Who do you think you are?

By Craig Murphy

Actually, that's the wrong question: I really need to know who you are, who you really are.  Please confirm your identity.  How are you going to tell me who you are?  I've got an e-mail address, send me an e-mail and I'll reply, then you'll know who I am because I've got a valid e-mail address.  Well, that might work, but how do I know that your e-mail address isn't falsified in some way?  Why don't you send my mobile 'phone an SMS (text message)?  That way, when I reply you'll know who I am because I'm trustworthy enough to have a mobile 'phone.  Well, that might work too, but what if you've got one of those pay-as-you-go or throwaway mobile 'phones?

Authentication and confirmation of identity in today's online world is a big problem.  It's a problem that is the subject of furious debate from users all over the globe.  With the marked increase in online and electronic fraud, an increase that is keeping many people in employment, not least in the financial sector, achieving reliable proof of identity is proving to be a headache for many providers and implementers. 

Gone are the days when “something you know” authentication, such as providing a variety of letters/numbers from passwords, is deemed suitable for online banking.  In an effort to thwart attempts to empty your bank account into another account, many financial institutions are sending their online customers card readers so that authentication relies on “something you have”.  Whilst the added security benefit offered by the card reader is somewhat obvious – you need your bank card and its PIN – it’s a move that is causing anguish amongst many customers.  I dread to think what customers will make of the next step: biometrics, i.e. authentication based on “something you are”, such as your own physical attributes: your fingerprint or your retina, for example.

Herein we find the problem with authentication: users don’t like hassle; they just want to log in using a username and password.  Give them some hardware and some extra steps and they just baulk.  Of course, they don’t want their bank accounts emptied by the unscrupulous fraternity either, so we have to look at doing more to protect their accounts – it’s a Catch-22 situation.  Or is it?

Enter The Identity Metasystem
What if we had a means of authentication that didn’t revolve around the ownership of physical hardware and/or personal attributes?  What if we had a means of securing “something you have” in the electronic world?  What if you had an electronic card?  Microsoft’s implementation of The Identity Metasystem, known as CardSpace, can achieve this electronic panacea.  I hear you cry: “Pah! It’s a Microsoft technology, what about vendor lock-in?”

Granted, Microsoft played a major part in the overall architecture; however, it is truly multi-vendor and multi-platform, and vendor lock-in is not part of the deal.  Of course, some readers may remember the lock-in issues surrounding Hailstorm and subsequently the Passport service: please, be assured that such vendor-specific solutions are now a thing of the past.  CardSpace is part of a metasystem, thus there is the desirable option of choice: choice of authentication framework.

CardSpace dispenses with the need for the custom hardware required to scan cards, provide request/response numeric pairing or verify human attributes.  In order to confirm your identity, CardSpace uses the notion of a Digital Identity that is represented using Security Tokens, which themselves comprise a number of Claims.  A Claim is very flexible: it might just be a username, or a username and password, or it could contain credit card information or even employee information.  The list is almost endless.

The ability to have both Personal Cards (self-issued) and Managed Cards (those issued by banks, etc.) provides an automatic grading mechanism – users who sign up with self-issued Personal Cards may have fewer privileges than those with Managed Cards.  Similarly, you have control over which Cards you provide: you may have a handful of Personal Cards, each providing different amounts of information.  One Card might provide your preferred username, e-mail address and password.  A second Card might be used for social networking; you might provide a username, e-mail address, password, your date-of-birth and your biography information.

The CardSpace workflow is fairly simple.  Any complexity is typically handled by a CardSpace application.  Using a CardSpace application, you, as a user, pass your Information Card to a Relying Party, your favourite book vendor perhaps.  Your book vendor then asks for your Security Token.  The CardSpace application then asks an Identity Provider for the Security Token, which is then passed back to the book vendor.  For simple authentication, you could be the Identity Provider.  However, for more complex authentication, your employer or your bank could be serving up Security Tokens – this is where it gets interesting.  The Relying Party knows that the Security Token was issued by a trusted Identity Provider – there are mechanisms in place to ensure the integrity of the Security Token.
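
The grading and token flow described above, as an added sketch in Python that is not CardSpace code: an Identity Provider bundles Claims into a token, and the Relying Party accepts it only if it comes from an issuer it knows and has not been altered.  The issuer names, keys, claim names and the HMAC-over-JSON token format are all assumptions made for illustration; HMAC stands in for whatever integrity mechanism a real Security Token carries.

```python
import hashlib
import hmac
import json

# Constructed demo data: issuers this Relying Party knows, with key and grade.
# Assumption: HMAC-SHA256 over a JSON body stands in for the token's real
# integrity protection; this is a simplified model, not CardSpace's format.
KNOWN_ISSUERS = {
    "bank.example": (b"constructed-bank-key", "managed"),
    "self:card-1": (b"constructed-card-key", "personal"),
}


def issue_token(issuer, key, claims):
    """Identity Provider: bundle the claims and attach an integrity tag."""
    body = json.dumps({"issuer": issuer, "claims": claims}, sort_keys=True)
    return {"body": body, "tag": _tag(key, body)}


def _tag(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def evaluate_token(token, required_claims):
    """Relying Party: return (grade, claims) or ("rejected", {})."""
    try:
        body, tag = token["body"], token["tag"]
        data = json.loads(body)
        key, grade = KNOWN_ISSUERS[data["issuer"]]  # unknown issuer -> KeyError
        intact = hmac.compare_digest(_tag(key, body), tag)
        claims = {name: data["claims"][name] for name in required_claims}
    except (KeyError, TypeError, ValueError, AttributeError):
        return "rejected", {}  # malformed token, unknown issuer, missing claim
    return (grade, claims) if intact else ("rejected", {})


def demo():
    bank = issue_token("bank.example", b"constructed-bank-key",
                       {"username": "craig", "account": "constructed-0001"})
    personal = issue_token("self:card-1", b"constructed-card-key",
                           {"username": "craig"})
    altered = dict(bank, body=bank["body"].replace("craig", "someone-else"))
    unknown = issue_token("unknown.example", b"any-key", {"username": "craig"})
    return [evaluate_token(t, ["username"])[0]
            for t in (bank, personal, altered, unknown)]


if __name__ == "__main__":
    print(demo())
```

The Relying Party can then map the returned grade to privileges, giving a "personal" result fewer of them than a "managed" one.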

A Glasnost modus operandi opens CardSpace up to the masses.  We are already seeing solutions appearing in Internet Explorer 7 under Windows XP.  Few would have believed that the same authentication mechanism could co-exist for a Windows-based OS and the various flavours of Linux, but that’s what’s happening, thanks to the Open Source community.  The metasystem is essentially lending itself to a convergence of browsers: Internet Explorer, Safari and Firefox.  Similar openness is demonstrated as we learn that CardSpace can make use of OpenID, thus introducing choice at the Identity Provider level too.

“This is great...” you say, “but if my authentication credentials are stored on my local machine, surely they’re open to attack?”  Thankfully not: it is up to the Identity Provider (yourself, banks, employers, etc.) to determine how and where your personal information is stored.  Obviously, if you have issued your own Information Cards, you’ll probably store them on your local machine or a USB drive.  Sensitive data, such as credit card numbers, expiry dates and CCVs, are best stored with the Identity Provider, i.e. on remote and heavily protected servers.

Such a solution is not limited to the major financial institutions: any web-site that requires “sign up” can benefit from the additional security that CardSpace has to offer.  The plethora of social networking sites that seem to have so rapidly caught the attention of the general public would do well to adopt CardSpace, if only to stop blatant impersonation – a topic which I write about in more detail.

So when I’m next asked the question “who do you think you are?” I’ll be handing over a CardSpace information card.  I am who I am, this card confirms it.

[With thanks to Alan Henderson]