May 18, 2005 4:00 AM PDT

Microsoft to flash Windows ID cards

Microsoft is getting ready to provide an early peek at new Windows software that aims to help consumers deal with the plethora of Internet logins.

The Redmond, Wash.-based software giant plans to release a technical preview of the software, code-named InfoCard, by the end of May, Microsoft said. It will also include other technologies designed to make using digital identities easier and safer, Microsoft's senior executive in charge of security, Mike Nash, said Tuesday.

The release is for software developers, who will be asked to give Microsoft feedback on the technology, Nash said during his monthly security Webcast. In addition to InfoCard, Microsoft is also planning preview releases of technologies that it is pitching to enable the various identity systems used on the Internet to work together, he said.


What's new:
Microsoft is getting ready to give developers a peek at its InfoCard identity management software for Windows.

Bottom line:
It's a step forward for InfoCard, Microsoft's second attempt at an authentication technology after its largely failed Passport.


"One of the big challenges that people face today is that there are many different kinds of identity systems," said John Shewchuk, an architect in Microsoft's distributed systems group, who was also on the Webcast.

In a similar vein, Microsoft and Sun Microsystems last week demonstrated "single sign-on" software under development that's designed to let someone log in once to use network services that previously required separate authentications.

InfoCard will be the most visible of Microsoft's efforts to PC users. It is designed to provide secure storage for identity information that will be shared with online services such as Web stores.

The plans are reminiscent of Microsoft's largely failed efforts with Passport, a single sign-on service it unveiled in 1999. InfoCard is a new attempt, one that could address the complaint many critics had with Passport, which was that people's information was managed by Microsoft instead of by the users themselves and the businesses they dealt with.

The developer preview is important as Microsoft moves from just talk to actually sharing some of the work in progress.

How will it work?

InfoCard on your PC will hold personal data such as login names, passwords and information for making payments. This example deals with buying a CD online with a Web store and bank that support the technology.

• InfoCard takes care of logging you in to the online music store.

• After you place an order, the store connects with InfoCard on your PC using Web services.

• You're then prompted with a request to choose how you want to pay. This is based on the information InfoCard holds for you, which could include credit card or bank account numbers. Personal data, such as the credit card information, can be stored on your PC or at sites that you authorize.

• Once you've selected how you will pay, your PC will connect with the bank or credit card issuer and request payment to the music store.

• The store will get confirmation that it will be paid either directly from the bank or credit card company or through you. The store will never have seen your financial information.

InfoCard holds payment authorization and details in the same way that a wallet holds credit cards, according to the software maker. "It makes it supereasy for the end user to pick among their different kinds of credentials," Shewchuk said.

With InfoCard, the online buying experience would change. When a user buys a book online, for example, the Web store would ping the user's InfoCard application on the user's PC for payment. The user then authorizes payment, which is routed to the applicable financial institution. The bookstore does not need to know the user's credit card number or financial data.

For InfoCard to work well, commerce Web sites will need to adopt the technology, as will other businesses, such as credit card companies and banks, Microsoft said.

But InfoCard's use will not be limited to storing and supplying ID information for making online payments or logging in to Web sites, Microsoft said. The first version will also support other authentication technologies, such as the X.509 certificates used for smart cards, according to Shewchuk.

Insiders expect InfoCard to be part of Longhorn, the next major release of Windows due next year, but Michael Stephenson, a director in

Not again.....
Here comes MS, trying to get into your wallet again with claims
of great service and promises of great security failures. I
suppose that there are some who will think that it's a great idea,
but it doesn't really do anything that the user cannot do almost
as simply. And it is one more shot by MS to get into your
personal data.

Passport was a disaster for MS - lots of money invested and no
one interested besides MS. Passport did keep support costs
down since you couldn't get support without a Passport and few
people were willing to get one even for that. Later, MS dropped
the Passport requirement, but the impact remained.

So now here comes Disaster - The Sequel; INFOCARD !!!!

Sorry, MS, once more your innovative 'brilliance' has gone sour.
But, if you constrain this feature to Longhorn, most of the
computer world will breathe easier.
Posted by Earl Benser (4310 comments )
Yup, you've got it right
I think you were a bit harsh with some of your comments, but I totally agree.

Personally I use FireFox for web browsing, and it remembers 99% of my web logins for me. It doesn't do stores very well, but that's ok. I'd prefer to have more control of purchases anyway. Oh wait! I'm feeling compelled to let...Microsoft...handle all of my purchases for me. Yeah, I'll feel a LOT safer that way!
Posted by (6 comments )
And yet another example...
...that Microsoft will not let a bad idea die.
Posted by Norseman (1319 comments )
ANY Single sign-on is a bad idea!
Hack that one point, and EVERYTHING falls along with it.
This is a bad idea, and can never be anything but.
Posted by powerclam (70 comments )
What is with these people??
Why does Microsoft insist on giving us things we don't want while ignoring the things we do want?? If you have trouble managing passwords, use a safe and simple (and free) tool like KeePass. Universal logins are a bad-bad-bad idea, especially if designed and controlled by a company with their security track record. But you know, they will force it upon us, just like they did with Passport. It pops up as a tray icon on all new systems telling you that you need to sign up, well you don't NEED to sign up, they just want you to.
Posted by (5 comments )
Pinch.. yes it's real...
I stopped reading the article 2/3 down the first page... that was enough for me.

