Microsoft targets user/password morass

The software maker plans to announce new technology, code-named TrustBridge, that will allow businesses to authenticate user identities between companies and applications using Web services standards.

With TrustBridge--which will debut next year--Microsoft is attempting to solve a common problem faced by workers in big companies: too many user identifications and passwords, said Adam Sohn, a product manager at Microsoft.

While Microsoft's existing Passport single sign-on ID system is targeted at consumers, TrustBridge will let business users log onto Windows-based systems hosted locally, or remotely at partner companies, using a single ID.

That ID can be created through Passport, Active Directory, Microsoft's directory server software included with Windows, or through any other ID system on any operating system that supports Keberos, a network security standard.

Kerberos is already supported by Microsoft in its Windows operating system. The software was developed by the Massachusetts Institute of Technology.

Microsoft has not yet decided how to package TrustBridge, Sohn said. It could become part of the Windows operating system or it may be sold as a separate software product.

TrustBridge will use a Web services standard called the Simple Object Access Protocol (SOAP) to pass user ID information over Hypertext Transfer Protocol (HTTP)-based networks, Sohn said. HTTP-based networks provide ordinary Web access for nearly every company.

TrustBridge would make it easier for a company to work with outside partners and suppliers. For instance, an automaker could use TrustBroker to give engineers at a parts supplier access to an internal manufacturing system. Or, a company could use the software to make it easier for employees to access benefits information managed by an outside provider.

Analysts said the TrustBridge "federated" security concept could help Microsoft sell more software to big businesses, especially those that still see Windows as not secure enough for their most important applications.

"Microsoft seems more sensitive to what companies need to secure systems," said Ted Schadler, an analyst with Forrester Research. "The roadmap for TrustBridge looks good. It shows (Microsoft customers) how to get there and where the company is headed."

But Microsoft still has to convince technology buyers that it understands how to build secure software, despite a long list of ills affecting Windows, Internet Explorer, Internet Information Server and other products. "Bill (Gates) has been pushing security pretty hard lately, and that's good. But to (put security) into products takes time," Schadler said.

Also, Microsoft's TrustBridge plan doesn't immediately address the Liberty Alliance Project, which also seeks to establish a standard method for online identification. Microsoft rival Sun Microsystems is a major backer of the Liberty Alliance.

While both Microsoft officials and Liberty Alliance members say the two sides have discussed a union of some sort, no agreement has been reached.

TrustBridge is based on Web services security work done by Microsoft in conjunction with IBM and VeriSign. That work focused on a specification called WS-Security that the companies announced in April.

Microsoft later this week also plans to detail a roadmap for revising existing products to work with TrustBridge:

• Passport will be revamped next year to support Kerberos and SOAP messages over HTTP;

• Visual Studio.Net, Microsoft's development tool package, will be updated later this year to allow developers to add digital signature support and SOAP message encryption;

• Windows .Net Server, the next major release of Microsoft's operating system expected to reach customers early next year, will support Passport authentication through Active Directory and Internet Information Server.

Microsoft has not announced pricing or packaging information for TrustBroker. More information will be released later this year, Sohn said.