Q&A: Advancing Identity Security on the Internet with “InfoCard” Technology

REDMOND, Wash., Feb. 14, 2006 – As the Internet plays an increasingly vital role in day-to-day consumer and business activities, concerns about online identity theft, fraud and privacy continue to escalate. Various organizations, businesses and federal regulators are calling for measures that help prevent the exploitation of personal information, such as passwords and credit card numbers. Many industry observers today worry that traditional authentication methods based on account names and passwords have grown inadequate for online activities, since they can be misused to extort personal information through “phishing” schemes. Current authentication methods also require consumers to maintain an ever-lengthening list of passwords, which can encourage insecure practices such as reusing account names and passwords across multiple Web sites.

The need for advanced online identity protection has prompted the industry to rethink the way digital identity is managed online. It also served as a catalyst for developing a new identity architecture known as the “identity metasystem,” which is designed to capitalize on and interoperate with various identity systems. Within the next year, Microsoft plans to release a set of technologies built on the identity metasystem, including “InfoCard,” the code name for a technology designed to simplify and improve the safety of accessing resources and sharing personal information on the Internet; and a new version of the Active Directory directory service, which will include an identity provider that integrates with the identity metasystem.

Microsoft Chairman and Chief Software Architect Bill Gates demonstrated “InfoCard” technology today during his keynote address at the RSA Conference 2006 in San Jose, Calif. Gates also announced that the latest versions of the company’s browser, Internet Explorer 7, will include support for “InfoCard.” 

PressPass sat down with Richard Turner, product manager for “InfoCard” at Microsoft, to learn more about the technology’s potential impact on identity security and why browser support for “InfoCard” is key to addressing the problem of online fraud.

PressPass: How does “InfoCard” technology address the challenge of online identity security?

Turner: We developed “InfoCard” in an effort to alleviate some of the problems that people face today in terms of online identity abuse. It’s currently very difficult for Internet users who aren’t tech-savvy to know whether the Web sites they’re visiting are dangerous, or whether they’re interacting with third parties who might be malicious. “InfoCard” reduces the reliance on username/password authentication with cryptographically strong claims-based authentication, helping to mitigate the risks of the most commonly deployed identity attacks and reducing the likelihood of personal information being lost via phishing schemes. We believe this is an important step in providing users with a safer, more secure online experience.

PressPass: What exactly is the identity metasystem, and what does it seek to accomplish?

Turner: The identity metasystem is a standards-based architecture for managing identity information on the Internet. Today, people are required to use multiple identities on the Internet. For example, a person might use one ID to identify themselves to their online email provider, another ID when logging into their frequent flyer account, and so forth. This reality, coupled with the fact that digital identities are based on various underlying technologies, implementations and providers contributed to the design goals of the identity metasystem. The metasystem takes a new approach to identity management on the Internet in several ways. First, it doesn’t store any personal information. This ensures that individual identity providers can decide how and where to store that information. Second, the identity metasystem provides an open architecture based on industry standard Web services, meaning that all identity providers can coexist with one another and have equal status within the metasystem. Finally, the open architecture of the identity metasystem also ensures that users remain at the center of all conversations, so that they remain in control of the release of their identity to parties they choose and trust.

PressPass: How does “InfoCard” technology fit into the identity metasystem?

Turner: “InfoCard” provides the consistent user experience required by the identity metasystem. It serves as a container, or selector, for a person’s digital identities. The benefit to the user is that this abstracts away the complexities of having to remember multiple digital identities on the Internet. “InfoCard” manifests as a sleek user interface, with individual cards represented graphically much like mini-ID cards. For example, you might have a card from a certain hotel chain identifying you as a preferred customer, a card issued by an airline identifying you as a frequent flier, a card issued by your employer, an online bank card and so forth. In addition to cards issued by trusted providers, a user can also create self-issued cards. Acting as the central agent in the conversation, “InfoCard” lets you choose the identity that’s appropriate to each transaction, gathers that card’s details from the issuing party, and coordinates sending a set of security claims, held within an identity token, to the Web site you’re dealing with, which we call the relying party. It’s important to note that all communications carried out by “InfoCard” use standards-based Web services protocols to ensure interoperability. That means anyone on any technology platform could build the infrastructure for a relying party or an issuing party, or even an identity selector like “InfoCard.”

PressPass: What’s the significance of Internet Explorer 7 providing support for “InfoCard” technology?

Turner: By adding “InfoCard” support to Internet Explorer 7, we’re integrating support for the identity metasystem straight to the user’s browser, as well as providing the means by which application developers can use “InfoCard” from within their own applications. Online fraud, phishing and various other forms of identity attack are among the biggest problems that Internet users face today. With Internet Explorer 7, we wanted to greatly reduce the possibility for someone’s identity to be compromised. To achieve that goal, the browser itself includes new features that, for example, help users recognize whether the Web sites they visit are known phishing sites, and alert users if a certain site is trying to download malicious software onto their PC. “InfoCard” technology adds an extra element of safety by providing a simple, secure and consistent experience that gives users control over the release of their identity information. This enables people to rely less on manually typing user names, passwords, and other identity-related information to access and interact with Web sites.

