Papers, Please!

Category : Microsoft, WinFX
Date : May 4, 2006

IDOpportunities abound for improving our experience on the web today.  Nowhere is this more obvious than in the area of how we identify ourselves.  We’re improving on that dramatically but we need your help to ensure that consumers on the web get the full benefit.

Usernames Suck

We’ve grown so used to identifying ourselves on the Internet that we often don’t give it a second thought.  And yet, from a security standpoint the typical method of doing that, the ubiquitous username and password, is just not that good.  Criminals and ne’er-do-wells of all kinds have figured out that they can make a lot of money or cause a lot of havoc by scamming folks into handing over their identities.  The reality is that usernames and passwords benefit the sites we’re logging into but are not really doing much to help us, the consumers.  We need a way for sites to clearly and securely identify themselves to us when we visit.  How do you know that you’re really at your bank’s site if anybody can set up a site that looks exactly like it in minutes?

Passwords Suck

On the Internet we are asked to identify ourselves seemingly at every turn.  It’s only natural, I suppose, that as we’ve gone from a web where we were just browsing to one where we are shopping, banking or  part of a community the need to identify ourselves is important.  But as a consumer why do I have to explicitly identify myself at every site I visit.  On my PC, I don’t do that.  For the most part, I only do it once when I log on.  Imagine if I had to identify myself every time I opened Outlook, or Excel or Word.  I’d go nuts.  Or even worse, imagine if, on top of that, for every application where I did have to identify myself I was forced to have a different username and password.  And yet, the reality of the web today is that the vast majority of sites require a username and password and many sites have different policies for what is a valid username and password.  Sorry, I know you can use an underscore over there but we don’t allow that. Hmmm, I know they allow you to use your daughters name but we need you to include upper and lowercase letters.  Oops, yeah, we know you don’t do it over there but we require digits and special characters.  Yes, yes, nice password but our site requires it to be 8 characters long.  What a pain!  Heaven forbid you should forget your password cause then you have to go through another painful experience of getting it reset… and of course picking another password that you’ll also soon forget.  Newspaper sites are among the worst for this.  I can understand how they might want demographic data so they can charge more for the ads on their site but there has got to be a better way. 

Does all this really make us more secure?  It may have for a while but as the burden of security has fallen on the shoulders of the consumer, the consumer has naturally adapted to find ways to avoid this pain.  Where we used to pick passwords that we could easily remember;  we now have spreadsheets with the lists of the sometimes hundreds of passwords we need to remember.  I, personally, have an app that runs on my PC  that helps me track my passwords.  I suspect most folks have scraps of paper all over there desks or sticky notes all around their screens with their usernames and passwords scribbled where they (and anyone who walks by) can get to them quickly.  There are even applications springing up that bypass the annoying compulsory registration pages that don’t give me any benefit.

Hailstorm Sucked

Why do we go have to through this?  I understand the reasons for identification and the importance.  The question is why do we have such a horrid experience for it.  We have solved this type of problem before.  At Microsoft, for instance, when I log into our network, I do it once and that gives me access to a myriad of applications, both internal (e.g. expense reports) and external (e.g. booking travel).  Those who have been paying attention to this space know that we tried to take a similar approach to trying to fix the identity problem on the Internet.  It was a little project named Hailstorm.  For a lot of reasons it was doomed from the start.  A big reason is that we stored all the user data on Microsoft servers in Microsoft data centers.  Most folks liked that we were trying to solve the problem, but owning the data… not so much…

InfoCard Doesn’t Suck

As bad as it was, we learned a lot from that experience.  Like, for instance, what not to do:  Don’t grab users’ personal information, Don’t try to control the identity system, and Don’t try to get in the middle of every identity transaction, etc.  With all that in mind and the painful reality that the problem is getting worse not better, we’ve been designing a new solution to this problem.  That solution, code-named InfoCard, goes a long way toward making presenting and verifying identity on the Internet as easy as the browser has made navigating the web.  That means a lot of good things like:  Giving the user full control over where information is stored and what information is disclosed to who,  Working directly with the many other existing point solutions to increase their reach, and Staying out of the way when users are trying to talk directly to their content or service providers.

The only way InfoCard is going to help solve this problem is if we work with all the other players in this space and keep the user front and center.  So what do you think?  Does managing your own digital identities sound like heaven?  Is using open industry standards a good thing?  Is promoting interoperability between identity providers and the sites that rely on them something you can get behind?