Passport Secure Sign-In

Provide Your Users with Secure Authentication Capabilities Using Microsoft .NET Passport

Michael Kogotkov-Lisin

This article assumes you're familiar with C#

Level of Difficulty123

SUMMARY

Secure sign-in, a new feature in version 2.0 of the .NET Passport single sign-in and profile service, is a functionality that will be especially useful for sites containing confidential information or anywhere security is a primary concern. Such sites include banks, medical sites, and so on. Secure sign-in is as safe as any SSL-based Web site login used today and provides a way to virtually eliminate vulnerability to replay and dictionary attacks.

This article explains secure sign-in and demonstrates how you can implement this feature with very little effort in either ASP using the Passport.Manager COM object or in ASP.NET using the .NET class PassportIdentity.

Contents

Standard vs. Secure Sign-in
Secure Channel
Security Key
Pluses and Minuses of Secure Sign-in
Secure Sign-in and ASP
Parameters of Login Functions
Secure Sign-in and ASP.NET
Developing in ASP
Developing in ASP.NET
Applying Passport to the Real World
Conclusion

Microsoft® .NET Passport is a single-login system that allows users to navigate across Passport-enabled sites without having to maintain a separate login at each site. It's a popular feature since it saves time and effort for consumers who visit sites that have implemented the system.

Secure sign-in is a feature of Passport that provides a more secure login than you can get with the standard Passport login. This is an especially important concern for banks, brokerage houses, medical sites, and anywhere a user keeps confidential data. Secure sign-in makes logging in with Passport as secure as any Secure Sockets Layer (SSL)-based Web site login used today.

In fact, implementing secure sign-in requires you to use SSL and special parameters for the Passport login functions. Except for requiring a browser that supports HTTPS (almost all browsers do today), secure sign-in does not impose any additional burden on your users. Developing a site that's enabled for secure sign-in is as easy as setting up a site for standard sign-in—it requires just a few lines of code.

In this article I'll compare sign-in approaches and describe the steps that are necessary to set up secure sign-in on your site. I'll look at secure sign-in through the lens of two programming paradigms, the Passport.Manager COM object and the PassportIdentity object in the Microsoft .NET Framework. Finally, I'll show some samples of Web pages that are designed to use secure sign-in. See the Glossary for definitions of some of the terminology used in this article.

Standard vs. Secure Sign-in

As I mentioned, there are several security concerns that Passport standard sign-in shares with other verification mechanisms. The first is vulnerability to a brute-force attack against a user's credentials. To reduce this vulnerability, login servers for .NET Passport implement a slow-down mechanism to discourage attacks based on repeatedly guessing passwords. After five consecutive failed login attempts, a user will be asked to wait five minutes before trying to sign in again. This functionality protects the user from being locked out of the site indefinitely while significantly thwarting a malicious user's attempt to gain access to the account.

A replay is another type of attack in which a login transaction is captured as it passes over an open HTTP connection. Passport is currently vulnerable to replay attacks, even though the ticket and profile are encrypted, because they're exchanged over an open HTTP connection. Someone listening in on the conversation could capture these packets and replay them, which would allow this hacker to impersonate the user until their login ticket expires. Login credentials (e-mail address and password), on the other hand, are sent to a Passport domain authority over HTTPS, so they are safe from exposure.

To avoid silent reauthentication, participating sites can require the user to reenter his or her sign-in name and password regardless of the user's current authentication state. By forcing a user to retype credentials, the site effectively denies access to someone who does not know the user's username and password.

Secure sign-in eliminates the vulnerabilities of standard sign-in by adding new features. The IsAuthenticated, AuthURL2, LoginUser, and LogoTag2 methods now accept a parameter that allows a participating site to indicate one of two new levels of authentication security. The first level, Secure Channel, requires the use of SSL communication for all authentication iterations. The second level, Security Key, requires that the consumer select an additional credential—a PIN—to sign in.