PressPass: Why is browser support of “InfoCard” important to solving the problem of online identity abuse?

Turner: “InfoCard” is largely about the Web-browser experience because that’s the primary way users interact with the Internet, and, not coincidentally, that’s where most identity fraud occurs. For example, many phishing scams trick customers into entering identity-related information like passwords and account information into fraudulent Web sites. These situations are caused largely by the fact that it’s not obvious to customers when they’re visiting a fraudulent site. We’re adding several features in Internet Explorer 7 that help alleviate fraud, such as a Phishing Filter, which warns customers about malicious Web sites. Separate technologies, such as Microsoft Windows Defender, help prevent malware from reaching PCs, while Microsoft OneCare protects PCs against viruses and detects malware. But users sometimes perform inadvertent actions that can result in identity abuse. By integrating “InfoCard” technology in the browser experience, we aim to simplify and improve the safety of accessing resources and sharing personal information on the Internet. We’re helping people be more confident that when they use the advanced features of Internet Explorer 7 along with fully integrated support for “InfoCard,” their identities are more secure than ever.

PressPass: What are the intended scenarios for “InfoCard” with Internet Explorer 7?

Turner: Essentially, “InfoCard” can play a role in any scenario where you’re browsing the Internet and you need to securely identify yourself in order to complete a given task, such as logging into a Web site, checking accounts, selling items, etc. In any scenario where you need to submit your identity in a secure manner to a third party on the Internet, “InfoCard” can be an easier choice than using a username/password or manually entering data into fields. This experience will be heightened in Internet Explorer 7 by means of the features I mentioned earlier, which add more value on top of protecting the user’s identity.

PressPass: What impact do you think “InfoCard” technology might have on consumers?

Turner: For the consumer, the biggest impact we foresee is increased confidence when browsing the Web, and having more visual cues available to help identify that the Web sites they’re visiting are the Web sites they intend to be visiting. Also, consumers can feel more confident knowing that their digital identity is stored securely and managed securely through “InfoCard,” and is not being inadvertently leaked or stolen. Another benefit for consumers is having a consistent and trusted user experience across Web sites. Today, there are many inconsistent ways of logging into Web sites. Many require different credentials, and virtually all forms of log-in are different. Whereas with “InfoCard,” you get the same look and feel each time. Plus you have the same level of control, regardless of which Web site you’re visiting and what you’re doing. For example, whether consumers log in with “InfoCard” or confirm a booking with “InfoCard,” they retain the same level of control over their identities.

PressPass: How do you believe the identity metasystem and “InfoCard” technology will affect developers and IT professionals?  

Turner: The main effect will be improved productivity, because the amount of time and effort required to build an effective identity-management solution is often colossal. With “InfoCard,” the developer simply adds a couple of tags to a couple of Web pages. This is intended to save them significant time, effort and money. Another advantage for developers and IT pros is the ease of developing applications and services using “InfoCard” technology and Windows Communication Foundation (WCF). We expect that developers will find that this model drastically reduces the amount of code required to enable secure identity features. Besides having to write a lot less code, they are likely to spend less time on deploying their solution and training people to use and support it. Over time, we expect that IT departments will build up a user base accustomed to the “InfoCard” experience. That consistency eases ongoing maintenance.

PressPass: What opportunities do you foresee for online merchants?

Turner: Online merchants that support “InfoCard” will be able to offer their customers improved security by providing applications that help protect users’ identities. They can also offer customers greater overall confidence by delivering applications that provide a standards-based, consistent identity model. In addition, online vendors can save time and effort involved in writing their own security infrastructure by supporting “InfoCard” technology.

PressPass: What’s the relationship between “InfoCard” and WinFX, the new programming model that Microsoft developed for Windows Vista?

Turner: “InfoCard” technology is part of WinFX – our next-generation programming model that also encompasses Windows Communication Foundation, Windows Presentation Foundation and Windows Workflow Foundation. Because WCF has explicit support for “InfoCard” technology, Web-services applications built using WinFX are quite easy to secure. As a result, application developers can provide users with a secure identity experience using very little code and effort.

PressPass: How do “InfoCard” technology and the identity metasystem align with Microsoft’s Active Directory roadmap?

Turner: Today at RSA, we’re announcing that Windows Active Directory will support “InfoCard” technology and identity metasystem protocols in the near future. New features being added to Active Directory in the Windows Server “Longhorn” wave will support integration with the identity metasystem, and will support issuing and managing “InfoCards” to help businesses establish smooth integration with their customers and partners.  Imagine, for example, that a major electronics outlet runs its business using Active Directory. Ultimately, this company will be able to issue its employees “InfoCards” validating that they are part of that organization. An employee could then use that card when logging onto her employer’s Web site from her home PC to, for example, get her 20-percent corporate discount.

Related Posts