Preserving the billions of dollars invested in e-tailing, internet banking, e-government and online service delivery depends on keeping phishing attacks, identity theft and online fraud firmly under control.
This, in turn, depends on finding better ways of establishing that people in cyberspace are who they say they are, or more accurately, that they have the credentials they claim to have.
Creating a fix that strikes the right balance between security, practicality and convenience is a monumental task.
Australian banks and governments are among those that have tried and failed to find the balance.
All of this is compounded by the many authentication schemes that must be navigated by the average user.
In recent times, the intellectual debate moved to concepts involving federated identity management and technologies that could make many hundreds of industry-specific projects connect to one another, thus producing a more consistent experience.
At the same time, the principle of maintaining personal control and providing only enough information to substantiate an online claim (such as frequent flyer membership, available credit, age or health insurance cover) has become a widely accepted goal.
No one, after all, wants to broadcast more personal details than necessary, especially where claims can be verified while preserving anonymity.
A few weeks ago, in a visit to Microsoft's research labs, one of the senior technical people spent a morning showing me where his company wants to take online authentication.
Microsoft's vision is based on a product called Infocard and a set of communication protocols and design specifications collectively called Microsoft's identity metasystem architecture.
Infocard is impressive. It is designed dto deliver a consistent experience for users by basing it on the various cards we carry around with us.
Just as we use a library card, driver's licence or credit card to verify a claim in the offline world, so Infocard allows the user to select an internet card to verify a claim made online.
Cards contain only the information appropriate to the context, they may be self-created or issued by others, and they look like their offline counterparts.
I see many new interfaces that make the mistake of introducing more complexities for the user, but this one is genuinely intuitive: it turns complex behind-the-scenes authentication into something anyone can understand.
The rest of the story is strong too.
Microsoft learned the hard way with its Passport initiative that people don't trust technology companies to act as identity brokers on their behalf. Today's architecture makes full use of the newly ratified web services security protocols, such as WS-Trust, WS-Security and WS-SecurityPolicy, to maximise connectivity and make it possible for banks, credit card companies, airlines, government departments and others to act in their natural roles as intermediaries to substantiate relevant claims.
Exploiting web services protocols, which work across different operating systems and browsers, makes it easier for others to develop alternatives to Infocard, an outcome that the Microsoft people I spoke to consider essential.
To underline this, they tell me that the architecture and Infocard specifications will be released publicly, and that Microsoft has been collaborating closely with Mozilla, the group behind the Firefox browser, including joint briefings with Amazon, eBay and other e-tailers.
The last two paragraphs are, incidentally, another reason why web services are in my top-five information technologies for the decade. Microsoft is not the first organisation to embrace the principles of federated identity management and produce technologies to deliver them.
The Shibboleth project, for example, is an important initiative created by the Internet2 consortium, which has been running for more than five years. Visit www.shibboleth.internet2.edu.
Microsoft has played a leading role in the debate and is well positioned to deliver these technologies to a wide audience. It has done an exceptional job of packaging those principles for the average user.
In 2006, a lot of Australian technologists will be talking about Infocard and the architecture behind it because, whatever we use to authenticate online claims five years from now, you can bet it will look a lot like this.
Autor: Bruce McCabe
Quelle: Australian IT, 21.02.2006