Secure Channel

The Secure Channel level of secure sign-in includes several new features to eliminate the packet-sniffing window of opportunity used in replay attacks. Secure Channel requires use of SSL communication for all authentication iterations. This level of security requires you to serve pages over HTTPS, which means that your site must have established and signed certificates from a certification authority (CA). If you've chosen to use cobranding on the login server and other network servers, each cobranding element must also be available via HTTPS. Finally, the secure sign-in page is cobrandable in the same way as the standard sign-in page. Inline sign-in is not permitted for gathering secure login credentials.

Secure sign-in writes a new secure cookie containing an encrypted Passport Unique ID (PUID) in the HTTPS header. Using HTTPS keeps packet sniffers from extracting this secure cookie, so they can't be captured and used for spoofing a user. To prevent cookies submitted in headers to the login server from being copied and used on other sites, Passport decrypts the secure cookie and checks against the user's PUID in the ticket. If there is a mismatch (or if no secure cookie exists), the user is not authenticated and must go through the steps to resubmit credentials. The ticket and profile are still written as plain text cookies so that they can be accessed by pages on your site that don't use HTTPS. Upon completion of any secure sign-in, Passport Manager writes the secure cookie into your domain as an HTTPS cookie.

The .NET Passport API will continue to retrieve the necessary time-stamping information from the regular ticket. However, if you specify SecureLevel=10 in Passport's login functions it means that you would like to check if the Secure Channel was used for the last user's sign-in. If, for example, the IsAuthenticated method returns True with this parameter, it means that the last sign-in wrote the secure cookie and that the PUID in the secure cookie must match the one in the nonsecure ticket.

An efficient use of secure sign-in would be to request it on the initial check for authentication when the user goes to the login server. Subsequent checks for authentication would use IsAuthenticated, specifying that the secure cookie should be checked. This action doesn't require another round-trip to the login server. Even if someone captured ticket or profile parameters from your site or managed to submit captured header cookies to the login server, the authentication would fail because there would not be a secure cookie to match the most recent ticket.

This option can be used separately without requiring a security key. To do this, the SecureLevel parameter of the Passport login function should be set to 10. This, in turn, will require the redirection URL to be HTTPS-based or authentication will fail.

Security Key

As mentioned, the Security Key level of security requires a PIN. This is considered strong security because it requires a hacker to compromise base credentials in order to attack a site (effectively increasing the overall security on a secure site), and because it is protected by a lock-out mechanism that goes into effect after five failed attempts. The security key does not automatically unlock; once the lock-out mechanism is triggered, the user must go through a reset process to regain access to secure sites. A PIN will usually be used to protect secure sites that deal with sensitive financial or personal information, where preventing access by an unauthorized person is more important than providing quick and easy logins for the user.

The Security Key level of secure sign-in was introduced in .NET Passport version 2.0 to support sites that had even higher security requirements than the existing sign-in over secure channels. The Security Key level of secure sign-in includes all of the features of the Secure Channel level, plus several others.

The first time a user attempts to access a site where Security Key is required, a Security Key selection page is displayed. The user must select a four-character Security Key along with three different secret question and answer combinations. This PIN is entered by the user to sign in to any site that has Security Key-level security. The secret questions and answers are used if the user needs to change or reset the Security Key. In the event the user forgets her PIN, she will have to go to Member Services, where the PIN reset process will ask her to answer her three secret questions.

E-mail is not used to reset a user's PIN. The Secure Key is intended to protect secure sites from vulnerable base credentials. Since the majority of Passport users use the base credentials to access their e-mail (especially users of Hotmail.com and MSN.com), using e-mail to handle PINs would allow an unauthorized user to circumvent these secure defenses and defeat the purpose of the feature.

Pluses and Minuses of Secure Sign-in

Your site might use secure sign-in if you are already using fairly long TimeWindows and you don't expect to make many further reauthentication checks. (The default is to keep a sign-in alive for 14,000 seconds or 4 hours. This is the registry default which is set when the Passport SDK is installed.) Longer TimeWindows increase the opportunity for replay attacks, but they provide better performance on a site because round-trip redirects back to the login server are minimized. You could also use secure sign-in if successful .NET Passport authentication gives your users access to extensive personal or sensitive information, such as transactional abilities or the ability to edit personal data above and beyond the .NET Passport profile.

