From "Username and Password" to InfoCard - Presentation Transcript
From Username & Password to "InfoCard"
Richard Turner, "InfoCard" Product Manager, Microsoft Corporation
Garrett Serack, Program Manager, Microsoft Corporation
Agenda
Internet Identity Crisis
"InfoCard" Overview
Implementation
The Identity Metasystem
Getting "InfoCard"
The Imperative to Connect: Suppliers & Partners, Businesses, Employees, Friends & Family, Consumers
(Chart: monthly figures from Dec 04 to Dec 05. Source: http://www.antiphishing.org)
Password Fatigue
"InfoCard"
Consistent user experience
Helps eliminate usernames and passwords
Helps protect users from many forms of phishing & phraud attacks
Support for two-factor authentication
Easier, safer, built on WS-* Web Services protocols
"InfoCard" cards
Self-issued cards:
  Stored locally
  Assertions about me
  Not corroborated
Managed cards:
  Provided by banks, government, clubs, etc.
  Stored at STS
  Metadata only
(Slide shows sample cards: Richard's Card, Woodgrove Bank)
Private Desktop
Runs under separate desktop and restricted account
Isolates "InfoCard" from Windows desktop
Deters hacking attempts by user-mode processes
Contoso Car Rental
Participants: Relying Party (website), User, Identity Provider
Login with Self Issued Card (Relying Party, User):
  1. Login: the user opens the relying party's login page, which carries the "InfoCard" object tag
  2. Select Self Issued Card
  3. Create Token from Card
  4. Sign, Encrypt & Send Token to the Relying Party
Login with Managed Card (Relying Party, User, Identity Provider):
  1. Login: the user opens the relying party's login page, which carries the "InfoCard" object tag
  2. Select Managed Card
  3. Request Security Token from the Identity Provider (Auth': X509, Kerb, SIC, U/PWD …)
  4. Create Token from Card (at the Identity Provider)
  5. Sign, Encrypt & Send Token to the Relying Party
The Identity Metasystem
Identity layer for the Internet
Open, inclusive, standards-based model
Built upon "The Laws of Identity"
"InfoCard" is a client agent within the IDMS
Building A Relying Party
Integrating with “InfoCard”
Four key tasks:
Update the database
Create an association page
Update the sign in page
Update the registration page
1. Associate a user with a card
    CREATE PROCEDURE aspnet_infocard_associate (@UserId nvarchar(256), @card nvarchar(50)) AS ...
    CREATE PROCEDURE aspnet_infocard_lookup (@card nvarchar(50)) AS ...
2a. Create an association page
    <!-- ... -->
    <button onclick="javascript:return infocardlogin.submit();">Update account with your Information Card</button>
    <form name="infocardlogin" target="_self" method="post">
      <object type="application/x-informationcard" name="xmlToken">
        <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion">
        <param name="issuer" value="http://schemas..../identity/issuer/self">
        <param name="requiredClaims" value="http://.../claims/givenname, http://.../claims/surname, http://.../claims/emailaddress, http://.../claims/privatepersonalidentifier">
      </object>
    </form>
    <!-- ... -->
2b. Create an association page
    public partial class Associate_aspx : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // check if an xmlToken is posted
            string xmlToken = Request["xmlToken"];
            if (xmlToken != null)
            {
                TokenHelper tokenHelper = new TokenHelper(xmlToken);
                // get the unique id
                string uniqueID = tokenHelper.getUniqueID();
                if (uniqueID != null && uniqueID != "")
                {
                    // store it with the account.
                    MembershipUser user = Membership.GetUser();
                    MembershipHelper.AssociateUser(user.UserName, uniqueID);
                }
            }
        }
    }
3a. Update the sign in page
    <!-- ... -->
    <button onclick="javascript:return infocardlogin.submit();">Sign in with your Information Card</button>
    <form name="infocardlogin" target="_self" method="post">
      <object type="application/x-informationcard" name="xmlToken">
        <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion">
        <param name="issuer" value="http://schemas..../identity/issuer/self">
        <param name="requiredClaims" value="http://.../claims/givenname, http://.../claims/surname, http://.../claims/emailaddress, http://.../claims/privatepersonalidentifier">
      </object>
    </form>
    <!-- ... -->
3b. Update the sign in page
    public partial class Login_aspx : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // only act when the browser has posted an xmlToken
            string xmlToken = Request["xmlToken"];
            if (xmlToken == null) return;
            TokenHelper tokenHelper = new TokenHelper(xmlToken);
            // Lookup the account using the uniqueId
            string username = MembershipHelper.GetUser(tokenHelper.getUniqueID());
            if (username != null)
            {
                MembershipUser user = Membership.GetUser(username);
                // give the forms-authentication cookie back to the browser.
                FormsAuthentication.SetAuthCookie(user.UserName, false);
            }
        }
    }
4a. Update the registration page
    <!-- ... -->
    <button onclick="javascript:return infocardlogin.submit();">Register with your Information Card</button>
    <form name="infocardlogin" target="_self" method="post">
      <object type="application/x-informationcard" name="xmlToken">
        <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion">
        <param name="issuer" value="http://schemas..../identity/issuer/self">
        <param name="requiredClaims" value="http://.../claims/givenname, http://.../claims/surname, http://.../claims/emailaddress, http://.../claims/privatepersonalidentifier">
      </object>
    </form>
    <!-- ... -->
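The token posted at the "Sign, Encrypt & Send Token" step of both login flows above is what TokenHelper unpacks in steps 2b and 3b. The following Python is an added example (not the session's TokenHelper or any Microsoft code) of the checks a relying party must make on that SAML 1.0 token before trusting its claims: validity window, audience, presence of the requested claims, and a per-issuer unique id. It assumes the token has already been decrypted with the relying party's private key and its XML signature verified; the claim namespace URI is the 2005/05 identity namespace the slides abbreviate, and the sample assertion, audience and PPID values are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"  # the tokenType the object tag requests
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"  # claim namespace the slides abbreviate
REQUIRED = ("givenname", "surname", "emailaddress", "privatepersonalidentifier")  # requiredClaims

def _utc(stamp):  # SAML timestamps end in "Z"; make them timezone-aware for comparison
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def extract_claims(assertion_xml, expected_audience, now):
    """Check a decrypted, signature-verified SAML 1.0 assertion; return (issuer, claims, unique_id)."""
    ns = {"saml": SAML}
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML:
        raise ValueError("not a SAML 1.0 assertion")
    cond = root.find("saml:Conditions", ns)
    if cond is None or not _utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter")):
        raise ValueError("assertion has no Conditions or is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", ns)]
    if expected_audience not in audiences:
        raise ValueError("assertion was not issued for this relying party")
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", ns):
        if attr.get("AttributeNamespace") == CLAIMS:  # ignore attributes from other namespaces
            claims[attr.get("AttributeName")] = attr.findtext("saml:AttributeValue", namespaces=ns)
    missing = [c for c in REQUIRED if not claims.get(c)]
    if missing:
        raise ValueError("missing required claims: " + ", ".join(missing))
    issuer = root.get("Issuer")
    # Assumed scheme (not the session's TokenHelper): key the account on issuer + PPID so that
    # two different issuers cannot collide on the same PPID value.
    unique_id = hashlib.sha256(("%s|%s" % (issuer, claims["privatepersonalidentifier"])).encode()).hexdigest()
    return issuer, claims, unique_id

# Constructed sample assertion from a self-issued card (already decrypted; signature element omitted).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="0" AssertionID="uuid-constructed"
  Issuer="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" IssueInstant="2006-03-20T10:00:00Z">
  <saml:Conditions NotBefore="2006-03-20T10:00:00Z" NotOnOrAfter="2006-03-20T10:05:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>https://rp.example/</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS}"><saml:AttributeValue>Richard</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="surname" AttributeNamespace="{CLAIMS}"><saml:AttributeValue>Turner</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS}"><saml:AttributeValue>richard@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="{CLAIMS}"><saml:AttributeValue>PPID-constructed-1</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

For a self-issued card the PPID is already specific to the relying party, so the issuer-plus-PPID key mainly matters when managed cards from different identity providers are associated with accounts on the same site.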
Also available for Windows XP & Windows Server 2003
CTPs available today
Beta 2 coming
RTM 2nd half 2006
(Timeline graphic: 2005 Q1 to Q4 and 2006 Q1 to Q4, with milestones B1, CTP and V1 RTM)
"InfoCard" Summary
Labs available in the MIX Sandbox!
Consistent authentication for digital identities
Reduces chances of being phished
Adopting takes little developer effort
InfoCard can bring a new level of security to authenticating users to your site. In this session, take a deep developer look at how this can be achieved. A traditional forms-based authentication implementation is converted to use InfoCard, along with explanations of the Web services, protocols, and security considerations that one needs to understand.