From "Username and Password" to InfoCard

From Username & Password

to "InfoCard"

Richard Turner

"InfoCard" Product Manager

Microsoft Corporation

Garrett Serack

Program Manager

Microsoft Corporation

Agenda

Internet Identity Crisis

"InfoCard" Overview

Implementation

The Identity Metasystem

Getting "InfoCard"

Suppliers & Partners

Businesses

Employees

Friends & Family

Consumers

Who Are You?

The Internet Identity Crisis

Phishing & Phraud

Password fatigue

Inconsistent, proprietary identification mechanisms

Lack of Identity Online

Phishing & Phraud

New Phishing Sites by Month

December 2004 – December 2005

Dec

04

Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

05

7,197

4,6304,367

5,2425,2594,564

4,280

3,3262,8542,870

2,6252,560

1,707

Source: http://www.antiphishing.org

http://www.antiphishing.org/

http://www.antiphishing.org/reports/apwg_report_DEC2005_FINAL.pdf

Password Fatigue

"InfoCard"

Consistent user experience

Helps eliminate unames and passwords

Helps protect users from many forms of phishing & phraud attack

Support for two-factor authentication

Easier Safer

Built on WS-* Web Services Protocols

"InfoCard" cards

Stored locally

Assertions about me

Not corroborated

Provided by banks, government, clubs, etc

Stored at STS

Metadata only

Richard’s Card Woodgrove Bank

Private Desktop

Runs under separate desktop and restricted account

Isolates "InfoCard" from Windows desktop

Deters hacking attempts by user-mode processes

Contoso Car Rental

Participants

Relying Party (website)Identity Provider

User

Login with Self Issued Card

Relying Party (website)

User

Login

Select Self Issued Card


User

Create Token from Card


User

Sign, Encrypt & Send Token


User

Login with Managed Card


User

Login

Select Managed Card


User

Request Security Token


User

Auth’:

X509, Kerb,

SIC, U/PWD

…

Create Token from Card


User

Sign, Encrypt & Send Token


User

The Identity Metasystem

Identity layer for the Internet

Open, inclusive, standards-based model

Built upon “The Laws of Identity”

"InfoCard" is a client agent within the IDMS

Building A Relying Party

Integrating with “InfoCard”

Four key tasks:

1. Update the database

2. Create an association page

3. Update the sign in page

4. Update the registration page

1. Associate a user with a card

CREATE PROCEDURE aspnet_infocard_associate (@UserId nvarchar(256), @card nvarchar(50) ) AS ...

CREATE PROCEDURE aspnet_infocard_lookup (@card nvarchar(50) ) AS ...

2a. Create an association page

<button onclick="javascript:return infocardlogin.submit();">

Update account with your Information Card</button>

<form name="infocardlogin" target="_self" method="post"><object type="application/x-informationcard" name="xmlToken"><param name="tokenType"

value="urn:oasis:names:tc:SAML:1.0:assertion"><param name="issuer“

value="http://schemas..../identity/issuer/self"><param name="requiredClaims"

value="http://.../claims/givenname,http://.../claims/surname,http://../claims/emailaddress,http://.../claims/privatepersonalidentifier">

</object></form>



2b. Create an association page

public partial class Associate_aspx : System.Web.UI.Page{

protected void Page_Load(object sender, EventArgs e){

// check if an xmlToken is postedstring xmlToken = Request["xmlToken"];if (xmlToken != null) {

TokenHelper tokenHelper = new TokenHelper(xmlToken);// get the unique idstring uniqueID = tokenHelper.getUniqueID();if (uniqueID != null && uniqueID != ""){

//store it with the account.MembershipUser user = Membership.GetUser();MembershipHelper.AssociateUser(

user.UserName, uniqueID );}

}}

}

3a. Update the sign in page


Sign in with your Information Card</button>





</object></form>



3b. Update the sign in page

public partial class Login_aspx : System.Web.UI.Page{protected void Page_Load(object sender, EventArgs e){

string xmlToken = Request["xmlToken"];

TokenHelper tokenHelper = new TokenHelper(xmlToken);

// Lookup the account using the uniqueIdstring username = MembershipHelper.GetUser(

tokenHelper.getUniqueID());if (username != null) {MembershipUser user = Membership.GetUser(username);

// give the cookie back to the browser.FormsAuthentication.SetLoginCookie(user.UserName, false);

}}

}

4a. Update the registration page


Register with your Information Card</button>





</object></form>



4b. Update the registration page

// ...

string xmlToken = Request["xmlToken"];TokenHelper tokenHelper = new TokenHelper(xmlToken);

string uniqueId = tokenHelper.getUniqueID();string emailAddress = tokenHelper.GetClaim(

“http://schemas.../emailaddress”);string username = tokenHelper.GetClaim(

“http://schemas.../givenname”);

if (username != null) {MembershipUser user = CreateUser( name , emailAddress ,... );MembershipHelper.AssociateUser( user.UserName, uniqueID );

}

// ...

Summary

WinFX: .NET to the core

Getting WinFX & "InfoCard"

Built in to Windows Vista

Also available for Windows XP & Windows Server 2003

CTPs available today

Beta 2 coming

RTM 2nd half 2006

Q2 Q3 Q1

2006

Q2Q4Q1

2005

Q3 Q4

B1 CTPV1

RTM

"InfoCard" Summary

Labs available in the MIX Sandbox!

Consistent authentication for digital identities

Reduces chances of being phished

Adopting takes little developer effort

© 2006 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Documents

From "Username and Password" to InfoCard