Monday, August 11, 2008

New York Times on Passwords and Alternatives

There is a new article by Randall Stross in the New York Times titled "Goodbye, Passwords. You Aren’t a Good Defense".

I am thankful for this article and I think that we need more of them. It is targeted at a readership that is no expert in security and privacy, and never will be. It informs its readers that there are problems with passwords and that OpenID isn't (yet?) the solution either. I think that with Information Cards we are moving in the right direction. True, we are not there yet, but major players, by forming the Information Card Foundation, have decided to jointly work on an accepted and interoperable solution.

Microsoft is doing the right thing by putting its implementation of the card selector, CardSpace, into Windows Vista; by improving it again and again; by taking this major component of Internet security out of the long Windows and .NET update cycles; and by supporting alternative implementations of the identity selector and the other components of the Identity Metasystem.

One thing that I am missing from the article is the notion of "claims". Information Cards are "information cards", not "login cards", and above all they are not "ID cards". They may be used for authentication and even identification, but I believe the major thing to note about Information Cards is that, by means of a trusted client component (the card/identity selector), they enable the secure and privacy-friendly exchange of data about the user.

Information Cards will be available on major operating systems and browsers. Many people are working on this and we will be successful.

1 comment:

Bluebee said...

There are other things missing in this article:
Information Cards will only be secure if there are real separate cards in use: every security measure running directly on a PC only is vulnerable, and virtual Information Cards (which are only data stored on your computer) are an invitation to phishers! They only have to upload this Information Card data from your computer, and phishers get everything they would like to have!

Why? There is an incurable flaw:
Everything running directly on a PC (especially with MS software) can be faked or spied on.

The only thing which helps is an external ID (card or USB dongle) with an embedded microprocessor which handles all the communication with embedded cryptography and refuses to be spied on.

Especially a readership that is no expert in security and privacy has to know this!