From "Username and Password" to InfoCard

Richard Turner, "InfoCard" Product Manager, Microsoft Corporation
Garrett Serack, Program Manager, Microsoft Corporation


DESCRIPTION

InfoCard can bring a new level of security to authenticating users to your site. In this session, take a deep developer look at how this can be achieved. A traditional forms-based authentication implementation is converted to use InfoCard, along with explanations of the Web services, protocols, and security considerations that one needs to understand.


Page 1: From "Username and Password" to InfoCard

From Username & Password to "InfoCard"

Richard Turner, "InfoCard" Product Manager, Microsoft Corporation

Garrett Serack, Program Manager, Microsoft Corporation

Page 2

Agenda

Internet Identity Crisis
"InfoCard" Overview
Implementation
The Identity Metasystem
Getting "InfoCard"

Page 3

[Figure: Suppliers & Partners, Businesses, Employees, Friends & Family, Consumers]

Page 4

Who Are You?

Page 5

The Internet Identity Crisis

Phishing & Phraud
Password fatigue
Inconsistent, proprietary identification mechanisms
Lack of Identity Online

Page 6

Phishing & Phraud

[Chart: New Phishing Sites by Month, December 2004 – December 2005; monthly counts range from 1,707 to 7,197. Source: http://www.antiphishing.org]

Page 7

Password Fatigue

Page 8

"InfoCard"

Consistent user experience
Helps eliminate usernames and passwords
Helps protect users from many forms of phishing & phraud attack
Support for two-factor authentication

Easier, Safer

Built on WS-* Web Services Protocols

Page 9

"InfoCard" cards

Self-issued card (e.g. "Richard's Card"):
  Stored locally
  Assertions about me
  Not corroborated

Managed card (e.g. "Woodgrove Bank"):
  Provided by banks, government, clubs, etc
  Stored at STS
  Metadata only

Page 10

Private Desktop

Runs under separate desktop and restricted account
Isolates "InfoCard" from Windows desktop
Deters hacking attempts by user-mode processes

Page 11

Contoso Car Rental

Page 12

Participants

User
Relying Party (website)
Identity Provider

Page 13

Login with Self Issued Card

Participants: User, Relying Party (website)
The user clicks Login on a Relying Party page that carries the InfoCard Object Tag

Page 14

Select Self Issued Card

Participants: User, Relying Party (website)
The identity selector opens and the user picks a self-issued card that satisfies the policy in the Object Tag

Page 15

Create Token from Card

Participants: User, Relying Party (website)
The token is built from the card's claims on the user's own machine; no Identity Provider is involved for a self-issued card

Page 16

Sign, Encrypt & Send Token

Participants: User, Relying Party (website)
The token is signed, encrypted to the Relying Party and posted to the site as the xmlToken form field

Page 17

Login with Managed Card

Participants: User, Relying Party (website), Identity Provider
The user clicks Login on a Relying Party page that carries the InfoCard Object Tag

Page 18

Select Managed Card

Participants: User, Relying Party (website), Identity Provider
The user picks a managed card that was issued by the Identity Provider

Page 19

Request Security Token

Participants: User, Relying Party (website), Identity Provider
The identity selector requests a security token from the Identity Provider's STS
Auth: X509, Kerb, SIC, U/PWD… (the user authenticates to the Identity Provider with an X.509 certificate, Kerberos, a self-issued card, or a username and password)

Page 20

Create Token from Card

Participants: User, Relying Party (website), Identity Provider
The Identity Provider creates the token from the card's claims

Page 21

Sign, Encrypt & Send Token

Participants: User, Relying Party (website), Identity Provider
The token, signed by the Identity Provider and encrypted to the Relying Party, is posted to the site

Page 22

The Identity Metasystem

Identity layer for the Internet
Open, inclusive, standards-based model
Built upon "The Laws of Identity"
"InfoCard" is a client agent within the IDMS

Page 23

Building A Relying Party

Page 24

Integrating with "InfoCard"

Four key tasks:
1. Update the database
2. Create an association page
3. Update the sign in page
4. Update the registration page

Page 25

1. Associate a user with a card

    CREATE PROCEDURE aspnet_infocard_associate (@UserId nvarchar(256), @card nvarchar(50)) AS ...

    CREATE PROCEDURE aspnet_infocard_lookup (@card nvarchar(50)) AS ...

Page 26

2a. Create an association page

    <!-- ... -->
    <button onclick="javascript:return infocardlogin.submit();">
      Update account with your Information Card
    </button>

    <form name="infocardlogin" target="_self" method="post">
      <object type="application/x-informationcard" name="xmlToken">
        <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion">
        <param name="issuer" value="http://schemas..../identity/issuer/self">
        <param name="requiredClaims" value="http://.../claims/givenname,
          http://.../claims/surname,
          http://.../claims/emailaddress,
          http://.../claims/privatepersonalidentifier">
      </object>
    </form>
    <!-- ... -->

Page 27

2b. Create an association page

    using System;
    using System.Web.Security;
    using System.Web.UI;

    public partial class Associate_aspx : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // check if an xmlToken is posted
            string xmlToken = Request["xmlToken"];
            if (xmlToken != null)
            {
                // TokenHelper (sample helper, not shown here) is expected to decrypt
                // the posted token and verify its signature before any claim is read
                TokenHelper tokenHelper = new TokenHelper(xmlToken);

                // get the unique id
                string uniqueID = tokenHelper.getUniqueID();
                if (uniqueID != null && uniqueID != "")
                {
                    // store it with the account of the user who is already signed in;
                    // Membership.GetUser() returns null when the request is not authenticated
                    MembershipUser user = Membership.GetUser();
                    if (user != null)
                    {
                        MembershipHelper.AssociateUser(user.UserName, uniqueID);
                    }
                }
            }
        }
    }

Page 28

3a. Update the sign in page

    <!-- ... -->
    <button onclick="javascript:return infocardlogin.submit();">
      Sign in with your Information Card
    </button>

    <form name="infocardlogin" target="_self" method="post">
      <object type="application/x-informationcard" name="xmlToken">
        <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion">
        <param name="issuer" value="http://schemas..../identity/issuer/self">
        <param name="requiredClaims" value="http://.../claims/givenname,
          http://.../claims/surname,
          http://.../claims/emailaddress,
          http://.../claims/privatepersonalidentifier">
      </object>
    </form>
    <!-- ... -->

Page 29

3b. Update the sign in page

    using System;
    using System.Web.Security;
    using System.Web.UI;

    public partial class Login_aspx : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            string xmlToken = Request["xmlToken"];
            if (xmlToken == null)
            {
                return; // nothing was posted from the Object Tag
            }

            // TokenHelper (sample helper, not shown here) is expected to decrypt
            // the posted token and verify its signature before any claim is read
            TokenHelper tokenHelper = new TokenHelper(xmlToken);

            // Lookup the account using the uniqueId
            string username = MembershipHelper.GetUser(tokenHelper.getUniqueID());
            if (username != null)
            {
                MembershipUser user = Membership.GetUser(username);

                // give the forms-authentication cookie back to the browser
                FormsAuthentication.SetAuthCookie(user.UserName, false);
            }
        }
    }

Page 30

4a. Update the registration page

    <!-- ... -->
    <button onclick="javascript:return infocardlogin.submit();">
      Register with your Information Card
    </button>

    <form name="infocardlogin" target="_self" method="post">
      <object type="application/x-informationcard" name="xmlToken">
        <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion">
        <param name="issuer" value="http://schemas..../identity/issuer/self">
        <param name="requiredClaims" value="http://.../claims/givenname,
          http://.../claims/surname,
          http://.../claims/emailaddress,
          http://.../claims/privatepersonalidentifier">
      </object>
    </form>
    <!-- ... -->

Page 31

4b. Update the registration page

    // ...
    string xmlToken = Request["xmlToken"];
    TokenHelper tokenHelper = new TokenHelper(xmlToken);

    string uniqueId = tokenHelper.getUniqueID();
    string emailAddress = tokenHelper.GetClaim("http://schemas.../emailaddress");
    string username = tokenHelper.GetClaim("http://schemas.../givenname");

    // a given name is not unique, so a real site would derive the account name
    // differently; it is the card's unique id that identifies the user
    if (username != null && uniqueId != null && uniqueId != "")
    {
        // CreateUser is a page-local helper; its remaining arguments are elided on the slide
        MembershipUser user = CreateUser(username, emailAddress, ...);
        MembershipHelper.AssociateUser(user.UserName, uniqueId);
    }
    // ...
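The relying-party side of the exchange on pages 13–21 and of the four tasks on pages 24–31, as one added example in Python; this is not code from the deck, from the MIX labs or from Microsoft. It assumes the decrypt-and-verify-signature step that the deck's TokenHelper performs on the raw xmlToken has already run, and models its result as a VerifiedToken carrying the assertion's ID, audience, validity window and claims. The full claim URIs, the site URL, the table layout and the sample tokens are constructed for the example.

```python
import sqlite3
import time
from dataclasses import dataclass

# Assumed full form of the "http://.../claims/..." URIs the slides abbreviate.
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
PPID = CLAIMS_NS + "privatepersonalidentifier"
EMAIL = CLAIMS_NS + "emailaddress"
GIVENNAME = CLAIMS_NS + "givenname"
CLOCK_SKEW = 300  # seconds of tolerance on the assertion's validity window


class TokenRejected(Exception):
    """The posted token must not be used to touch any account."""


@dataclass
class VerifiedToken:
    """Hypothetical result of the decrypt-and-verify step the deck's TokenHelper does."""
    assertion_id: str       # AssertionID, used to refuse replays
    audience: str           # AudienceRestrictionCondition
    not_before: float       # Conditions/@NotBefore as a Unix timestamp
    not_on_or_after: float  # Conditions/@NotOnOrAfter
    claims: dict            # claim URI -> value


class RelyingParty:
    def __init__(self, site_url, now=time.time):
        self.site_url = site_url
        self.now = now
        self.seen_assertions = set()  # replay cache; a real site would persist it
        self.db = sqlite3.connect(":memory:")
        # Task 1: the card-to-user table behind aspnet_infocard_associate / _lookup.
        # UNIQUE on both columns keeps one card per account and one account per card.
        self.db.executescript("""
            CREATE TABLE aspnet_users (UserName TEXT PRIMARY KEY, Email TEXT);
            CREATE TABLE aspnet_infocard (UserName TEXT NOT NULL UNIQUE
                REFERENCES aspnet_users(UserName), Card TEXT NOT NULL UNIQUE);""")

    def card_id(self, tok):
        """Checks to run before the PPID is used as a key into the account store."""
        if tok.audience != self.site_url:
            raise TokenRejected("token was issued for a different relying party")
        now = self.now()
        if now < tok.not_before - CLOCK_SKEW or now >= tok.not_on_or_after + CLOCK_SKEW:
            raise TokenRejected("token is outside its validity window")
        if tok.assertion_id in self.seen_assertions:
            raise TokenRejected("token already used")
        self.seen_assertions.add(tok.assertion_id)
        ppid = tok.claims.get(PPID)
        if not ppid:  # the slide's uniqueID != null && uniqueID != "" check
            raise TokenRejected("no privatepersonalidentifier claim")
        return ppid

    def associate(self, session_user, tok):
        """Task 2: bind a card to the account the user is already signed in to."""
        if session_user is None:
            raise TokenRejected("association requires an authenticated session")
        card = self.card_id(tok)
        try:
            with self.db:
                self.db.execute("INSERT INTO aspnet_infocard VALUES (?, ?)", (session_user, card))
        except sqlite3.IntegrityError:
            raise TokenRejected("card or account is already associated") from None
        return card

    def lookup(self, tok):
        """Task 3: sign-in; returns the account name for the card, or None."""
        row = self.db.execute("SELECT UserName FROM aspnet_infocard WHERE Card = ?",
                              (self.card_id(tok),)).fetchone()
        return row[0] if row else None

    def register(self, tok):
        """Task 4: create an account from the claims and bind the card to it."""
        card = self.card_id(tok)
        username = tok.claims.get(GIVENNAME)  # the deck keys the account on this claim
        if not username:
            raise TokenRejected("no givenname claim to derive an account name from")
        try:
            with self.db:  # both inserts commit together or not at all
                self.db.execute("INSERT INTO aspnet_users VALUES (?, ?)",
                                (username, tok.claims.get(EMAIL)))
                self.db.execute("INSERT INTO aspnet_infocard VALUES (?, ?)", (username, card))
        except sqlite3.IntegrityError:
            raise TokenRejected("account name or card already taken") from None
        return username


def sample_token(site="https://contoso.example", aid="_1", when=None, ppid="PPID-1", name="Richard"):
    """Constructed stand-in for what the identity selector posts; not a real capture."""
    t = time.time() if when is None else when
    claims = {PPID: ppid, GIVENNAME: name, EMAIL: name.lower() + "@contoso.example"}
    return VerifiedToken(aid, site, t - 60, t + 600, claims)


def rejects(fn, *args):
    """True if the relying party refuses the operation."""
    try:
        fn(*args)
        return False
    except TokenRejected:
        return True
```

Calling register with a fresh token creates the account and binds the card; a later lookup with a new token for the same PPID returns that account, while the same token posted twice, a token issued for another site's audience, an expired token, an association attempt without a signed-in session, or a card that is already bound all raise TokenRejected. The deck's Login_aspx does none of these checks itself and relies on whatever its TokenHelper validates, so they are the part a relying party has to get right before the PPID is trusted as an account key.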

Page 32

Summary

Page 33

WinFX: .NET to the core

Page 34

Getting WinFX & "InfoCard"

Built in to Windows Vista
Also available for Windows XP & Windows Server 2003
CTPs available today
Beta 2 coming
RTM 2nd half 2006

[Timeline, Q1 2005 to Q4 2006: B1, CTP, V1, RTM]

Page 35

"InfoCard" Summary

Labs available in the MIX Sandbox!

Consistent authentication for digital identities
Reduces chances of being phished
Adopting takes little developer effort

Page 36

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.