InfoCard: It's Not Just Passport 2.0
Microsoft proposes to simplify authentication -- again.
You might remember Microsoft's first attempt at addressing this problem, Passport, which Microsoft uses on its own MSDN Web site (and elsewhere), but which never caught on as Microsoft hoped it would.
At VSLive! Orlando last week, Richard Turner, project manager for InfoCard at Microsoft, spoke about InfoCard, Microsoft's proposed solution to the problem of authentication and identity management. InfoCard is a standards-based approach to managing your digital identities.
Turner explained that InfoCard is part of WinFX, Microsoft's managed set of APIs for Windows Vista. InfoCard runs in a separate, protected part of the Windows environment, isolated from the other processes on your system: the InfoCard environment handles only your digital identity, and other processes can neither see it nor interact with it, which is what keeps the card-selection UI from being spoofed or read by ordinary user-mode code. Turner noted that InfoCard exposes only two programmatic APIs: Manage, which opens the card-management interface, and GetToken, which asks the user to pick a card and returns the resulting security token to the calling application.
InfoCard is part of Microsoft's Identity Metasystem Architecture, which has been articulated by Kim Cameron, architect of identity and access in the connected systems division at Microsoft. Kim maintains the Identity Weblog, where he has laid out his (and Microsoft's) vision for managing identity in the near and distant futures. Be sure to check out his whitepapers on "The Laws of Identity" and "The Identity Metasystem" for more information on where InfoCard fits into Microsoft's larger worldview on identity. The site also includes a white paper that lays out the design decisions that informed Microsoft's implementation of InfoCard.
Cameron's white paper on InfoCard lays out four considerations a viable identity architecture must satisfy: it must improve security and privacy; it must be inclusive of the disparate identity technologies in use today and those that will come into use; it must accommodate common identity scenarios, even when those scenarios have conflicting goals; and it must be incrementally deployable, coexisting with and leveraging current identity technologies rather than requiring you to rip and replace them.
So, how does InfoCard differ from Passport, Microsoft's first attempt to provide an integrated, reliable authentication platform? First, InfoCard doesn't replace existing authentication schemes with a proprietary system of its own; it leverages existing identity technologies. It is built on published Web-services standards (WS-Trust, WS-SecurityPolicy, and WS-MetadataExchange), and third parties can write their own clients (identity selectors) and identity providers for non-Windows environments.
Second, Microsoft doesn't hold the identity data itself. A managed card's claims stay with the identity provider that issued it; a self-issued card's claims (an InfoCard the user creates) are stored on the user's own machine. The user decides when a card is presented and to which site, and manages his own access to a given site, rather than going through an intermediary such as Microsoft.
Third, it is more attractive from a cost standpoint for developers. Passport required that you pay a significant licensing fee to leverage Passport on your Web site; InfoCard has no such requirement.
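To make the first two differences concrete, here is a toy model of the InfoCard token flow, added as an illustration; it is not Microsoft's code and does not use the InfoCard/WinFX APIs. The three parties are the relying party (the Web site), the identity selector on the user's machine, and the issuer of a card (an identity provider for a managed card, the selector itself for a self-issued card). The site's policy, the card names, URLs, claim values and keys are all made up. Real InfoCard exchanges tokens over WS-Trust with XML signatures; this toy uses JSON and an HMAC-SHA256 keyed with a per-issuer secret as a stand-in for the issuer's signature, so that it runs with only the standard library.

```python
"""Toy InfoCard flow: site policy -> selector offers matching cards -> the
chosen card's issuer releases only the requested claims, bound to that site
-> the site verifies the token. Illustration only, not Microsoft's code."""
import hashlib
import hmac
import json

# Keys the relying party uses to check signatures (constructed sample). The
# first stands in for the bank identity provider's signing key; the second is
# the key of a self-issued card, learned when the user first registered it.
ISSUER_KEYS = {
    "https://ip.example/bank": b"hypothetical-bank-ip-signing-key",
    "self:card-self": b"hypothetical-self-issued-card-key",
}

# Cards held by the selector on the user's machine (constructed sample).
# A managed card holds only metadata (issuer, claims it can supply); the
# values live at the identity provider. A self-issued card holds its values.
CARDS = [
    {"id": "card-bank", "type": "managed", "issuer": "https://ip.example/bank",
     "supported_claims": {"email", "over18"}},
    {"id": "card-self", "type": "self-issued", "issuer": "self:card-self",
     "claims": {"email": "alice@example.net", "nickname": "alice"}},
]

# What the bank identity provider knows about the user (constructed sample).
IP_USER_RECORD = {"email": "alice@bank.example", "over18": True, "account_no": "12345"}


def cards_matching_policy(cards, policy):
    """Selector side: offer the user only cards that can satisfy the site's policy."""
    wanted = set(policy["required_claims"])
    offered = []
    for card in cards:
        have = card["supported_claims"] if card["type"] == "managed" else set(card["claims"])
        issuer_ok = policy.get("issuer") in (None, card["issuer"])
        if wanted <= have and issuer_ok:
            offered.append(card)
    return offered


def _sign(issuer, payload):
    """Stand-in for the issuer's signature over a canonical encoding of the payload."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(ISSUER_KEYS[issuer], body, hashlib.sha256).hexdigest()


def issue_token(card, policy, now):
    """Issuer side: release only the claims the site asked for, bound to that site."""
    if card["type"] == "managed":
        issuer, record = card["issuer"], IP_USER_RECORD   # the IP looks the user up
    else:
        issuer, record = card["issuer"], card["claims"]   # the selector issues locally
    payload = {
        "issuer": issuer,
        "audience": policy["audience"],
        "issued_at": now,
        "expires_at": now + 300,
        "claims": {c: record[c] for c in policy["required_claims"]},
    }
    return {"payload": payload, "signature": _sign(issuer, payload)}


def verify_token(token, expected_audience, policy, now):
    """Relying-party side: check issuer, signature, audience, lifetime and claims."""
    p = token["payload"]
    issuer = p.get("issuer")
    if issuer not in ISSUER_KEYS:
        return False, "unknown issuer"
    if policy.get("issuer") not in (None, issuer):
        return False, "issuer not accepted by policy"
    if not hmac.compare_digest(token["signature"], _sign(issuer, p)):
        return False, "bad signature"
    if p["audience"] != expected_audience:
        return False, "token was issued for another relying party"
    if not p["issued_at"] <= now < p["expires_at"]:
        return False, "token expired or not yet valid"
    missing = [c for c in policy["required_claims"] if c not in p["claims"]]
    if missing:
        return False, "missing claims: " + ", ".join(missing)
    return True, p["claims"]


def run_flow(policy, chosen_card_id, now=1000.0):
    """Whole exchange: the user may only pick a card the selector offered for this policy."""
    offered = cards_matching_policy(CARDS, policy)
    card = next((c for c in offered if c["id"] == chosen_card_id), None)
    if card is None:
        return None, (False, "card not offered for this policy")
    token = issue_token(card, policy, now)
    return token, verify_token(token, policy["audience"], policy, now)


if __name__ == "__main__":
    policy = {"audience": "https://rp.example/shop",
              "issuer": "https://ip.example/bank",
              "required_claims": ["email", "over18"]}
    token, (ok, result) = run_flow(policy, "card-bank")
    print(ok, result)   # the site never sees account_no
```

Two properties of the architecture show up in the checks: the issuer releases only the claims the site's policy asked for (the bank never discloses `account_no`), and a token is bound to the audience that requested it, so a site that receives one cannot replay it to another site or edit its claims without breaking the signature.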
Of course, this is still version 1 technology, and some significant issues remain to be solved. For example, Microsoft must get users and other potential providers to buy in. To do that, it needs an interface that is clear and intuitive and that requires a minimum of user instruction. A solution that is too complex is no solution at all, and would leave us basically where we are right now.
Microsoft also faces a competing solution with Project Higgins, an open source project that lets users and businesses integrate identity, profile, and other information across various environments. Turner noted that Microsoft is working with the Higgins project as it prepares its InfoCard solution, and he stressed that identity management will require an industry-wide, standards-based solution.
Finally, Microsoft must address how cards are issued and acquired. There is a chicken-and-egg problem in establishing an InfoCard in the first place: how does an issuer verify the user's identity before issuing a card, and is that point of acquisition itself a weak point for deploying the service? To its credit, Microsoft's solution does accommodate using InfoCards from different computers.
It will be interesting to see how Microsoft addresses these and other issues related to managing identity. As ever, VSM will share updates about these technologies as new information becomes available and as they get closer to shipping.
Do you think InfoCard will succeed where Passport didn't? Why or why not?
Patrick Meader is editor in chief of Visual Studio Magazine.