The primary disadvantages of secure sign-in involve performance hits. Serving pages over HTTPS transmits more data because of the added overhead of the key exchange, which can take more time to construct and serve. HTTPS pages also take more time to load and render on the client. If your site does not expose extremely sensitive user data that's accessible after Passport authentication, or already uses small TimeWindow parameters to assure that sensitive data pages are difficult to access through replay attacks, the standard HTTP login servers and Passport Manager calls are probably adequate for your needs, as well as being more efficient.

If you use secure sign-in and secure authentication checks, it is not necessary to establish extremely short TimeWindows, especially when submitting these TimeWindow values to the login server when you call AuthURL2 or LogoTag2. Secure sign-in generally eliminates the chance of success of an ordinary replay attack, so constantly rewriting all cookies securely not only increases the load on the network servers, but slows load times for your site's pages because of frequent loads, rewrites, and redirects over HTTPS.Glossary

Here is some of the terminology used in this article. You can find additional terminology in the Passport SDK help file.

Domain authority A legal business entity that owns domains used for the purposes of issuing and operating .NET Passport accounts (Hotmail, for example). These entities must follow special privacy policies.

Participating site Any Web site that implements .NET Passport single sign-in. Note that to use many .NET Passport features and to access core profiles of users, a participating site must be registered. Registration entails providing URLs for your site, contact information, privacy policy, and so on. This also means that Microsoft will periodically audit your site for compliance.

Passport Unique Identifier (PUID) The combination of two .NET Passport attributes: MemberIDHigh and MemberIDLow. The resulting 64-bit value is the PUID that participating sites should use to index databases and uniquely identify users within their site.

Secure sign-in A feature of version 2.0 (or later) of the .NET Passport single sign-in and profile service. It expands standard sign-in and employs additional functionality to significantly reduce the possibility for hackers to log in to the account of the Passport user using replay and dictionary attacks. There are two levels of secure sign-in, Secure Channel and Security Key.

Sign-in The process of signing in to .NET Passport, submitting a sign-in name and password when accessing the login server pages using a browser.

Single sign-in (SSI) A process that identifies users. In the .NET Passport network, single sign-in involves obtaining and verifying credential information for a user with a .NET Passport sign-in name and a password to gain access to protected services. The term standard sign-in denotes nonsecure sign-in.

Ticket (Ticket cookie) A cookie used by .NET Passport for secure single sign-in and profile sharing. A ticket contains time stamps that participating sites and the Passport Manager object can use to determine how to admit a user to the site (by silent or manual sign-in). The actual name of this cookie is "MSPAuth". After a user is signed in to a participating site, there are in effect two ticket cookies, one written by the participating site's domain and one written by the domain authority.

TimeWindow A period of time, in seconds, during which a user's most recent authentication must have occurred at the login server. TimeWindows help minimize the possibility of replay attack. Depending on the options, the user must either have silently or manually refreshed credentials after the TimeWindow.

Sites that implement secure authentication for their Passport users will be required to make the following changes:

  • Upgrade to version 2.0 (or later) of the Passport SDK. Note that Passport SDK version 2.1 is the current version, and use of this version is highly recommended.
  • Use the new SecureLevel parameter (set its value to 10 or 100) with the IsAuthenticated, AuthURL2, LoginUser, and LogoTag2 methods. In addition, setting the bSecure parameter to True is recommended so that the Sign-in button image is also served via HTTPS. This eliminates warnings about displaying nonsecure content.
  • If cobranding is implemented, create versions of their cobranding files, which must be located on secure servers (accessible via SSL).
  • Host at least one secure page (accessible via SSL) to use as the return URL for secure sign-in requests.
  • Following recommendations for Sign-out functionality is highly recommended. See the Passport SDK help for details.

