Microsoft addresses Passport security fears

A whole raft of changes announced...

By Joe Wilcox

Published: 3 September 2002 08:40 GMT

Microsoft began notifying Passport users Monday night of changes that will give them more control over their accounts as well as increased privacy and security.

The changes could eliminate two of the biggest customer gripes against Passport: that users can create accounts using bogus email addresses, and that users cannot easily cancel accounts they no longer wish to keep.

Independent security analyst Richard Smith said: "Microsoft is just trying to clean up stuff. They're fixing some problems here in what is a natural evolution of Passport."

The software giant will begin making the account changes immediately but expects it to take several weeks before all Passport holders will have access to the new features.

The first change only affects new account holders, who will no longer be able to use a bogus email address to establish a Passport profile. Microsoft requires consumers to use an email address as their Passport ID, but had not mandated that the address be legitimate or belong to the account holder.

Consumers signing up for new Passports will now receive an email that requires them to validate receipt of the message to permanently establish the account.

A second change could bolster Passport security. Microsoft is moving all the information viewed in a web browser, such as the login page or member services, to servers hosted in a domain separate from the authentication components. That information would come from passport.net rather than passport.com. The two-domain mechanism will also eliminate the long, hard-to-decipher URL the user sees in the browser's web address bar.

Eliminating the long URLs is an important security enhancement, Smith said. "It's good that all that gobbledygook goes away because it makes it more difficult for the bad guys to redirect you to what appears to be a legitimate Passport site but is not."

The final change addresses one of the biggest gripes made about Passport, by consumers, privacy groups and even during Microsoft's antitrust case: account cancellation.

In theory, an account can be closed through Passport customer service, but some users have complained this isn't easy to do.

Microsoft will now provide a tool that will let Passport holders cancel their accounts online.
