Death of Password

mmoin — Fri, 01 Dec 2006 21:42:00 GMT

I was doing a roundtable session yesterday at Strategic Architecture Forum (SAF) and the discussion moved into what is Windows CardSpace (WCS) and how it helps the identity and payments industry. Many of the participants had never heard about WCS and wanted to understand more. So I explained what is WCS, what is the technology, standards behind and what Microsoft provides in this space. One of the concerns brought up was consumers like to remain anonymous and would not like to be tracked and WCS is technology that abates tracking. So we then dived into the existing payment models and where they rank in terms of tracking. Cash payment is the only one which is hard to track, all other forms of payments (may it be credit card or debit card or mobile payments) can be easily traced and tracked. However actually to the contrary notion WCS maintains anonymity.

As shown above what really happens is,

A consumer shops online at a eCommerce site and is ready to check out.
eCommerce site asks for consumer credentials to login so they can checkout easily, get loyalty points, automatically fill in shipping address, etc. So the
Customer chooses to authenticate using WCS card(s).
A dialog brings up all the WCS cards on the customer's computer and only those that are accepted by the eCommerce site are available for selection and rest are distabled.
Customer selects one of the cards and requests the identity provider for token. Request is digially singed by the customer and is secured using WS-Security
Identity provider authenticates the user and issues a digitally signed token
Customer's WCS application sends the token to the eCommerce site, which accepts it as a valid identity token and allows the customer to login
eCommerce site never sees the actual credentials of the customer and only looks at the encrypted token

These steps may sound to be too cumbersome, but remember these are happening in the background and the underlying technology takes care of them. These is a very seamless experience to the end customer.

Of coruse there some process steps outside the WCS technology such as customer obtaining a WCS card from the identity provider, etc. Key point is the point is the protection of anonymity and assocaited security. The only infromaiton stored on the customer's computer is the meta data related to the identity provider, so even if the computer is compromised there is no loss to the customer. The beauty of this technology is the use of standards. All the underlying technology is based on industry standards and nothing proprietary about it.

Strategic Architecture Forum

mmoin — Thu, 30 Nov 2006 21:19:00 GMT

This week Microsoft is hosting the Strategic Architecture Forum (SAF) in Redmond. It is a premier event where Architects, CIOs, CTOs from global enterprises come to Redmond to share their thoughts about the challenges faced by these industryies and hear from Microsoft on how to address these challenges. There are many distinguished speakers from both Microsoft and other companies. This event is geared towards sharing Microsoft's thought leadership in the enterprise space and also listening from the customers what works for them and what doesn't. It is amazing to meet top brins from the around the world with the similar challenges in their respective regions and areas.

One thing that definitely hit me is irrespective of what large orgnization they work for they're people, which means irrespective of the revenues people are the most critical asset of any organizaiton. It took the industry long time to come to this realization, but lately focus of the industry is coming back to the people.

I'll write more about SAF as we make progress.

ARC Thoughts : SAF

Death of Password

Strategic Architecture Forum