
Microsoft calls for online identity overhaul

by Tom Sanders at Digital ID World in San Francisco

11 May 2005

The IT industry needs to adopt an identity meta system to overcome existing issues with online identities, Kim Cameron, Microsoft's architect of identity, told delegates at the Digital ID World conference in San Francisco.

In designing such a meta system, Microsoft will unveil an identity service to replace the failed Passport system in a keynote at the conference on 12 May.

The meta system is required because the industry, including Microsoft itself, has failed to create a secure and fail-safe solution for online authentication.

Authentication suffers from an abundance of standards which are not aligned and confuse users. This has created an opportunity for hackers and computer criminals to launch phishing attacks and commit identity theft.

"The ad hoc nature of the internet identity patchwork cannot withstand the ongoing assault of professional attackers," said Cameron.

"What we have done is teach the world to indiscriminately put their credentials and personal identifying information into almost any form that appears on the screen. And then we make fun of them for being subject to phishing [attacks]."

Existing standards like Secure Sockets Layer encrypted pages, the Kerberos authentication protocol or the Liberty Alliance for digital identities are all part of this patchwork.

But the problem, according to Cameron, is that there is no agreement between these standards on the nature of a digital identity, and which scientific laws play a part in digital identity.

"When we do start talking about identity, we always have to go back to this tabula rasa," he said. "I've had people come in with all these proposals about what we need to do with identity, and every time it's back to square one again."

Although the problem may seem daunting, it has been solved before. Cameron pointed to device drivers that have created an abstraction layer between software and the display, so that software developers were not required to know on what display their software would be deployed.

Similarly, the rise of TCP/IP allowed programmers to stop worrying about whether they were developing software for a computer that used Ethernet, Token Ring or some other networking standard.

During an online discussion, Cameron came up with seven laws that dictate whether an online identity technology will succeed or fail.

The laws include users having the right of veto over what technologies they do and do not use, as well as the requirement that a party governing an identity is "justifiable".

The latter caused Microsoft's Passport service to fail as a general online authentication service, but made it successful as a log-in service for Hotmail and MSN Messenger, according to Cameron.

"[Users] want to have a relationship with Microsoft within a context that makes sense to them," he explained. "[Passport] is fine within their relationship with Microsoft, but it's not fine in their relationship with Amazon or eBay."

Cameron also claimed that the Bluetooth wireless technology is wrongly designed because it constantly transmits a signal, turning the owner of a Bluetooth device into a beacon. Radio Frequency ID suffers from the same problems.

An RFID tag in a passport, for instance, could be used by terrorists to identify an American citizen.

"RFID is fine for a can of beans, but it's not suitable to be impregnated into our children," he said. "We have designed all this technology in a very naive way."

Cameron promised to publish an overview of his seven laws on his Identity Weblog, although the list had not been posted at the time of going to press.

John Shewchuk, chief technology officer for distributed systems at Microsoft, will unveil the company's plans for the next generation of digital identity in a keynote presentation on 12 May.

Part of the proposal is a structure where individuals can use multiple identity sets, each containing different information and having different privacy risks and characteristics. It will be up to the user to decide which set he chooses to hand out.

Microsoft declined to provide any additional details about its plans prior to Thursday's keynote.
