over to the web-based system when a full assessment is completed, and currently has no timeframe for the move.

Analysts immediately criticised the move and claimed the system isn't good enough for banking.

Jose Lopez, research analyst for Frost and Sullivan's security division, said: "Passport is not good enough - not at all - for the purposes of online banking. Any other bank will tell you the same thing."

He cited past security problems and added: "I think many Egg customers would leave if Microsoft did its authentication."

Ian Brown, security expert and researcher at UCL, said he would not be comfortable banking at Egg if it moved to the Microsoft platform for authentication. "I would certainly think twice about my Egg account," he said.

Egg is an early adopter of Microsoft's new operating system, Windows XP, and a firm supporter of its .NET strategy, but thus far it has used Entrust technology to authenticate its customers online.

Cuffe said he planned to replace Entrust's GetAccess product with the Passport system.

He told silicon.com: "At first we will use Passport alongside GetAccess but the aim is to replace it entirely. At the moment we're still to assess and validate the system, but the assumption is that it will be rolled out."

The news is a boost to Microsoft, which has faced stern criticism in recent months for the poor security of its products as well as increasing concerns about the ramifications of Passport on user privacy and security.

Bill Malik, VP at Gartner Group, said: "This is a real coup for Microsoft. To persuade someone with the heavy fiduciary responsibilities of a bank that Passport is adequate."

Passport is the authentication system Microsoft currently uses to identify Hotmail users, but will ultimately be the way in to a wide range of .NET services, theoretically allowing a user to sign in just once for multiple services.

Passport has faced criticism both because of the nature of its design gives hackers just one entry point to a wide range of valuable information, but also because many suspect Microsoft particularly is ill-equipped to deliver such a service, given its poor record on computer security.

Microsoft was unable to provide a spokesperson to comment on the story.