RSA: Microsoft Pushes 'Geneva' In War On Passwords

A year after Microsoft chief research and strategy officer Craig Mundie urged the technology industry to come together to create a more trustworthy Internet, the company's vision of End to End Trust is starting to take shape.

At the RSA Conference this year, Scott Charney, Microsoft's corporate VP of Trustworthy Computing, plans to deliver a progress report on his company's campaign to move beyond the password as a means of authentication.

Microsoft's End to End Trust plan calls for hardware, operating system, data, and people to operate as a trusted stack, one that allows easy authentication, without the weaknesses of passwords or the risk of personal information disclosure.

Passwords are secrets that must be shared. And that's not an ideal situation. "The problem with shared secrets is they really aren't secret," explained Brendon Lynch, director of privacy strategy at Microsoft. "If the cybercriminals can get a hold of those, and they're doing so ... they can go and reuse those credentials."

Microsoft's alternative is a technology called CardSpace, introduced in Windows Vista, which allows identity claims to be mediated by digital tokens, a scheme that fosters privacy, even as it enhances security, because it obviates the need to share personal information.

The technology hasn't been widely adopted, in part because the back end has been missing. That changed in November when Microsoft delivered a beta version of Geneva, formerly known as Zermatt.

Microsoft calls Geneva "a claims-based access platform." It is, in other words, a framework for granting people access to information. It provides tools for granting access in conjunction with privacy protections and policy rules.

Geneva encompasses authentication services, federation services, and access policy control.

"It is a platform that simplifies access [to applications] and provides security-enhanced access," said Doug Leland, general manager of Microsoft's identity and security division. "In today's world where increasingly there's a desire for organizations to collaborate and transact with other business partners ... there is a necessity to do that in a secure fashion."

Geneva includes a framework for building .Net applications that weigh digital token "claims" to make access decisions, a server-based digital token service, and Windows CardSpace as a graphic interface that presents access decisions to users.

Perhaps most noteworthy about Microsoft's campaign to replace the password is that it isn't proposing a proprietary authentication system, as it did with HailStorm. Though Windows CardSpace is specific to Windows, the concept of Information Cards is supported by companies like Google, Oracle, Novell, and PayPal.

"The model is open, the specifications are published, and it's interoperable," said Leland. "Geneva is supporting SAML 2.0, put forth by the Liberty group. And we're working actively with industry partners to make sure it's supported on Window and non-Windows platforms."

Lynch asserted that ongoing security issues online make it clear that password protection isn't enough anymore. "Identity theft and phishing attacks are continuing to rise, along with malware and botnets," he said. "There are also more and more uses of the Internet which are sensitive, like health information. Public awareness of risks is higher. Data breaches are continuing to accelerate. The potential for confidence in the Internet to be shaken is increasing."

At the same time, moving past the password isn't easy because old habits die hard. "Part of the challenge of moving on from passwords is that people really understand passwords," said Leland. "When you're talking about over a billion PC or Windows users across the planet, you have a pretty large installed base that's pretty attuned to a model of authentication."

There is a downside, however. "There's a downside only to the mass marketing infrastructure out there that's benefiting from the model we have today, which is that people are sharing too much information and other people are benefiting from that information," explained Leland.

The system that Microsoft aims to implement is different. Access claims are arbitrated by digital tokens, which mean that users won't necessarily need to supply Web sites with personal information to conduct transactions. "It puts the ownership of identity in the right place and makes you decide who you share it with," said Leland, "which actually opens up a whole new set of interesting business models."

"I should be able to sell the ability to market to me," Leland elaborated. "Not somebody else."

Leland acknowledged that Microsoft doesn't have any such personal information market planned, so it remains to be seen whether users really want to act as their own information brokers and whether Web sites really want to operate without demanding too much information from users.

But "a new model for monetizing information about people," as Leland described it, sounds promising.

InformationWeek Analytics has published an independent analysis on the current state of security. Download the report here (registration required).