RSA: Microsoft Pushes 'Geneva' In War On Passwords

Formerly known as Zermatt, the claims-based access platform is a framework for granting people access to information.

Perhaps most noteworthy about Microsoft's campaign to replace the password is that it isn't proposing a proprietary authentication system, as it did with HailStorm. Though Windows CardSpace is specific to Windows, the concept of Information Cards is supported by companies like Google, Oracle, Novell, and PayPal.

"The model is open, the specifications are published, and it's interoperable," said Leland. "Geneva is supporting SAML 2.0, put forth by the Liberty group. And we're working actively with industry partners to make sure it's supported on Windows and non-Windows platforms."

Lynch asserted that ongoing security issues online make it clear that password protection isn't enough anymore. "Identity theft and phishing attacks are continuing to rise, along with malware and botnets," he said. "There are also more and more uses of the Internet which are sensitive, like health information. Public awareness of risks is higher. Data breaches are continuing to accelerate. The potential for confidence in the Internet to be shaken is increasing."

At the same time, moving past the password isn't easy because old habits die hard. "Part of the challenge of moving on from passwords is that people really understand passwords," said Leland. "When you're talking about over a billion PC or Windows users across the planet, you have a pretty large installed base that's pretty attuned to a model of authentication."

There is a downside, however. "There's a downside only to the mass marketing infrastructure out there that's benefiting from the model we have today, which is that people are sharing too much information and other people are benefiting from that information," explained Leland.

The system that Microsoft aims to implement is different. Access claims are arbitrated by digital tokens, which means that users won't necessarily need to supply Web sites with personal information to conduct transactions. "It puts the ownership of identity in the right place and makes you decide who you share it with," said Leland, "which actually opens up a whole new set of interesting business models."

"I should be able to sell the ability to market to me," Leland elaborated. "Not somebody else."

Leland acknowledged that Microsoft doesn't have any such personal information market planned, so it remains to be seen whether users really want to act as their own information brokers and whether Web sites really want to operate without demanding too much information from users.

But "a new model for monetizing information about people," as Leland described it, sounds promising.
