Microsoft offers personal digital ID cards
Amid growing concerns and real-world problems with identity management and theft, Microsoft is once again trying to tackle the complex issue of ID cards and digital ID management with Vista and CardSpace.
Identity and the internet are not words that sit well together for many people. The internet has changed the way people interact with systems for work and leisure.
People are increasingly able to log into their office computers from anywhere in the world. At the same time, they are taking advantage of online shopping to order cheaper goods and using online banking to avoid charges and the problems of getting to banks.
The problem with all of this is identity. How do you prove who you are? How does your office server know to trust you? How can you be sure that the site you are connecting to is legitimate? Identity theft via the internet is a global business and affects both individuals and businesses.
Every month brings reports of new phishing sites that are trying to get hold of your details. This is causing chaos for users and businesses and has resulted in something of a crisis of confidence in the security of the internet. Changing passwords regularly is no guarantee of safety as keyboard logging software will harvest the password right from your machine. What has been missing is a solution that is immune from the bad guys but at the same time is simple and easy to use.
The role of InfoCard
Microsoft has been active in InfoCard from the start and recently revamped and renamed its InfoCard product to Microsoft CardSpace. It will introduce CardSpace with Windows Vista and provide versions for Windows XP and Windows Server 2003.
One of the things underpinning InfoCard is something called the Laws of Identity. These are:
Like all "laws" there is a lot of detail hidden by these headings. In a nutshell what this means is that:
The problem with most computer solutions is that they end up being pretty complicated. The designers of InfoCard have designed a solution that is pretty simple to make sense of. There are two ways of using the service: with a self-issued card or with one provided by a third party such as your employer, bank or similar. You then go through a simple process to identify yourself.
Cards issued to you
Most of this is done behind the scenes, with the user simply having to connect to the RP (the relying party), choose a card and then provide their authentication if this is an issued card. All of the communication is done over secure internet connections. You don't type anything other than your authentication code, if required, leaving little or nothing for the hacker to steal. What could be simpler?
This is where the whole InfoCard project shows its strength. The fact that you can create your own InfoCards rather than go through third parties allows you to create as many digital identities as you want. People are used to having different personas or identities when they access various internet systems and InfoCard does not change that approach.
InfoCard has another key advantage. When the RP sends back what information it needs, you get to see what data it is requesting and you can, if you wish, simply create an InfoCard for that particular service.
InfoCard and its role in IT policy
So what is Microsoft adding to InfoCard under its CardSpace banner?
Whenever the user is working with an InfoCard they will find themselves put into a separate desktop and using a very restricted account. You will not be able to move between your normal desktop and the CardSpace environment. This will make it exceptionally hard for hackers to try and screen grab or harvest passwords using keystroke logging software.
What you will have to do is upgrade to Internet Explorer 7, which automatically recognises InfoCard requests, and this might just be a sticking point for many on Windows XP.
Alongside this is the need for developers to understand how to write systems that will accept InfoCards. Microsoft is currently pushing out a lot of information on its MSDN web site about how to do this. Ultimately, this might be the limiting factor in the adoption of InfoCard and CardSpace services. Developers don't like messing with authentication mechanisms and corporate IT departments get very nervous about the thought of weakening security.
For once, those concerns need to be overridden and pilot projects started. This really does have the ability to improve security and Microsoft is already talking to a number of online retailers about adding InfoCard support to their web sites.