|
| |
|
Shopping Security with Passport Express Purchase |
|
|
|
 |
|
|
Time Windows
Like any site using the Microsoft® Passport
single sign-in (SSI) service, the Passport express purchase (EP) service
uses time windows to check sign-in credentials, in order to prevent replay
attacks and other security threats. While the user is connected to the
Passport EP service, three different time windows protect the user's
security while maintaining an easy user experience. If any of these time
windows is exceeded, the standard Passport sign-in form is displayed and the
users must manually sign in again to continue. You may want to make users
aware of these time windows when connecting them to Passport EP; time-window
and security requirements are also documented for users on the Passport EP
service itself.
The three time windows are:
-
Basic window: 5 minutes.
This window is checked when the user arrives at the Passport EP service.
This represents the maximum amount of time that is allowed since the last
Passport sign-in at the Login server. If less than five minutes, the
refresh can be done silently. If over five minutes, the Wallet server
forces the user to sign in again.
-
Transaction time window: 10 minutes.
After the basic time window is satisfied, a user has a
ten-minute window in which to complete all requested transactions with the
participant site that referred him to the EP service. This allows adequate
time to make multiple purchases from the same participant site. This timer
is reset with every new page view, and also when the user clicks the
Continue or Cancel button to return to that specific
participant site.
-
Activity time window: 15 minutes.
After the initial sign-in to Passport EP, the activity
window allows fifteen minutes of continuous use of the wallet without
requiring the user to sign in again. This time allows for initial wallet
creation or editing. This timer is reset with every new page view, and
also when the user clicks the Continue or Cancel button to
return to a participant site.
|
Secure
Sockets Layer
SSL (Secure Sockets Layer) enables the exchange of
personal user data in a secure manner. It is an absolute requirement that
each participant site be capable of serving SSL pages, images and other
material in order to send users to the Passport EP service and to obtain
transaction information from users. SSL is not a Microsoft-specific
technology and is widely used in current e-commerce applications. SSL is
compatible with all major browsers (version 3 or later).
|
Card Numbers Not Fully Displayed
After a user's card number has been entered initially, the
user's full card number is never displayed again on Passport EP service
pages, unless a new card number is being entered. Instead, only the first
six digits are displayed. This prevents card numbers from being viewable on
screen by others in public places, in most situations.
|
|
