InfoCard to Aid Online Log-On
Oct. 17, 2005
Better security and user convenience are goals of a forthcoming Windows service code-named InfoCard, a planned user interface for user log-on and data submission to online services. Available in previews of Windows Vista and in the WinFX Runtime Components on Windows XP and Windows Server 2003, InfoCard could help prevent "phishing" thefts of user data and other threats that plague Web-based services today. However, InfoCard will need to recruit developers to deliver compatible client applications and online services, and key support infrastructure is at least two years away.

Consistency for Online Log-On and User Data

InfoCard is a Windows service triggered by a client application whenever a user needs to log on to or submit data to an online service. For example, the user of a mapping application might employ InfoCard to log on to an online service for map data, or to submit a home postal code to the service.

To log on or submit data, the user selects from a list of digital "cards" stored on her computer. (See the illustration "Selecting a Card with InfoCard".) Each card represents a set of log-on credentials (e.g., username and password) or a collection of other personal data which the user can submit to a service.

In the simplest case, the user creates all of her own cards, filling each with relevant credentials or user data, then selecting a card that will send credentials or data to services that request them. For example, a user might create a card for a subscription publication site with a username and password for the site. InfoCard stores encrypted data from such self-issued cards on the user's computer.

However, InfoCard also supports cards issued by outside services called identity providers.
For example, MSN might act as an identity provider and issue cards for logging on to affiliated e-commerce sites, or a company might serve as an identity provider for its employees and issue them with cards for use on the extranets of the company's business partners. Such a card represents a user account at the identity provider, created through an enrollment process, and user data associated with the card is stored by the identity provider. When the user selects a card, the identity provider authenticates the user (possibly through a log-on dialog box) and, if the log-on is successful, releases the stored user data to the user for submission to an online service.

Identity providers could provide additional services, such as validating user data. For example, an employer acting as an identity provider for its employees could issue cards that verify name and employment status for its employees. Such validation could give online services more confidence in the data that users submit and help protect the online services against user identity theft. This is similar in concept to the validation provided by public certificate authorities, such as Entrust, Thawte, and VeriSign, or by the age-verification services that help filter visitors to adult entertainment sites.

Microsoft's planned Web services messaging technology, the Windows Communication Foundation (WCF, formerly code-named Indigo), will have built-in support for logging on to and submitting data to Web services with InfoCard. Client applications that access Web services via WCF can employ InfoCard through configuration files, with little or no additional code. (See the illustration "InfoCard Log-On to Web Services".)

Security, Convenience Benefits

InfoCard provides several potential benefits, including the following:

Protecting user data.
InfoCard provides some safeguards against "phishing" attacks, in which an attacker creates a fake version of a trusted online service (e.g., a banking Web site) to steal the personal data of users. For example, the online service name and logo displayed in the InfoCard selection dialog box must be digitally signed by the service owner. The InfoCard dialog box itself is more difficult to imitate than a Web form in a browser, complicating attacks that depend on imitating the Web user interface of legitimate sites. Also, the InfoCard window runs in an isolated mode that cannot receive Windows messages from other user processes, limiting attacks by viruses or worms that are running on the same client computer under a user's Windows account.

However, phishing will still be possible with InfoCard. For example, to be valid, the digital signature on an online service name and logo must have been created with a high-quality digital certificate, one that comes from a reputable certificate authority which has investigated the online service owner. If InfoCard or its users accept digital signatures from low-quality digital certificates, an attacker could simply sign the name and logo of a bank or other trusted online service with a low-quality certificate to create a legitimate-looking InfoCard dialog box. (This same loophole exists today in "secure" Web sites that use digital certificates with the Hypertext Transfer Protocol over Secure Socket Layer [HTTPS] protocol.)

Consolidation and validation of user accounts. InfoCard potentially enables users to employ a single card from a master identity provider to log on to multiple service providers. This has several benefits: the user doesn't have to retype personal data as often, and the identity provider can potentially validate the user data before they are submitted to online services, protecting the services against user identity theft.
However, user-account consolidation can happen only if trustworthy identity providers emerge and are supported by a large number of service providers and users. This won't happen immediately: the largest online service owners, such as Amazon, eBay, Google, MSN, and Yahoo, all prefer to function as their own identity providers so that they can employ user databases to cross-sell new services.

Client Applications, Services Needed

One obvious obstacle to InfoCard: No current client applications, even from Microsoft, use the InfoCard user interface, and no compatible online services allow InfoCard log-ons. In particular, no Web browser employs InfoCard, so InfoCard can't be used for Web sites, which make up the bulk of online services today.

Microsoft has released an InfoCard preview to get developers working on client applications, and Microsoft is reportedly considering building InfoCard support into Internet Explorer (IE) 7, the browser version slated for release in 2006. However, InfoCard support is not in current IE 7 preview builds.

Even if implemented in IE, InfoCard still faces some hurdles. Users already have a number of alternatives to avoid retyping passwords and other user data, including browser forms-completion and browser cookies, which store credentials and data on the user's machine. These are somewhat less secure than InfoCard, but users and online service owners might not be willing to install and learn a new mechanism to get the additional protection.

Similarly, Microsoft Passport and the Liberty Identity Federation Framework (ID-FF) have tried to help consolidate user accounts, either through centralizing user accounts on a single provider (Passport) or by enabling outside identity providers to serve multiple Web sites (Liberty). However, neither technology is widely used today by online services, in part because the owners of the most popular online services already have their own user authentication and data submission mechanisms.

Finally, important supporting pieces for InfoCard are at least two years away. InfoCard and the Windows Communication Foundation will ship in Windows Vista and the WinFX Runtime Components, most likely in 2006, and InfoCard developer tools and documentation are available now in a preview resource kit that will ship in final form about the same time as Vista. That resource kit also includes sample code for the security token service required by identity providers to support InfoCard. However, Microsoft doesn't intend to ship a fully supported, commercial identity-provider platform until after the 2007 release of Windows Longhorn Server, which means 2008 at the earliest, and 2009 if Microsoft holds off release until Longhorn Server R2.

And timing is unknown for some very important InfoCard deliverables from Microsoft: client applications and online services that support InfoCard.

Resources

A good InfoCard overview and more technical resources, including code samples, ship in the Federated Identity and Access Resource Kit for Sept. 2005 Community Technology Preview. Nonprogrammers will still benefit from the Programmer's Reference Guide of the kit, whose introductory chapter provides a well-organized introduction to the technology. See www.microsoft.com/downloads/details.aspx?familyid=66734401-4988-4ded-9876-3dc10223052c.

Several Microsoft identity management white papers are at msdn.microsoft.com/webservices/webservices/understanding/advancedwebservices/default.aspx.

Active Directory Federation Services and Microsoft's identity management strategy are discussed in "Windows Server 2003 R2 Identity Management" on page 3 of the Oct. 2005 Update.

The Liberty Alliance site is www.projectliberty.org.