BBC Home
Explore the BBC
BBC News
Launch consoleBBC NEWS CHANNEL
Last Updated: Monday, 20 February 2006, 11:10 GMT
Who does the net think you are?
Bill Gates, AP
Microsoft wants to change passwords for something better
As Microsoft reveals its new plans for online identity, technology commentator Bill Thompson wonders how to prove who he really is.

Bill Gates thinks that passwords are a bad idea, and looks forward to a world where we can do without them.

He would much rather we all used digital certificates managed through the InfoCard system in Windows Vista.

Speaking at the RSA Security conference last week, Mr Gates admitted that Microsoft has "an overly complex system today", and promised a simpler, easier and safer model for future Windows users.

It's a compelling vision, and since I've argued repeatedly that we need to deal with the problem of how we tie our real-world identities to our online activities, I have to support Microsoft's new-found interest in the issue.

What it is proposing is certainly a much better plan than its first attempt to do something about online credentials.

Proof positive

The Passport service, launched in 1999, was supposed to let websites and web services verify user identities.

It was an expensive failure, largely because nobody was willing to trust Microsoft as the intermediary at a time when the company's reputation for security was being undermined by regular reports of software flaws and compromised systems.

Although Passport is now consigned to the backwaters of checking Hotmail and Messenger logins, we should not underestimate Microsoft's ability to learn from its mistakes.

The company has a habit of entering a market with a poorly-designed offering, failing badly and then learning the lessons from those who eventually succeed.

Bill Thompson
It is frighteningly easy to pretend to be someone else, and although it would be possible to work out that a posting signed "bill thompson" was not really from me, it could cause problems at work or in a relationship.
Bill Thompson
Look at the television market, where Microsoft's first attempt to persuade cable companies to run Windows on their set-top boxes was firmly rebuffed. Nearly 10 years later it is back with IPTV and signing up partners around the world.

When it comes to online identity, it's clear that Microsoft has looked closely at the work of the Liberty Alliance, an industry consortium that has been struggling for years to persuade users and service providers that digital identity is a serious problem.

Their approach is based on what they call a "federated identity". Each organisation I deal with, whether it's a bank or a bookseller or a government department, keeps its own data, but once one of them knows who I am then the others will accept that identity.

So I can log on to my bank using a secure smartcard and then buy books without needing a password. What's more, I don't need to rely on one company to provide security software or authentication services, as long as they all agree to use the same standards.

Federated identity is a sensible way to solve the problems of linking real-world and digital identity, and the open approach advocated by the Liberty Alliance has already received support from major companies like General Motors and Japan Airlines, among others.

Standard issue

We should not be surprised to learn, given Microsoft's new-found interest in the area, that last November the Liberty Alliance announced a project to make better use of smartcards, tokens and other alternatives to passwords for authentication, making many of the arguments used last week by Bill Gates.

The work being done by its Strong Authentication Expert Group is already well advanced, yet strangely enough Microsoft has chosen to build its InfoCards around a different set of Web security standards so the two approaches will not work seamlessly together.

British passports, BBC
Offline official documents help confirm identity
And it's pretty likely that while Microsoft will fully embrace the standard it has chosen, the Web Services Trust Language (WS-Trust), it will also extend it in ways that will make it more convenient for those who use pure Microsoft solutions than those who prefer to "mix and match" operating systems and software.

You don't always need military-strength encryption, digital certificates that have been approved by a notary public or a federated identity infrastructure for online security.

Since October Lloyds TSB have been trying out a token-based system which uses a key ring-sized device to generate a six-digit code that has to be entered as well as a password. Similar systems are already used by many companies, including the BBC, to control remote access to their networks.

Is that me?

But whatever the chosen technology, we urgently need to do something about the problem of online identity, and not just so that we can bank safely or buy even more consumer goods.

One area that has achieved too little attention is the growing use of comments in blogs and news pages. Many blogs will let you post comments under any name you like, since all they try to check is that you are a real person rather than a spam-posting piece of software.

Even reputable news sites often only check that the e-mail address you have given is valid, but make no effort at all to verify that you are who you claim to be online.

As a result it is frighteningly easy to pretend to be someone else, and although it would be possible to work out that a posting signed "bill thompson" was not really from me, it could cause problems at work or in a relationship.

While it isn't surprising to see Microsoft and other players manoeuvring around each other, it is worrying to think that this vitally important area will be compromised for the sake of corporate advantage.

We urgently need a better solution to the problem of online identity, and it should be one area where the companies involved recognise that working together will benefit them all, even if it does mean having to give way to your rivals or conform to standards that you didn't write.

For one thing, in a secure world there should be a lot more business for everyone as we all feel safer online.

Bill Thompson is a regular commentator on the BBC World Service programme Go Digital

How you can protect against online identity theft

The BBC is not responsible for the content of external internet sites

Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit


Americas Africa Europe Middle East South Asia Asia Pacific