Microsoft to flash Windows ID cards

Developers to get peek at InfoCard tech for ID management in Windows, as Microsoft moves on from much maligned Passport.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.

Microsoft is getting ready to provide an early peek at new Windows software that aims to help consumers deal with the plethora of Internet logins.

The Redmond, Wash.-based software giant plans to release a technical preview of the software, code-named InfoCard, by the end of May, Microsoft said. It will also include other technologies designed to make using digital identities easier and safer, Microsoft's senior executive in charge of security, Mike Nash, said Tuesday.

The release is for software developers, who will be asked to give Microsoft feedback on the technology, Nash said during his monthly security Webcast. In addition to InfoCard, Microsoft is also planning preview releases of technologies that it is pitching to enable the various identity systems used on the Internet to work together, he said.


What's new:
Microsoft is getting ready to give developers a peek at its InfoCard identity management software for Windows.

Bottom line:
It's a step forward for InfoCard, Microsoft's second attempt at an authentication technology after its largely failed Passport.

"One of the big challenges that people face today is that there are many different kinds of identity systems," said John Shewchuk, an architect in Microsoft's distributed systems group, who was also on the Webcast.

In a similar vein, Microsoft and Sun Microsystems last week demonstrated "single sign-on" software under development that's designed to let someone log in once to use network services that previously required separate authentications.

InfoCard will be the most visible of Microsoft's efforts to PC users. It is designed to provide secure storage for identity information that will be shared with online services such as Web stores.

The plans are reminiscent of Microsoft's largely failed efforts with Passport, a single sign-on service it unveiled in 1999. InfoCard is a new attempt, one that could address the complaint many critics had with Passport, which was that people's information was managed by Microsoft instead of by the users themselves and the businesses they dealt with.

The developer preview is important as Microsoft moves from just talk to actually sharing some of the work in progress.

How will it work?

InfoCard on your PC will hold personal data such as login names, passwords and information for making payments. This example deals with buying a CD online with a Web store and bank that support the technology.

• InfoCard takes care of logging you in to the online music store.

• After you place an order, the store connects with InfoCard on your PC using Web services.

• You're then prompted with a request to choose how you want to pay. This is based on the information InfoCard holds for you, which could include credit card or bank account numbers. Personal data, such as the credit card information, can be stored on your PC or at sites that you authorize.

• Once you've selected how you will pay, your PC will connect with the bank or credit card issuer and request payment to the music store.

• The store will get confirmation that it will be paid either directly from the bank or credit card company or through you. The store will never have seen your financial information.

InfoCard holds payment authorization and details in the same way that a wallet holds credit cards, according to the software maker. "It makes it supereasy for the end user to pick among their different kinds of credentials," Shewchuk said.

With InfoCard, the online buying experience would change. When a user buys a book online, for example, the Web store would ping the user's InfoCard application on the user's PC for payment. The user then authorizes payment, which is routed to the applicable financial institution. The bookstore does not need to know the user's credit card number or financial data.

For InfoCard to work well, commerce Web sites will need to adopt the technology, as will other businesses, such as credit card companies and banks, Microsoft said.

But InfoCard's use will not be limited to storing and supplying ID information for making online payments or logging in to Web sites, Microsoft said. The first version will also support other authentication technologies, such as the X.509 certificates used for smart cards, according to Shewchuk.

Insiders expect InfoCard to be part of Longhorn, the next major release of Windows due next year, but Michael Stephenson, a director in Microsoft's Windows Server group, said the company does not yet have concrete delivery plans for the technology.

When it pitched Passport six years ago, Microsoft envisioned thousands of online stores and other services using the system, which would let people sign on using the same username and password used for Microsoft services.

The market largely rejected Passport as the system's security was tested by hackers and scrutinized by privacy watchers who did not like the idea of Microsoft holding user information in its own databases. Potential partners, such as e-commerce sites, also balked at the idea.

Regulators in the U.S. and Europe eventually put restrictions on Microsoft and Passport, which today is used primarily as a login system for Microsoft services.

InfoCard is different than Passport, said Jonathan Penn, an analyst at Forrester Research. "They have learned their lesson. With InfoCard the controls are supposed to be put in the user's hands," he said.

The authentication technology is part of a larger Microsoft identity management plan. Last week at the Digital ID World conference in San Francisco, executives described the company's Identity Metasystem. This architecture is designed to lie on top of the patchwork of identity systems that exist on the Internet, to make it possible for them to talk to one another.

The Identity Metasystem will support all the major identity technologies, Microsoft said. This includes some that have been developed by traditional Microsoft rivals, such as SAML, or Security Assertions Markup Language, which includes the Liberty Alliance specifications for identity federation.

Though Microsoft may have tackled, in its new ID management effort, the stumbling block that stymied its Passport push, the new technology could run into a different sort of problem, Penn said.

"Microsoft is not going to be holding your credentials, but they are developing a system upon which the security of your credentials is reliant," Penn said. "InfoCard is going to be one of those services that hackers are going to try to get part of."