Secure Sign-in and ASP

The primary COM object for most sites using .NET Passport is Passport.Manager, a server-side object for .NET Passport single sign-in (SSI) and profile services. Supporting secure sign-in means using the SecureLevel parameter in four functions: IsAuthenticated, AuthURL2, LoginUser, and LogoTag2. These are also the most frequently used functions for standard sign-ins.

Here's the syntax of IsAuthenticated:

bValue = PassportManager.IsAuthenticated([TimeWindow], [ForceLogin], [SecureLevel])

This function returns true if the user has been authenticated and his TimeWindow has not expired. If you set the ForceLogin parameter to True, then the user has to log back into the page for every access, even if their TimeWindow hasn't expired. This method uses parameters similar to the other calls listed here (see Figure 1).

Figure 1 Parameters of Login Functions

Name Data Type Default Range Description
TimeWindow Integer 14,000 20 to 2,678,400 Interval in seconds during which the user must have last signed in. If TimeWindow is left empty, then it uses the registry default.
ForceLogin Boolean, Integer for .NET PassportIdentity False True or False Force user to re-login, even if the timeout did not expire.
coBrandArgs String Nothing NA Cobranding arguments (beyond the scope of this discussion).
lang_id Integer 1033 - US English Ranges of a standard LCID Language in which the login page should be displayed.
bSecure Boolean False True or False If True, the button's image will also be served through HTTPS.
NameSpace String Nothing NA Used only in special cases (beyond the scope of this discussion).
KPP Integer -1 or 0 0,1,2,3,4 Used only with Kids Passport service (beyond the scope of this discussion).
SecureLevel Integer 1 1,10,100 Declares one of three security levels.
ExtraParams String Nothing NA A string that may contain comma-separated name-value, specifically for .NET Passport-aware authentication interaction (beyond the scope of this discussion).

AuthURL2 is a sign-in alternative to LogoTag2, which displays a link that redirects to the Passport login page. The primary purpose of this function is to deal with Passport-aware applications, such as Microsoft Internet Explorer 6.0 on Windows® XP:

sValue = PassportManager.AuthURL2([returnURL], [TimeWindow], [ForceLogin], [coBrandArgs], [lang_id], [NameSpace], [KPP], [SecureLevel])

LoginUser takes the user directly to a Passport login screen. The user is logged in either by outputting a 302 redirect URL or by initiating a .NET Passport-aware client authentication exchange (including the Credentials Manager in Windows XP). Its format is:

PassportManager.LoginUser [returnURL], [TimeWindow], [ForceLogin], [coBrandTemplate], [lang_id], [NameSpace], [KPP], [SecureLevel], [ExtraParams]

LogoTag2 returns an HTML snippet which includes an image tag for a .NET Passport link. The link displays, in the language of the locale provided by the lang_id parameter, either a sign-in button if no valid ticket cookie is detected, or a sign-out if there is a valid ticket cookie:

sValue = PassportManager.LogoTag2([returnURL], [TimeWindow], [ForceLogin], [coBrandArgs], [lang_id], [bSecure], [NameSpace], [KPP], [SecureLevel])

Parameters of Login Functions

In addition to the descriptions in Figure 1, two parameters are particularly relevant to this discussion and deserve more explanation. ReturnURL is an optional parameter that sets the URL to the place where the login server should redirect after sign-in is complete. Where applicable, default values of passport functions are not hardcoded values, but rather stored in the registry under the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Passport] registry key. You should call Server.URLEncode on any string you plan to use for a returnURL value to make sure it isn't garbled during Passport query string parsing. If you add your own query string variables to returnURL, you should use only one query string variable; avoid special characters that require separate encoding and don't use the reserved .NET Passport variable names t, p, and f. If you're going to a port other than port 80, you must specify the port in the URL; the URL must point to a named file (not just a root).

SecureLevel declares one of three security level options for the .NET Passport sign-in. These values are shown in Figure 2.

