, SecurityFocus 2006-02-20
Story continued from Page 1
During the keynote kicking off the conference, Microsoft's chief software architect Bill Gates told attendees that the company's next operating system will support just such a system. Dubbed InfoCard, the application will be part of Internet Explorer 7 and initially act as a password vault. However, as a companies start signing agreements of trust and build federated identity systems, InfoCard could hold credentials that prove only certain attributes, Gates said.
"You don't always want to present all your information," Gates said. "You will have different cards: Cards that just give your location, cards that more secure that give your credit card (information), cards that you would protect very carefully and you would have a PIN for every use of it where you might authorize access your medical information."
A Microsoft spokesperson stressed that the technology supports a system of credentials, but does not require it. Companies could continue to require customers to fully identify themselves, but the idea that less can be more has taken root, Gates said.
"Thinking of those different cards really has gotten people understanding that there are different types of authentication, and even in those authentication steps some cases have a level of indirection so you can have privacy even as you are doing those authorization steps," he said.
The idea of a system of credentials that prove only what is really necessary is not a new one. Digital cash pioneers David Chaum and Stefan Brands both researched the topic in the 1990s. Brands created much of the framework for such technologies and has patented some of the models of credentials.
Consumers benefit from such systems because they give out less information and have to worry less about their privacy. Businesses can gain by having less information stored on their servers. Moreover, putting fewer barriers in the way of the customer will mean more business, said Rob Shenk, vice president of online financial giant E*TRADE Bank during a panel on consumer authentication for the financial industry.
"Putting something in place that interdicts the legitimate flow is lethal, lethal," Shenk said.
Technology companies may be pushing for a change in how Web sites authenticate people, but it remains to be seen whether merchants will actually willingly settle for less information about their customers.
In any event, businesses and customers need to move beyond simple passwords linked to records of personal information, said Microsoft's Gates.
"Today we're using password systems and password systems simply won't cut it," Gates said. "They are very quickly becoming the weak link."