Rants, raves, and musings about Identity from the Old Man in the Corner, Dave Kearns.

Saturday, May 14, 2005


InfoCard Info

Johannes Ernst (a.k.a. Mr. LID) rolled out an explanation of Microsoft's new "InfoCard" in answer to his own question, "What is Microsoft InfoCard?"

The explanation is a good, if somewhat convoluted, one. But it could be simplified.

InfoCard is simply Novell's old DigitalME decentralized (as Novell's personal directory intended it to be) and hopped up on Web Services SOA.

In many ways, it could also be described as Passport without the Big Brother implications of "Hailstorm", hopped up on SOA.

The important thing to remember, I think, is that there's nothing new here except the joining together of the personal directory with the panoply of specs and protocols that make up Service Oriented Architectures. That's no small accomplishment, of course, especially for a company as vilified for its security and privacy policies as Microsoft is.

Friday, May 13, 2005


I'll show you mine if you'll show me yours

Sun and Microsoft announced today new specifications for creating interoperable Web Single SignOn between sites supporting the Liberty Alliance's ID-FF architecture and those supporting the Microsoft, IBM, Verisign, etc. WS-Federation spec.

The really big thing, though, was that they trotted out Steve Ballmer and Scott McNealy for a special press conference to do this. They could have shipped a press release on Monday, and had their IdM people talk about it at Digital ID World (they were all there) and it would have still been a very important, well received announcement. But getting the two CEOs to do the dog & pony show raises the visibility to a whole new level, as we could tell from some of the inane questions (along the lines of "what is Identity Management?"; expect sidebars in Sunday's paper) from some of the general press.

Thursday, May 12, 2005


Multi-factor authentication

I moderated a panel at Digital ID World yesterday about strong, token-based authentication. It was billed as a "great debate" between RSA (with its proprietary one-time password (OTP) algorithm) versus the work of the Initiative for Open Authentication (OATH). Much verbiage was spent on which would best drive users' (i.e., Joe Sixpack's) use of hardware tokens for strong authentication.

But no sooner was I back from the show than into my inbox pops a press release from VASCO, announcing the launch of Digipass for Java phones. Suddenly every Java-enabled cell phone can be the equivalent of RSA's SecurID product. It's a neat play, and doesn't require you to find a way to carry any additional hardware.

The Digipass solution uses a Java app on the phone to generate the OTP. But couldn't we get even stronger authentication (2.5 to 3 factors) by having the server call the phone and seed the OTP generator each time a new OTP was required? Or would that, somehow, be weaker? I'll need to think on that a bit.
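
The two modes contrasted above, sketched in Python as an added example that is not from the original post or from VASCO. OATH's counter-based HOTP (RFC 4226) stands in for the proprietary Digipass algorithm, and the server-seeded variant (`challenge_otp`, `Server`) is a hypothetical construction for illustration, not a standard.

```python
import hashlib
import hmac
import secrets
import struct

def _truncate(mac: bytes, digits: int = 6) -> str:
    # RFC 4226 dynamic truncation: low nibble of the last byte picks a 31-bit window.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hotp(secret: bytes, counter: int) -> str:
    # Phone-generated OTP: the moving factor is a counter both sides track.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac)

def challenge_otp(secret: bytes, challenge: bytes) -> str:
    # Server-seeded OTP (hypothetical): the moving factor is a fresh server nonce.
    return _truncate(hmac.new(secret, challenge, hashlib.sha1).digest())

class Server:
    """Hypothetical verifier holding the same shared secret as the phone app."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0      # next counter value the server will accept
        self.pending = None   # outstanding challenge, valid for one attempt

    def verify_counter(self, otp: str, window: int = 3) -> bool:
        # Look-ahead window tolerates codes generated on the phone but never submitted.
        for c in range(self.counter, self.counter + window):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1   # anything at or below c is now a replay
                return True
        return False

    def issue_challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify_challenge(self, otp: str) -> bool:
        challenge, self.pending = self.pending, None   # single use
        if challenge is None:
            return False
        return hmac.compare_digest(challenge_otp(self.secret, challenge), otp)
```

In this sketch both modes rest on the same shared secret held by the phone and the server; what changes is which side supplies the moving factor and what state the server must track to reject a replayed code.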

© 2003-2006 The Virtual Quill, All Rights Reserved
