Information Cards for High Assurance Consumer Authentication
Information Cards are an electronic version of the identity and payment cards we carry around in the physical world. Information Cards are described more fully in Microsoft's vision of an Identity Metasystem.
Essentially the Identity Metasystem consists of three main components:
- a Relying Party component that enables a service provider who provides an identity-related service to rely on an identity assertion, or "claim", about someone (the "subject") seeking the service;
- a "security token service" (STS) component that allows an Identity Provider to issue electronic "tokens" containing the identity claims about the subject, and
- a "selector" component on the subject's computer that presents him or her with a set of Information Cards to choose from, in accordance with the policies designated by the Relying Party. The Information Card chosen specifies the identity claim information that the Identity Provider will verify by means of the token.
Microsoft's particular version of the Identity Metasystem, formerly called Geneva, is described here. A good description of "Geneva" can also be found here. However, open source implementations of the Identity Metasystem are also available, most notably Higgins.
Information Cards come in two "flavors": managed cards, and self-issued cards.
- Managed cards are issued by Identity Providers who are trusted by Relying Parties to issue true claims on behalf of the subject.
- Self-issued cards are created by the subject and therefore any identity claim information they provide to Relying Parties cannot be verified by a trusted Identity Provider.
In a nutshell, the identity metasystem works as follows to deliver identity claims to a relying party:
- The subject visits the website of a service provider to request an identity-dependent service. Since the service provider will rely on an identity claim issued by an Identity Provider, the service provider is also known as a relying party.
- The Relying Party sends a message to the subject's identity selector (on the subject's computer) that contains criteria (called a "policy") for the types of claims it will accept about the subject, including information that allows the selector to determine which Identity Providers are trusted by the Relying Party.
- The identity selector determines whether it holds any Information Cards that can satisfy the Relying Party's policy for identity claims. If so, the corresponding Information Cards are highlighted in the subject's browser. The subject selects a highlighted Information Card.
- The selector triggers a request message to be sent to the corresponding Identity Provider to generate a token containing the identity claim.
- The STS generates a token carrying the claims, which is passed through the subject's computer and back to the Relying Party.
- In the case of managed Information Cards, the subject must authenticate to the Identity Provider to provide assurance that the claims carried by the token actually pertain to the subject.

Electronic tokens issued by Identity Providers in response to a request originating with a managed Information Card are digitally signed, so that the Relying Party can verify which entity issued the token. Tokens issued in conjunction with self-issued Information Cards may or may not be signed by the "internal" security token service that is part of the subject's own computer system.
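The six-step flow above, and the Relying Party's checks on the signed token, as an added worked example (this is illustrative code written for this page, not Microsoft's, Higgins' or any selector's actual implementation). The issuer URLs, card contents and keys are constructed; an HMAC key shared between Identity Provider and Relying Party stands in for the digital signature a real STS would apply with its private key, so that the example runs with the Python standard library alone.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Constructed signing keys. A real STS signs with a private key and the RP
# verifies with the matching public key; a shared HMAC key stands in for that.
IDP_KEYS = {
    "https://idp.bank.example": b"bank-idp-signing-key-constructed",
    "https://idp.shady.example": b"untrusted-idp-key-constructed",
}
SELF_ISSUED = "urn:self-issued"   # issuer label for a card the subject created


@dataclass
class InformationCard:
    issuer: str      # STS that issues tokens for this card
    claims: dict     # claim type -> value the issuer can assert
    managed: bool    # True for a managed card, False for self-issued


@dataclass
class Policy:
    required_claims: frozenset   # claim types the RP needs
    trusted_issuers: frozenset   # issuers the RP accepts tokens from
    audience: str                # the RP's own identifier


def select_cards(wallet, policy):
    """Selector step: highlight only cards whose issuer the RP trusts and
    that can supply every required claim."""
    return [c for c in wallet
            if c.issuer in policy.trusted_issuers
            and policy.required_claims <= set(c.claims)]


def sts_issue_token(card, policy, subject_authenticated):
    """STS step: a managed card requires the subject to authenticate to the
    IdP first; the token carries only the claims the RP's policy asked for."""
    if card.managed and not subject_authenticated:
        raise PermissionError("subject must authenticate to the Identity Provider")
    body = {
        "issuer": card.issuer,
        "audience": policy.audience,
        "claims": {k: card.claims[k] for k in sorted(policy.required_claims)},
        "exp": int(time.time()) + 300,
    }
    payload = json.dumps(body, sort_keys=True).encode()
    key = IDP_KEYS.get(card.issuer)
    if key is None:            # self-issued card: no issuer signature
        return {"payload": payload, "sig": None}
    return {"payload": payload,
            "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def rp_verify_token(token, policy, now=None):
    """RP step: accept claims only from a trusted issuer, with a valid
    signature, addressed to this RP, not expired, and covering the policy."""
    body = json.loads(token["payload"])
    issuer = body.get("issuer")
    key = IDP_KEYS.get(issuer)
    if issuer not in policy.trusted_issuers or key is None or token["sig"] is None:
        return None
    expected = hmac.new(key, token["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    if body.get("audience") != policy.audience:
        return None
    if (now if now is not None else time.time()) > body["exp"]:
        return None
    if not policy.required_claims <= set(body["claims"]):
        return None
    return body["claims"]


def run_flow():
    """End-to-end walk through the steps with a constructed wallet."""
    policy = Policy(frozenset({"name", "birthdate"}),
                    frozenset({"https://idp.bank.example"}),
                    "https://shop.example")
    wallet = [
        InformationCard("https://idp.bank.example",
                        {"name": "A. Subject", "birthdate": "1980-01-01",
                         "address": "1 Main St"}, managed=True),
        InformationCard("https://idp.shady.example",
                        {"name": "A. Subject", "birthdate": "1980-01-01"}, managed=True),
        InformationCard(SELF_ISSUED, {"name": "A. Subject"}, managed=False),
    ]
    highlighted = select_cards(wallet, policy)
    token = sts_issue_token(highlighted[0], policy, subject_authenticated=True)
    claims = rp_verify_token(token, policy)
    # Altering the claims after signing must make the RP reject the token.
    forged = {"payload": token["payload"].replace(b"1980", b"1990"), "sig": token["sig"]}
    return highlighted, claims, rp_verify_token(forged, policy)


if __name__ == "__main__":
    cards, claims, forged = run_flow()
    print(len(cards), "card(s) highlighted; accepted claims:", claims, "; forged:", forged)
```

Note that the "address" claim on the bank card never reaches the shop: the STS releases only what the policy requested, which is the minimal-disclosure property the selector model is meant to give the subject. The untrusted issuer's card is filtered out by the selector, and even a correctly signed token from it would be refused by the RP's issuer check.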
How Can Information Cards Help Prevent Identity Fraud?
The use of Information Cards by consumers could potentially mitigate identity fraud as follows:
- A managed Information Card could be used for online credit card payments by acting as a delivery vehicle for single-use / one-time credit card numbers. Information Cards would presumably be easier to use and less cumbersome than current methods of generating single-use numbers.
- A self-issued Information Card could be used for authentication to an online banking account. A self-issued card would be sufficient, since it would not be necessary to use a trusted third party to provide verified identity claims each time the account is accessed. If the same Information Card that was initially created and "bound" to the account during enrollment is used for subsequent account access, unauthorized persons would be unable to access the account unless they were able to somehow access the Information Card and also knew the PIN for unlocking the card. The self-issued Information Card could act as a "something you have" authentication factor in a multifactor authentication scheme.
- The same self-issued Information Card used for online banking access would also protect against fraudulent payments from the user's checking account, if new payment options such as Secure Vault Payments are used. This is because authentication to online banking would be accepted as authorization to make payments from a checking account linked to online banking.
- A self-issued Information Card could also be used for authentication to an online payment service, if the payment service can initially bind the self-issued card to an authorized user of the account.
- A managed Information Card issued by a trusted party such as a bank or motor vehicle bureau, and that can serve to provide verified identity claims on the basis of identity attributes such as name, address, birthdate, Social Security Number, etc., could be used to verify the identity of someone seeking to establish a new credit account, or a new relationship, with a service provider.
- A managed Information Card issued by a credit reporting agency (credit bureau) could allow a consumer to authenticate to the credit bureau and authorize release of his/her credit file to a credit grantor.
- An Information Card (managed or self-issued) could be used as an electronic version of a medical insurance card, or other form of identification used for medical purposes. Such an Information Card might be used for online access to medical records.
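The "something you have" scheme from the online banking and payment items above, as an added worked example that is not part of the original article or any selector or banking product: a self-issued card whose master secret is sealed under a PIN, bound to an account at enrollment, and then used to answer the bank's single-use challenges, with the same login session serving as payment authorization. The bank name, account number and PIN are constructed; the PIN-derived seal (PBKDF2 plus XOR) and the HMAC binding are stand-ins for the encrypted card store and asymmetric key material a real selector would use, and with a real signing key the bank would hold only public data rather than the per-site key stored here.

```python
import hashlib
import hmac
import secrets

# Constructed example: PBKDF2 + XOR seals the card under its PIN, and an HMAC
# per relying party stands in for the card's signing key.


def pin_key(pin, salt):
    """Slow PIN-derived key so a copied card file cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class SelfIssuedCard:
    """The 'something you have': a card file that is useless without its PIN."""

    def __init__(self, pin):
        self.salt = secrets.token_bytes(16)
        master = secrets.token_bytes(32)
        k = pin_key(pin, self.salt)
        self.sealed = bytes(a ^ b for a, b in zip(master, k))        # seal under PIN key
        self.check = hashlib.sha256(b"check" + master).digest()[:8]  # detects a wrong PIN

    def unlock(self, pin):
        k = pin_key(pin, self.salt)
        master = bytes(a ^ b for a, b in zip(self.sealed, k))
        tag = hashlib.sha256(b"check" + master).digest()[:8]
        if not hmac.compare_digest(tag, self.check):
            raise PermissionError("wrong PIN")
        return UnlockedCard(master)


class UnlockedCard:
    def __init__(self, master):
        self._master = master

    def site_key(self, rp_id):
        # A distinct key per relying party, so two sites cannot correlate one card.
        return hmac.new(self._master, rp_id.encode(), hashlib.sha256).digest()

    def respond(self, rp_id, nonce):
        return hmac.new(self.site_key(rp_id), nonce, hashlib.sha256).hexdigest()


class OnlineBank:
    RP_ID = "https://bank.example"   # constructed relying-party identifier

    def __init__(self):
        self.bindings = {}      # account -> card binding captured at enrollment
        self.open_nonces = set()

    def enroll(self, account, unlocked_card):
        """Bind the card once, after the customer has been identified by other means."""
        self.bindings[account] = unlocked_card.site_key(self.RP_ID)

    def challenge(self):
        n = secrets.token_bytes(16)
        self.open_nonces.add(n)
        return n

    def login(self, account, nonce, response):
        """Accept only a fresh nonce answered with the key bound at enrollment."""
        if nonce not in self.open_nonces:
            return False
        self.open_nonces.discard(nonce)       # single-use nonce: replays fail
        key = self.bindings.get(account)
        if key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

    def authorize_payment(self, account, session_ok, amount):
        """Secure-Vault-style payment: the online-banking login is the authorization."""
        return session_ok and amount > 0


def demo():
    bank = OnlineBank()
    card = SelfIssuedCard(pin="2468")
    bank.enroll("acct-001", card.unlock("2468"))

    n = bank.challenge()
    ok = bank.login("acct-001", n, card.unlock("2468").respond(bank.RP_ID, n))
    replayed = bank.login("acct-001", n, card.unlock("2468").respond(bank.RP_ID, n))

    other = SelfIssuedCard(pin="2468").unlock("2468")   # a different card, same PIN
    n2 = bank.challenge()
    impostor = bank.login("acct-001", n2, other.respond(bank.RP_ID, n2))

    try:
        card.unlock("0000")
        wrong_pin_rejected = False
    except PermissionError:
        wrong_pin_rejected = True
    return ok, replayed, impostor, wrong_pin_rejected


if __name__ == "__main__":
    print(demo())
```

The point of the per-site key is that the bank learns nothing that identifies the card to another relying party, and the point of the single-use nonce is that an attacker who captures one login exchange cannot replay it. Someone who copies the card file still has to guess the PIN, and someone who knows the PIN but holds a different card produces a response the bank cannot match.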