Who in their right mind would want a "pingable" app on their PC that stores their personal info? I want some of whatever Mike Nash is smoking please!
Posted by SmokieUK (39 comments )
What's In It For MS?
Microsoft doesn't do anything out of the goodness of their hearts. If they really want to make Windows life easier (and secure), there are more significant ways to do that. So why are they pushing Neo-Passport? To sell more software licenses? To get micro-payments for each transaction as an intermediary (ala Paypal)? To lock people into Longhorn and IE and kill Firefox/Opera? To compel people to upgrade to Longhorn?

I'd like to see CNET interview some third parties about what they think is really behind Microsoft's renewed push for this technology. Follow the money!
Posted by Stating (869 comments )
From the "bleading" edge of technology...
As Keith J mentions in a previous post, "Follow the money." Indeed, follow the money right out of InfoCard and into some phisher's or pharmer's wallet.

It doesn't matter that Microsoft can build secure technology if the average Jane-Joe home user can't--or won't--secure their computers. With an estimated 80% of the home computers compromised, what good is InfoCard (IC) if the user's account is compromised by a bot that accesses IC's data store as an authorized use and sends back all that private data the poor user was trying to keep secure? And with stealthy bots on the horizon, the poor sap wouldn't even know he'd been had, or that she's still on a trip.

No, more, much more, effort needs to be directed toward making these machines--hardware, software, and firmware--truly secure. Yeah, nothing's a 100%, but even at .999C I don't need a hitchhiker to see the galaxy.
Posted by (1 comment )
Last Layer Of Control to Tie It All Together
It's all about control: theirs, not the users'.

This technology bundles in nicely with Palladium/Next Generation Secure Computing Base/Trusted Computing Platform Alliance forming the final binding layer in Internet Security. It will force all software authors and hardware makers to dance to the Microsoft/TCPA Security tune and pay the Microsoft or related but "independent" third party TCPA licensing and certification piper.

Using this layer and Palladium/NGSCB they want to force everyone into using only Trusted Computing approved hardware and software since that is the only way to "Guarantee" a Secure transaction system free of spyware, malware and viruses and trojans.

This system combined with Palladium/NGSCB will also be used to push competition further out of the market. If your bank or a merchant's web site will not talk to your computer because that really handy but unsecured (read uncertified) shareware printer utility that you have paid for and used for years is installed on your system, which is going to go? The ability to use online banking? Or the shareware utility?

Who will be willing to use Linux/BSD or some other Open Source software, Shareware, Freeware, or non-commercial software (non-commercial in the sense that the author can not afford to have their software certified as "Secure"), when you won't be able to talk to most of the Internet, send or receive e-mail, chat or many other things because the web/mail/chat/p2p server requires a certified secure system? Secured from the chips on the mother board up through the operating system including all applications installed or running on the system, back down through the network card and Internet link all the way to the web site. Using Microsoft software and certified Trusted Computing hardware is the only way to do this easily. It comes as a bundled package from most PC vendors anyway.

This is not to say that Red Hat, IBM, HP, Novell, won't be able to produce a certified secure TCPA version of Linux/BSD. But you have to buy it from them and use it unmodified. The instant another user or company modifies and recompiles even part of the source code, the OS is no longer TCPA Certified Secure; the original security keys no longer match the running binaries. The program has lost the proper security keys during the rebuild and will only run on the computer that built it. The Trusted Computing/proprietary software vendors have just stepped around the concept of open source, public license and non-proprietary code without even having to fire a legal shot at the GPL. At this point all the source code in the world could be available to the general public but it would be useless without the security keys necessary to compile the code into certified binaries for public use. And the TCPA/Microsoft control the keys.

Microsoft can also use this "Layer" to collect transaction fees from both ends, the user and the merchant, and the middle with gate keeper fees charged to the banks. It can enhance its revenue stream by placing a siphon into everyone else's revenue stream and draw off micro payments. In nature there is a word for this behavior... Parasite.

Many others have written more eloquently than I have here. Google "trusted computing" and "TCPA" to find more information for and against this idea.

...One OS to rule them all and in the darkness bind them. With apologies to Tolkien.
Posted by (1 comment )
Thank You.

Nice that someone has explained the final effect of Trusted-Computing and tied all the pieces together.

Microsoft WINS... Complete control

Consumers LOSE... Any REAL Choice

Almost makes you wonder if all those security-holes in MS-Windows, WERE, ...just accidental.
Posted by Gayle-Edwards (30 comments )
Paying Attention...
Great comment, and observations, John...

Having spent several years analyzing the full-impact of the "Microsoft Trusted Computing architecture" (both, its effect upon the world of computer-science, and the computer-industry), I thought that I would connect all the technical-pieces of this whole -security scheme- together (so that those that have not figured it out for themselves, would understand the actual eventual ramifications of the "Microsoft Trusted Computing" agenda).

