All Top Banking

And the Password Is...(Information Card)

Posted by John B. Frank Monday, August 11, 2008

Information Cards (protected by a PIN) look to be a logical replacement to passwords.  Microsoft, Google and Oracle are among the founding members.  So what exactly is an information card?  Here's a brief overview from the Information Card Foundation: (ICF)

Information Cards are the digital, online equivalents of your physical identification credentials such as a drivers license, passport, credit card, club card, business card or a social greeting card. Users control the distribution of their personal information through each Information Card. Information Cards are stored in a user’s own online wallet (called a “selector”) and “handed out” with a mouse click just like a physical ID card.

Information Cards can be issued to users by organizations for general or specific use. Users can also create their own Information Cards as a shortcut to avoid the endless process of filling out web forms. But more importantly, the infastructure behind the cards allows for trusted sources (a bank, a credit union, a government office, etc.) to verify specific information (“claims”) made by a user. In other words, Information Cards give users the ability to make claims about themselves, verified by qualified 3rd parties, while using the Internet.

Here's an excerpt from an article from yesterday's NY Times "Goodbye Passwords You Aren't a Good Defense" talking more about Information Cards:

Password-based log-ons are susceptible to being compromised in any number of ways. Consider a single threat, that posed by phishers who trick us into clicking to a site designed to mimic a legitimate one in order to harvest our log-on information. Once we’ve been suckered at one site and our password purloined, it can be tried at other sites.

The solution urged by the experts is to abandon passwords — and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties’ authenticity, using digital keys that we, as users, have no need to see.  In short, we need a log-on system that relies on cryptography, not mnemonics.

As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code. The necessary software for creating information cards is on only about 20 percent of PCs, though that’s up from 10 percent a year ago. Windows Vista machines are equipped by default, but Windows XP, Mac and Linux machines require downloads.  And that’s only half the battle: Web site hosts must also be persuaded to adopt information-card technology for sign-ons.

It is the author of the NY Times article that we won’t make much progress on information cards in the near future because of what he calls "wasted energy and attention devoted to a large distraction, the OpenID initiative". OpenID promotes “Single Sign-On”: with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials.

Support for OpenID is conspicuously limited, however. Each of the big powers supposedly backing OpenID is glad to create an OpenID identity for visitors, which can be used at its site, but it isn’t willing to rely upon the OpenID credentials issued by others. You can’t use Microsoft-issued OpenID at Yahoo, nor Yahoo’s at Microsoft.

Why not? Because the companies see the many ways that the password-based log-on process, handled elsewhere, could be compromised. They do not want to take on the liability for mischief originating at someone else’s site.

Kim Cameron, Microsoft’s chief architect of identity, is an enthusiastic advocate of information cards, which are not only vastly more secure than a password-based security system, but are also customizable, permitting users to limit what information is released to particular sites. “I don’t like Single Sign-On,” Mr. Cameron said. “I don’t believe in Single Sign-On.”

Microsoft and Google are among the six founding companies of the Information Card Foundation, formed to promote adoption of the card technology. The presence of PayPal, which is owned by eBay, in the group is the most significant: PayPal, with its direct access to our checking accounts, will naturally be inclined to be conservative. If it becomes convinced that these cards are more secure than passwords, we should listen.

BUT perhaps information cards in certain situations are convenient to a fault, permitting anyone who happens by a PC that is momentarily unattended in an office setting to click quickly through a sign-on at a Web site holding sensitive information. This need not pose a problem, however.

“Users on shared systems can easily set up a simple PIN code to protect any card from use by other users,” Mr. Cameron said.  The PIN doesn’t return us to the Web password mess: it never leaves our machine and can’t be seen by phishers.

Logging on to a site should entail a cryptographic conversation between machines, saving us from inadvertently giving away the keys.

0 comments

Post a Comment

Powered by Blogger.

Blog Archive

Search This Blog

Our Manufacturing Facility

Learn More About Us

Find out how our patented technology can empower your financial institution.

Our secure two-factor online banking authentication eliminates dangerous passwords and usernames and replicates the same trusted process used to access cash at ATM's. (Insert Bank Issued Card, Enter Bank Issued PIN)

There is an R.O.I. as FI's also earn recurring revenue from each transaction conducted using our PCI 2.0 Certified PIN Entry Device. Our technology also provides a unique real-time P2P "Instant-Transfer" which allows your online banking customer to transfer cash from ANY of their bankcards to ANY other bankcard...with the Swipe of a card.

Help your bank eliminate phishing and your customers avoid identity theft by providing them with the ability to stop typing and start swiping. There is no safer way to conduct financial transactions online than by 3DES DUKPT encrypting the cardholder details, which we do at the mag-head "inside the box/outside the browser."

Total Pageviews

SLIM for PC or SmartPhone

SLIM for PC or SmartPhone
Click to Inquire

Chip and PIN eCommerce and Mobile

Chip and PIN eCommerce and Mobile
Click to Inquire

Kapersky Calls for Mass Adoption of Card Readers

Kapersky Calls for Mass Adoption of Card Readers

Translate This Blog

BobCaps

Search ePayment News (example: NFC)

About Me

My photo
Named one of the best Payment Industry News Blogs 4 Years Running

Feedjit

My Zimbio