Figure 2 SecureLevel Options

Value Description
0 (or unspecified) The sign-in UI is served via HTTP from the .NET Passport domain authority (default). Note that with this option, there will still be an intermediate transition to HTTPS on the .NET Passport server side to enable writing a secure cookie that is set by domain authorities for the persistent sign-in option.
10 The sign-in UI is served via HTTPS from the .NET Passport domain authority. Requires that returnURL be an HTTPS URL; otherwise, the authentication will fail.
100 The sign-in UI is served via HTTPS from the .NET Passport domain authority, and the sign-in process now requires submission of a secure authentication PIN in addition to password.

Secure Sign-in and ASP.NET

The .NET Framework provides a wrapper around the PassportAuthentication COM module called (appropriately enough) PassportAuthenticationModule. Because it's a wrapper, you must still install the Passport SDK in order to use the .NET Passport classes and methods. While Passport SDK version 1.4 is supported, it's not recommended for use. Passport SDK versions 2.0 (and later) are both supported and recommended, and only version 2.0 or above is supported under Windows XP.

PassportIdentity is a class used by PassportAuthenticationModule. To use this class, you have to import the System.Web.Security namespace in your code. The methods exposed by PassportIdentity closely resemble those of Passport.Manager. In some methods of this class, the corresponding Passport method has optional parameters. Whenever one of these optional parameters is integral or Boolean, you can pass -1 (or True) to indicate that Passport should use the default value. Similarly, to use the default value for an optional string parameter, you can pass a null reference (or Nothing in Visual Basic®).

Developing in ASP

Now compare the simplest ASP pages that implement both standard and secure sign-ins. All this sample does is display a Sign In button; once the user is authenticated with Passport it displays a Sign Out button.

First, take a look at standard sign-in. Figure 3 shows the basic code you need on an ASP site to enable Passport. The simplest page to enable secure sign-in using ASP is not much more complicated (see Figure 4). Note that there are more parameters to be used, the page is redirected to HTTPS, SecureLevel is set to 100, and the TimeWindow is set to 10,000 seconds so that it's not too small.

Figure 4 Secure Sign-in using ASP

<% Dim passportManager Dim strLogoTag 'We will use it for Passport 'generated HTML for "Sign-in" button. Dim redirectUR 'URL where Login server redirects. Dim TimeWindow 'interval during which the user 'must have last signed in Dim ForceLogin 'force user to relogin, if the timeout expired Dim bSecure 'if True button's image will also 'be served through HTTPS Dim SecureLevel 'Declares one of three security levels TimeWindow = 10000 ForceLogin = False bSecure = True 'HTTPS for image SecureLevel = 100 'Secure Sign-in with PIN 'Create Passport Manager object passportManager = Server.CreateObject("Passport.Manager") 'Create URL of redirection page 'We will be redirected back to this page 'and you can redirect to any page you'd like. redirectURL = Server.UrlEncode("https://" & _ Request.ServerVariables("SERVER_NAME") & _ Request.ServerVariables("SCRIPT_NAME")) 'For simplicity sake we are skipping some of the parameters. 'We will use only ones that are relevant to our discussion strLogoTag = passportManager.LogoTag2(redirectURL, TimeWindow, , , , bSecure, , , SecureLevel) 'Present Sign-in button for the user Response.Write(strLogoTag) %>

Figure 3 Standard Sign-in using ASP

<% Dim passportManager Dim strLogoTag 'We will use it for Passport 'generated HTML for "Sign-in" button. Dim redirectURL 'URL where Login server redirects. Set passportManager = Server.CreateObject("Passport.Manager") 'We will be redirected back to this page 'and you can redirect to any page you'd like. redirectURL = Server.URLEncode("https://" & _ Request.ServerVariables("SERVER_NAME") & _ Request.ServerVariables("SCRIPT_NAME")) strLogoTag = passportManager.LogoTag2(redirectURL) Response.Write(strLogoTag) %>

Developing in ASP.NET

Now take a look at how ASP.NET uses the .NET Framework to implement secure sign-in. The code, shown in Figure 5, is almost identical to secure sign-in with the PassportManager object. The few changes include a directive to import the namespace System.Web.Security, and a change in the declaration of the passportManager variable. Instead of initializing passportManager with a call to CreateObject, the code now calls New PassportIdentity. Finally, note that you must provide parameters for the login function so that .NET can properly determine which overloaded function should be used.

