TODD BISHOP EXPLAINS INFOCARDS

Todd Bishop at the Seattle Post-Intelligencer published this article this morning:

SAN JOSE, Calif. — Microsoft Corp. is set to take another crack at creating a uniform way for people to log on to Web sites, conduct transactions and prove their identities online.

Code-named InfoCard, the project will be outlined by Microsoft executives at the RSA computer security conference here this week. It reflects a change in approach for the company after its Passport initiative fell far short of the original goal of becoming a universal method of identification on the Internet.

Unlike Passport, the InfoCard project is meant to work with a variety of online identity providers, not just one. Microsoft hopes to persuade governmental agencies, banks, online services and others to issue digital cards that people could use to establish different levels of identity for themselves at online sites.

The project is only one of many approaches to online identity across the industry, and analysts say Microsoft faces significant challenges as it tries to make InfoCard widely used. But it's one of the company's biggest moves in the field since Passport's launch more than five years ago.

Passport remains in place, but primarily as an identity service for Microsoft sites, not as a central identity provider for accessing sites across the Internet.

“No one has sufficient trust of any one organization to put all their eggs in that one basket,” explained Richard Turner, program manager for Microsoft's Web services strategy, calling it a lesson learned by the company. “There will be multiple issuers of identity out there on the Internet. Passport is just one of those.”

Reflecting that notion, Microsoft's InfoCard project creates a program akin to a virtual wallet on the PC, designed to let people securely store and distribute various forms of online identification, represented on-screen as cards.

The company says users would log in to a site by clicking on one of the cards, reducing the need to type in a user name and password. The InfoCard program would securely retrieve the necessary digital credentials from an identity provider, then forward them to the site to authenticate the user's identity.

People would be able to create their own virtual cards inside the program for submitting basic log-in information to Web sites.

But Microsoft's InfoCard concept also faces competition. A variety of alternative approaches are expected to be on display at this week's conference.

In the latest example, VeriSign said Monday that eBay and Yahoo! had signed on as supporters of its new online authentication system, the VeriSign Identity Protection Network, which will include keychain-based tokens that generate passwords to be entered as part of the online authentication process.

For Microsoft's InfoCard project to work, the company would need to attract the interest of a variety of online identity providers and online sites that need to authenticate user identity. Turner says the company has received positive responses during discussions in recent months.

But not everyone is convinced that the concept will take off as Microsoft hopes.

“There has to be a few widely accepted cards — kind of the Visa and MasterCard of the identity world — and it's not clear that anyone wants that job,” said analyst Rob Helm, research director at Kirkland-based research firm Directions on Microsoft.

At the same time, Microsoft is in a more influential position than most because of the wide availability of its Windows PC operating system. The underlying software for InfoCard will be available as part of Windows Vista, due out later this year, and it's expected to be accessible through the company's Internet Explorer 7 browser. It will also be offered as an add-on for the current Windows XP.

The company also has set up its new WinFX software development system to let outside programmers incorporate InfoCard into Windows-based programs.

Microsoft's concept of a virtual wallet where people can select and control their online identities makes sense for individual computer users, said Roger Sullivan, vice president of the Liberty Alliance, a digital identity consortium formed in part out of concerns over Microsoft's original Passport vision.

But Sullivan, who is also vice president of business development for Oracle Corp.’s identity management solutions, said he believes stronger authentication would be needed “in the context of large-scale, serious business transactions.” The Liberty Alliance focuses on standards for managing identity across different companies.

Microsoft acknowledged that InfoCard and the Liberty Alliance approach “address different parts of the digital identity problem.”

Microsoft has shown and distributed the InfoCard technology to developers, but it hopes to start winning broader industry support this week at the RSA security conference, where company Chairman Bill Gates is scheduled to give a keynote address this morning. Kim Cameron, Microsoft's architect for identity technology, is scheduled to discuss InfoCard and related concepts at two sessions during the week.

The company says it has incorporated a variety of security protections into the InfoCard system. The program runs in a secure on-screen overlay separate from the standard PC desktop, reducing the chances of infiltration by spyware or other online threats. Also, the cards from identity providers wouldn't store sensitive data on the PC. Instead, they would provide a way of retrieving data from those providers when needed, cutting the potential security risk.

At the same time, the company says it doesn't want InfoCard to be the only program of its kind. The program uses non-proprietary communications standards, and Microsoft says it would like to see the people and companies behind other operating systems, such as Linux and Apple's Mac OS X, create their own programs similar to InfoCard, to make the approach more common.

The approach “essentially adds an identity layer to the Internet,” said Microsoft's Turner, calling such a layer sorely needed in today's online world.

HOW IT WORKS

Microsoft's InfoCard is a virtual representation of a person's various online identities in an on-screen program that runs in a secure overlay separate from the regular PC desktop.

Under the company's plan, computer users would create some cards for themselves, entering information for logging into Web sites. Other cards would be distributed by identity providers — such as banks or governmental agencies or online services — for secure online authentication of a person's identity.

To log in to a site, computer users would open the InfoCard program directly, or using Microsoft's Internet Explorer browser, and then click on the card that matches the level of information required by the site. The InfoCard program would then retrieve the necessary credentials from the identity provider, in the form of a secure digital token. The InfoCard program would then transmit the digital token to the site to authenticate the person's identity.

RSA 2006

Follow the news from the RSA security conference in San Jose, Calif., this week in the Seattle P-I and on Todd Bishop's Microsoft blog.

Published by Kim Cameron