But, you have done a wonderful job.

I would like to mention, however, that the first actual example (and test-bed) of the fully-implemented "Microsoft Trusted Computer" has already been released. It is the Microsoft-XBOX. This Microsoft-PC allows Microsoft to decide,

...what software you can run.

...What hardware you can install.

...What services you can use.

...What functionality the computer-owner is allowed to have.

It also allows Microsoft to change any of these, at Microsoft's whim, beyond the control of the person who has actually purchased the computer.

Furthermore, people need to know that most of the network-switches currently used on the Internet (by ISPs) are already designed, or have been upgraded, to completely SHUT-OUT -non-trusted- (I.E. non-Microsoft controlled) PCs with a few key-strokes.

When you mix that with Microsoft's intention to soon include, individual, physical user-identification as part of the total -Trusted PC- environment, ...well.
Posted by Raife (63 comments )
kudos for analysis
very interesting point of view
Posted by alx359 (40 comments )
windows again behind the times...
Mac OSX users have been using "Keychain Access" for several
years now:

"A Secure Keychain
To make it easy to manage the daunting number of passwords
and permissions intrinsic to network computing, Mac OS X
includes a Keychain. The Keychain stores all your information to
use encrypted disk images and to log onto file servers, FTP
servers and Web servers. Mac OS X automatically adds your .Mac
account information to your Keychain. When you log in to Mac
OS X, the system opens your Keychain. You don't have to enter
your user name and passwords to access this data. You can set
Mac OS X to lock your Keychain when the system sleeps or is
inactive for a time. The system will ask you for your password
the next time you try to access secure data. Other users on the
system cannot access your Keychain or its data."

It stores all the passwords used, it doesn't matter if it's IE, Safari
or Mozilla browsers. Keychain will automatically enter name and
passwords whenever it's required. It also stores other passwords
in other apps such as ftp programs. If you need to see the actual
ASCII passwords, you can launch Keychain and it will show the
password as long as your account has admin access.
Posted by BobBobBobBobBobBobBob (49 comments )
Infocard for ID Thieves as well?
Does this mean that ID thieves who have applied for credit cards, web services, etc using stolen IDs will also be able to store those fraudulent IDs and passwords etc into the infocard as well?
Posted by (6 comments )
infocard question
Is a Microsoft Infocard Profile stored locally on my PC? ... what if i go to my friend's house and i want to make a purchase on ebay - or just log in to my email - how will i get at my Infocard? ... aren't we back at square one if i have to figure out how to transport it ... do I take my Infocard on a disk (insecure), or maybe i have to connect to my pc at home (that sounds hard for normal users) ... thanks a lot for anyone who could clarify this :D
Posted by cannonarm (1 comment )
Hopefully already incorporated in infocard design.
Some infocard concepts may raise individual privacy concerns.

Infocards, or separate cards, could integrate functionality that increases individual freedoms.

Example 1: The automobile.

What if the next time you purchased your automobile, your salesperson explained the following about your new car keys ("infocards" from here on)?

"Insert this infocard in that slot of this car's console. It will allow you to use this car. That slot replaces the functionality of the key ignition slot on older cars."

"You can use the console to make/remake your car infocards at any time."

"If you think your infocards have been lost, stolen, or loaned to a person of questionable character, you can remake your infocards at anytime, in a matter of seconds per key. I won't show you that process until we sign your contract, but it's easy."

"I will explain that the process of making the key is unique to your car, and its immediate environment, at the particular second you decide to remake your keys. Every time you remake your keys, they will be different from all past keys made by your car."

"No other car can be used to make keys for your car. Your car can not be used to make keys for any other car."

"The console can be programmed to make the key valid for only certain functions of this car. For example, a particular user's infocard can be set to trigger external and internal emission of Lawrence Welk sermons every time the car is driven beyond a selected radius of a specified gps setting."

"Another person's card may be configured to allow entry to the vehicle, use of the back seat TV, the radio, etc., but prevent activation of the engine."

"You're lucky. As the buyer of this card, you can make your infocards out of ordinary gift cards. Will WalMart, KMart, etc., sell you gift cards for a penny a piece. Not only can you make the infocards anytime you want, it's going to be cheap. Compare that to the dent in your credit card the last time you replaced an RFID key to your old car!"

"Just sign here, please."

Other examples abound, but what catches human interest more than the automobile? You thought of something. Can infocard play a positive role in that, too?
Posted by RememberEZ (45 comments )
N. E. Body, yes you're exactly right. If they build InfoCard correctly, it will be absolutely fantastic. If it's not totally configurable and is a security risk, then yes, of course it's a piece of crap. Perhaps storing the info on a thumb drive (as an option) would be great--Like the MacOS "keychain" thing. Let's see how InfoCard works (or doesn't) and then decide if it's good or bad.
Posted by locoHost (25 comments )
The online buying experience would change. When a user buys a book online
Posted by xmzs09 (1 comment )