Figure 5 Secure Sign-in using ASP.NET

Imports System.Web.Security Public Class WebForm1 Inherits System.Web.UI.Page Private Sub Page_Load(ByVal sender As System.Object, _ ByVal e As System.EventArgs) Handles MyBase.Load Dim passportManager As PassportIdentity Dim strLogoTag As String 'We will use it for Passport 'generated HTML for "Sign-in" button. Dim redirectURL As String 'URL where Login server redirects. Dim TimeWindow As Integer 'interval during which 'the user must have last signed in Dim ForceLogin As Boolean 'force user to re-login, 'if the timeout expired Dim bSecure As Integer 'if True button's image 'will also be served through HTTPS Dim SecureLevel As Integer 'Declares one of three security levels TimeWindow = 10000 ForceLogin = False bSecure = True 'HTTPS for image SecureLevel = 100 'Secure Sign-in with PIN 'Create Passport Manager object passportManager = New PassportIdentity() 'Create URL of redirection page 'We will be redirected back to this page 'and you can redirect to any page you'd like. redirectURL = Server.UrlEncode("https://" & _ Request.ServerVariables("SERVER_NAME") & _ Request.ServerVariables("SCRIPT_NAME")) 'For simplicity sake we are defaulting some of the parameters. 'We will use only ones that are relevant to our discussion strLogoTag = passportManager.LogoTag2(redirectURL, TimeWindow, -1, Nothing, -1, bSecure, Nothing, -1, SecureLevel) 'Present Sign-in button for the user Response.Write(strLogoTag) End Sub End Class

Applying Passport to the Real World

A simple example of Passport-aware site might have only two pages. For instance, I could have LoginPage.asp and DoBusinessPage.asp on my site. In LoginPage.asp, I would authenticate users and redirect them to DoBusinessPage.asp. If an unauthenticated user somehow ends up on DoBusinessPage, he would be redirected to LoginPage. Here's pseudocode for LoginPage.asp:

••• 'Authenticate user and redirect to DoBusinessPage.asp Response.Write(passportManager.LogoTag2("https://localhost/ MyBusiness/DoBusinessPage.asp")) •••

Here's the pseudocode for DoBusinessPage.asp:

••• If Not passportManager.IsAuthenticated() Then 'Redirect user to login page Response.Redirect("https://localhost/MyBusiness/LoginPage.asp") Else 'Do business with the user •••

Of course, sites rarely have just two pages. Most minimal e-commerce sites have multiple pages for shopping cart, order status, order history, and so on. You should include Passport authentication functionality on each of these pages if individualized authentication is required. The Passport Adventure Works sample site makes clever use of the include directive, putting the authentication file into each ASP page that needs it, like so:

<!-- #INCLUDE File="https://localhost/MyBusiness/LoginPage.asp" -->

In ASP.NET, you could develop the authentication module the same way, then call it in the Page_Load event of each Web Form that requires authentication. You must also make sure that the AUTHENTICATION section of your Web.config file is set to use Passport, like so:

<!-- AUTHENTICATION This section sets the authentication policies of the application. Possible modes are "Windows", "Forms", "Passport" and "None" --> <authentication mode="Passport" /> https://localhost/MyBusiness/Login.vb

Figure 6 shows a more complete implementation of Passport authentication for an ASP.NET site. Once you've implemented this Login module, you can easily call it wherever necessary, as you can see in Figure 7.

