
Microsoft offers personal digital ID cards

Amid growing concerns and real-world problems with identity management and theft, Microsoft is once again trying to tackle the complex issue of ID cards and digital ID management with Vista and CardSpace.

Identity and the internet are not words that sit well together to many people. The internet has changed the way people interact with systems for work and leisure.

People are increasingly able to log into their office computers from anywhere in the world. At the same time, they are taking advantage of online shopping to order cheaper goods and using online banking to avoid charges and the problems of getting to banks.

The problem with all of this is identity. How do you prove who you are? How does your office server know to trust you? How can you be sure that the site you are connecting to is legitimate? Identity theft via the internet is a global business and affects both individuals and businesses.

Every month brings reports of new phishing sites that are trying to get hold of your details. This is causing chaos for users and businesses and has resulted in something of a crisis of confidence in the security of the internet. Changing passwords regularly is no guarantee of safety, as keystroke logging software will harvest the password right from your machine. What has been missing is a solution that is immune from the bad guys but at the same time is simple and easy to use.

The role of InfoCard

Microsoft has been active in InfoCard from the start and recently revamped and renamed its InfoCard product to Microsoft CardSpace. It will introduce CardSpace with Windows Vista and provide versions for Windows XP and Windows Server 2003.

One of the things underpinning InfoCard is something called the Laws of Identity. These are:

Like all "laws" there is a lot of detail hidden by these headings. In a nutshell what this means is that:

The problem with most computer solutions is that they end up being pretty complicated. The designers of InfoCard have designed a solution that is pretty simple to make sense of. There are two ways of using the service - with a self-issued card or one provided by a third party such as your employer, bank or similar. You then go through a simple process to identify yourself.

Self-issued cards

Cards issued to you

Most of this is done behind the scenes, with the user simply having to connect to the relying party (RP), choose a card and then provide their authentication if this is an issued card. All of the communication is done over secure internet connections. You don't type anything other than your authentication code, if required, leaving little or nothing for the hacker to steal. What could be simpler?

This is where the whole InfoCard project shows its strength. The fact that you can create your own InfoCards rather than go through third parties allows you to create as many digital identities as you want. People are used to having different personas or identities when they access various internet systems and InfoCard does not change that approach.

InfoCard has another key advantage. When the RP sends back what information it needs, you get to see what data it is requesting and you can, if you wish, simply create an InfoCard for that particular service.

InfoCard and its role in IT policy

So what is Microsoft adding to InfoCard under its CardSpace banner?

Whenever the user is working with an InfoCard they will find themselves put into a separate desktop and using a very restricted account. You will not be able to move between your normal desktop and the CardSpace environment. This will make it exceptionally hard for hackers to try and screen grab or harvest passwords using keystroke logging software.

What you will have to do is upgrade to Internet Explorer 7, which automatically recognises InfoCard requests, and this might just be a sticking point for many on Windows XP.

Alongside this is the need for developers to understand how to write systems that will accept InfoCards. Microsoft is currently pushing out a lot of information on its MSDN web site about how to do this. Ultimately, this might be the limiting factor in the adoption of InfoCard and CardSpace services. Developers don't like messing with authentication mechanisms and corporate IT departments get very nervous about the thought of weakening security.

For once, those concerns need to be overridden and pilot projects started. This really does have the ability to improve security and Microsoft is already talking to a number of online retailers about adding InfoCard support to their web sites.
