Feeds

Private identities become a corporate focus

'It's going to get scarier'

SANS - Survey on application security programs

During the keynote kicking off the conference, Microsoft chief software architect Bill Gates told attendees that the company's next operating system will support just such a system. Dubbed InfoCard, the application will be part of Internet Explorer 7 and initially act as a password vault. However, as a companies start signing agreements of trust and build federated identity systems, InfoCard could hold credentials that prove only certain attributes, Gates said.

"You don't always want to present all your information," Gates said. "You will have different cards: Cards that just give your location, cards that are more secure that give your credit card (information), cards that you would protect very carefully and you would have a PIN for every use of it where you might authorise access of your medical information."

A Microsoft spokesperson stressed that the technology supports a system of credentials, but does not require it. Companies could continue to require customers to fully identify themselves, but the idea that less can be more has taken root, Gates said.

"Thinking of those different cards really has gotten people understanding that there are different types of authentication, and even in those authentication steps some cases have a level of indirection so you can have privacy even as you are doing those authorisation steps," he said.

The idea of a system of credentials that prove only what is really necessary is not a new one. Digital cash pioneers David Chaum and Stefan Brands both researched the topic in the 1990s. Brands created much of the framework for such technologies and has patented some of the models of credentials.

Consumers benefit from such systems because they give out less information and have to worry less about their privacy. Businesses can gain by having less information stored on their servers. Moreover, putting fewer barriers in the way of the customer will mean more business, vice president of online financial giant E*TRADE Bank Rob Shenk said during a panel on consumer authentication for the financial industry.

"Putting something in place that interdicts the legitimate flow is lethal, lethal," Shenk said.

Technology companies may be pushing for a change in how websites authenticate people, but it remains to be seen whether merchants will actually willingly settle for less information about their customers.

In any event, businesses and customers need to move beyond simple passwords linked to records of personal information, Microsoft's Gates said.

"Today we're using password systems and password systems simply won't cut it," Gates said. "They are very quickly becoming the weak link."

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.