Death of Password
I was doing a roundtable session yesterday at the Strategic Architecture Forum (SAF) and the discussion moved into what Windows CardSpace (WCS) is and how it helps the identity and payments industry. Many of the participants had never heard of WCS and wanted to understand more. So I explained what WCS is, what the technology and standards behind it are, and what Microsoft provides in this space. One of the concerns brought up was that consumers like to remain anonymous and would not like to be tracked, and that WCS is a technology that abates tracking. So we then dived into the existing payment models and where they rank in terms of tracking. Cash payment is the only one which is hard to track; all other forms of payment (be it credit card, debit card or mobile payments) can be easily traced and tracked. Contrary to that notion, however, WCS actually maintains anonymity.

As shown above, what really happens is:
- A consumer shops online at an eCommerce site and is ready to check out.
- The eCommerce site asks for the consumer's credentials to log in so they can check out easily, get loyalty points, automatically fill in the shipping address, etc. So the
- The customer chooses to authenticate using WCS card(s).
- A dialog brings up all the WCS cards on the customer's computer; only those that are accepted by the eCommerce site are available for selection and the rest are disabled.
- The customer selects one of the cards and requests a token from the identity provider. The request is digitally signed by the customer and secured using WS-Security.
- The identity provider authenticates the user and issues a digitally signed token.
- The customer's WCS application sends the token to the eCommerce site, which accepts it as a valid identity token and allows the customer to log in.
- The eCommerce site never sees the actual credentials of the customer and only looks at the encrypted token.
These steps may sound too cumbersome, but remember that they happen in the background and the underlying technology takes care of them. This is a very seamless experience for the end customer.
Of course there are some process steps outside the WCS technology, such as the customer obtaining a WCS card from the identity provider, etc. The key point is the protection of anonymity and the associated security. The only information stored on the customer's computer is the metadata related to the identity provider, so even if the computer is compromised there is no loss to the customer. The beauty of this technology is the use of standards. All the underlying technology is based on industry standards and there is nothing proprietary about it.
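To make the flow above concrete, here is a small added model of the three parties (card selector on the customer's computer, identity provider, eCommerce site as relying party). It is example code written for this post, not CardSpace's own implementation. Its assumptions: the identity provider's "signature" is an HMAC over the token body, and the verification key is shared with the site out of band; real CardSpace tokens use XML digital signatures (WS-Security / SAML) that the site verifies with the provider's public key instead. All user names, keys, issuers and claim values are constructed for the illustration.

```python
"""Toy model of the CardSpace-style checkout flow (constructed example).

The identity provider is the only party holding the user's real credential;
the card store on the client holds metadata only; the site receives a signed,
audience-scoped, short-lived token and never sees the password.
"""
import hashlib
import hmac
import json

# Identity provider side. Constructed user database (salting omitted to keep
# the model short). IDP_SIGNING_KEY stands in for the provider's private key.
IDP_USER_DB = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
IDP_SIGNING_KEY = b"demo-idp-key"
IDP_NAME = "idp.example"

# Client side: what the card store holds is metadata only, no secrets.
CLIENT_CARDS = [  # constructed
    {"card_id": "c1", "issuer": "idp.example", "claims": ["loyalty_id", "shipping_address"]},
    {"card_id": "c2", "issuer": "bank.example", "claims": ["account_number"]},
    {"card_id": "c3", "issuer": "idp.example", "claims": ["age_over_18"]},
]


def select_usable_cards(cards, accepted_issuers, required_claims):
    """Card selector step: enable only cards that satisfy the site's policy,
    grey out the rest. Returns (enabled_ids, disabled_ids)."""
    enabled, disabled = [], []
    for card in cards:
        ok = card["issuer"] in accepted_issuers and set(required_claims) <= set(card["claims"])
        (enabled if ok else disabled).append(card["card_id"])
    return enabled, disabled


def _sign(body_json):
    # HMAC stand-in for the provider's digital signature (see lead-in).
    return hmac.new(IDP_SIGNING_KEY, body_json.encode(), hashlib.sha256).hexdigest()


def idp_issue_token(username, password, audience, requested_claims, now, ttl=300):
    """Identity provider: authenticate the user, then issue a signed token that
    carries only the requested claims, bound to one site and a short lifetime."""
    stored = IDP_USER_DB.get(username)
    presented = hashlib.sha256(password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, presented):
        return None
    body = {
        "iss": IDP_NAME, "sub": username, "aud": audience, "exp": now + ttl,
        "claims": {c: f"{c}-of-{username}" for c in requested_claims},  # constructed values
    }
    body_json = json.dumps(body, sort_keys=True)
    # The hex MAC contains no '.', so the receiver can split on the last '.'.
    return body_json + "." + _sign(body_json)


def rp_verify_token(token, expected_audience, now):
    """Relying party (the eCommerce site): check signature, issuer, audience and
    expiry. It sees claims, never the password. Returns the body or None."""
    body_json, sep, mac = token.rpartition(".")
    if not sep or not hmac.compare_digest(mac, _sign(body_json)):
        return None  # tampered, or not issued by the trusted provider
    try:
        body = json.loads(body_json)
    except ValueError:
        return None
    if body.get("iss") != IDP_NAME or body.get("aud") != expected_audience or body.get("exp", 0) <= now:
        return None  # wrong issuer, replayed to another site, or expired
    return body


if __name__ == "__main__":
    enabled, disabled = select_usable_cards(CLIENT_CARDS, {"idp.example"}, ["loyalty_id"])
    print("cards offered:", enabled, "greyed out:", disabled)
    tok = idp_issue_token("alice", "correct horse", "shop.example", ["loyalty_id"], now=1000)
    print("site sees:", rp_verify_token(tok, "shop.example", now=1100))
    print("same token replayed to another site:", rp_verify_token(tok, "other.example", now=1100))
```

The audience and expiry checks are what keep the anonymity argument honest: a token minted for one shop cannot be presented to another, and a captured token stops working after a few minutes, so the site learns the claims it asked for and nothing more.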