April 2002

.NET Passport Simplifies E-Commerce User Management



Participating Web sites display an official .NET Passport Sign In link, which Figure 2 shows. When a user clicks the link, the Web site uses the HTTP redirect method to redirect the user's browser to the .NET Passport Login server. The redirect includes a Login-server URL (e.g., http://login.passport.com/login.srf) followed by a query string. The query string starts with a question mark (?) and contains the Web site's language code, ID, return URL, and other data that the Login server needs. The Login server uses the ID and return URL to verify that the Web site is registered with .NET Passport, then displays a standard .NET Passport sign-in page. The Web site can cobrand this page, as Figure 3, page 32, shows. A cobranded sign-in page includes the participating Web site's logo, custom page layout, and other information. (Web sites can also embed the sign-in dialog box within their sites, a method that Microsoft calls inline sign-in.)

The user enters his or her .NET Passport credential (i.e., email address and password) in the .NET Passport Sign-in dialog box. If the user has signed in to .NET Passport before this particular Internet session, the browser remembers and automatically enters the user's email address unless the user selected the I'm using a public computer check box in the Sign-in dialog box, in which case the browser didn't record the email address. If the user selects the Sign me in automatically check box, the browser remembers the user's credentials so that the user won't need to enter a password manually the next time he or she signs in.

After entering the credential, the user clicks Sign In in the Sign-in dialog box. This action creates a user-authentication request, uses the HTTP POST method to post the credential information to the request, establishes an SSL connection with the .NET Passport Login server, then submits the user-authentication request and encrypted credential to the Login server. The sign-in page always communicates with the Login server through SSL, and the participating Web site doesn't receive the credential—only the Login server does.

The Login server then authenticates the credential against the .NET Passport account database and determines whether a database entry matches the credential. If a user enters the wrong password five consecutive times, the Login server locks the account for 5 minutes. After a successful authentication, the Login server extracts the PUID and appropriate user-profile information (according to the information that the user agreed to release to participating Web sites) from the database. The Login server creates five .NET Passport cookies, then writes them to the user's browser so that during the Internet session the server can identify the user's PUID, last sign-in time, a list of the sites to which the user has signed in, the user-profile information, and other user-provided information. The Login server encrypts the PUID, last sign-in time, and user-profile information in the cookies. The Login server then redirects the user's browser to the return URL. The Login server encrypts the PUID and shareable user-profile information through the Web site's .NET Passport-assigned site-encryption key, then adds the encrypted PUID and information to the query string that it sends to the return URL.

The Web site extracts the encrypted PUID and user-profile information from the query string, then uses its site-encryption key to decrypt the information. The Web site then creates and encrypts two site-specific .NET Passport cookies containing the user's PUID, sign-in time, and profile information and writes the cookies to the user's browser. The Web site uses these two cookies during the current session.

After a user successfully signs in to a participating Web site, the site displays the official .NET Passport Sign Out link, which Figure 4 shows. The participating Web site, not .NET Passport, implements authorization or user access to specific resources or services on the site. For security purposes, an authenticated sign-in to a participating Web site has a limited lifetime—4 hours by default. When the lifetime expires, the user must sign in again.

After a user has signed in to .NET Passport at a participating Web site, the user doesn't need to reenter the credential at other participating sites the user visits during the current Internet session, unless the other Web sites require users to reenter sign-in information as an additional security measure. The Login server silently verifies additional sites, determines from the cookies in the user's browser that the user has already signed in, updates the cookies, then sends the encrypted PUID and shareable user-profile information to the additional sites as I described earlier.

To sign out, the user clicks the Sign Out link. The sign-out function instructs the Login server to delete the .NET Passport cookies and initiates a script that asks each visited site to delete the site-specific cookies. All .NET Passport cookies are temporary. Therefore, even if the user doesn't sign out, the user's browser will delete the cookies when the user closes the browser. However, if the user enabled automatic sign-in, he or she must click the Sign Out link to delete the cookies.

No direct communication occurs between a participating Web site and the Login server. All communication takes place through the user's browser (i.e., through HTTP redirects, query strings, and HTTP POST).
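The round trip described above (sign-in link with its query string, the Login server's check of the site ID and return URL, the five-strike lockout, the PUID and profile encrypted under the site-encryption key and returned in the query string, and the site-specific cookie with its 4-hour lifetime), as an added Python simulation that is not code from the article or from Microsoft. The query-parameter names, the SHA-256 keystream cipher standing in for the unnamed site-encryption algorithm, and the account store are all constructed assumptions.

```python
import hashlib, hmac, os
from urllib.parse import urlencode, urlparse, parse_qs

LOGIN_URL = "http://login.passport.com/login.srf"              # Login-server URL named in the article
MAX_FAILS, LOCKOUT_SECS, SESSION_SECS = 5, 5 * 60, 4 * 60 * 60  # lockout rule and 4-hour sign-in lifetime from the article

def pw_hash(password):          # constructed stand-in for the password form stored in the account database
    return hashlib.sha256(password.encode()).hexdigest()

def site_cipher(key, nonce, data):
    """Constructed stand-in for the site-encryption-key cipher (the article names none): SHA-256 keystream XOR, symmetric, no integrity check, not for real use."""
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def sign_in_link(site_id, return_url, lc="1033"):
    """Participating site: the redirect target is the Login-server URL plus a query string (language code, ID, return URL; names assumed)."""
    return LOGIN_URL + "?" + urlencode({"lc": lc, "id": site_id, "ru": return_url})

class LoginServer:
    def __init__(self, accounts, sites):
        self.accounts, self.sites, self.fails = accounts, sites, {}   # fails: email -> (count, locked_until)

    def login(self, redirect_url, email, password, now):
        """Check the site registration, authenticate the credential, redirect back with the encrypted PUID/profile."""
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        site = self.sites.get(q.get("id"))
        if site is None or site["ru"] != q.get("ru"):
            raise PermissionError("site ID / return URL not registered with .NET Passport")
        count, locked_until = self.fails.get(email, (0, 0))
        if now < locked_until:
            return None                                        # locked for 5 minutes after 5 consecutive bad passwords
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(acct["pw_hash"], pw_hash(password)):
            count += 1
            self.fails[email] = (0, now + LOCKOUT_SECS) if count >= MAX_FAILS else (count, 0)
            return None
        self.fails.pop(email, None)
        nonce = os.urandom(8)                                  # constructed: keeps the toy keystream unique per redirect
        blob = site_cipher(site["key"], nonce, f"{acct['puid']}|{now}|{acct['profile']}".encode())
        return q["ru"] + "?" + urlencode({"t": (nonce + blob).hex()})  # only ever travels via the user's browser

def accept_return(site_key, url):
    """Participating site: decrypt PUID, sign-in time and profile from the query string; build the site cookie."""
    t = bytes.fromhex(parse_qs(urlparse(url).query)["t"][0])
    puid, signed_in, profile = site_cipher(site_key, t[:8], t[8:]).decode().split("|")
    return {"puid": puid, "profile": profile, "expires": int(signed_in) + SESSION_SECS}

def session_valid(cookie, now):
    return now < cookie["expires"]                             # after the 4-hour lifetime the user must sign in again
```

A site that does not hold the matching site-encryption key cannot recover the PUID from the returned query string, which is what makes the per-site key, rather than the browser hop, the trust boundary in this flow.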

Increasing Sign-In Security
.NET Passport calls the basic sign-in procedure I've described a standard sign-in. The standard sign-in contains a security risk: Cookie delivery is through clear text rather than HTTP over Secure Sockets Layer (HTTPS), so an intruder could capture the .NET Passport cookies as they pass from the Login server or Web site to the browser. The intruder could then impersonate a user within the Web site's defined authentication time window, thus performing a replay attack against the Web site. To avoid such a problem, .NET Passport 2.0 (the most recent version at the time of this writing) supports two secure sign-in methods: secure channel sign-in and strong credential sign-in.