Figure 7 Calling the Login Module

Imports System.Web.Security Public Class DoBusinessWebForm Inherits System.Web.UI.Page Private Sub Page_Load(ByVal sender As System.Object, ByVal e As _ System.EventArgs) Handles MyBase.Load if(Not Authenticated(Request, Response, Server)) Response.Write("Click the .NET Passport logo to sign in.") Else Response.Write("You made it to our business page") End If End Sub End Class

Figure 6 More Complete ASP.NET Implementation

'An example of separating login functionality from your pages. This would 'help you to localize all the login functionality in one place Imports System.Web.Security 'Namespace containing .NET wrapper for 'PassportManager object Imports System.Globalization 'This namespace helps to globalize your site Module Login 'Function Authenticated(...) returns True, if user is authenticated 'If user is NOT authenticated it displays "Sign-In" button on the page 'that calls it. As an alternative you can change this function to 'return String that would contain "Sign-In"'s button HTML fragment. 'Later would give you better control of the button's placement on 'your page. Public Function Authenticated(ByVal Request As HttpRequest, ByVal _ Response As HttpResponse, ByVal Server As HttpServerUtility) _ As Boolean Dim passportManager As PassportIdentity Dim strLogoTag As String 'We will use it for Passport generated 'HTML for "Sign-in" button. Dim redirectURL As String 'URL where Login server redirects. Dim TimeWindow As Integer 'interval in seconds during which 'the user must have last signed in Dim ForceLogin As Integer 'force user to re-login, if the timeout 'expired Dim bSecure As Integer 'if True button's image will also be 'served through HTTPS Dim SecureLevel As Integer 'Declares one of three security levels Dim coBrandArgs As String Dim lang_id As Integer Dim sNameSpace As String Dim KPP As Integer Dim redirectPrefix As String ForceLogin = False coBrandArgs = Nothing sNameSpace = Nothing KPP = -1 'Figure out language id 'If your locale option is not "English(United Sates)" 'and you get text ".NET Passport" in place of the 'localized button than the button is not available in your locale. Dim Culture = New CultureInfo(Request.UserLanguages(0)) lang_id = Culture.LCID() ' Check if over SSL If Request.ServerVariables("HTTPS") = "on" Then 'Page was served over SSL and we are going 'to use highest security level bSecure = True TimeWindow = 10000 'Longer time window is fine as SSL generally 'eliminates opportunity for replay attacks SecureLevel = 100 'Note once we have changed the security level we MUST use HTTPS redirectPrefix = "https://" Else bSecure = False TimeWindow = 300 'Shorter time window to increase security of 'Standard Sign In SecureLevel = 1 redirectPrefix = "https://" End If passportManager = New PassportIdentity() 'We will be redirected back to the page that has called 'this function - this is common practice for Sign-in. 'However you can redirect to any page you would like. redirectURL = Server.UrlEncode(redirectPrefix & _ Request.ServerVariables("SERVER_NAME") & _ Request.ServerVariables("SCRIPT_NAME")) If passportManager.IsAuthenticated() Then ' User is already signed in. we do not have to do anything Return True ElseIf passportManager.HasTicket Then 'Passport Ticket is present, but stale. Refresh it. passportManager.LoginUser(redirectURL, TimeWindow, _ ForceLogin, coBrandArgs, lang_id, sNameSpace, _ KPP, SecureLevel, Nothing) Else 'User is not Signed-in 'Lines below display Passport "Sign In" button Response.Write(passportManager.LogoTag2(redirectURL, _ TimeWindow, ForceLogin, coBrandArgs, lang_id, bSecure, _ sNameSpace, KPP, SecureLevel)) Return False End If End Function 'Do not forget to provide Sign-out functionality for your site 'as described in Passport SDK Help file. 'Another way to Sign-out would be to close your browser. End Module

Conclusion

Secure Passport authentication is possible on your site, and in fact doesn't take as much extra work as you might think. You need to get a valid certificate (details can be found in the Step-by-Step Guide to Certificate Service Web Pages), and make sure that your Web server is set up to serve SSL pages. From there you can use both ASP and ASP.NET to keep your customers' data secure even as Passport sign-in makes their experience smoother. For more information on Passport, see the .NET Passport Service Guide Kit.

For related articles see:
Handling Passwords

Michael Kogotkov-Lisinis a Senior Software Development Consultant with Microsoft Consulting Services. He specializes in .NET and SQL Server development. In his free time, he enjoys catching up with the ever-changing technology. You can reach Michael at mkogotk@hotmail.com.