Acknowledging a “security crisis,” Microsoft plans to introduce Infocards that could replace passwords on more than 300 million personal computers by the middle of next year.

Infocards rest on a user’s desktop and represent the user’s digital identity. They can be used as an authentication tool instead of typing in the user name and passwords.

Microsoft said Monday it will release Infocards toward the end of the year and also make them a part of its upcoming Vista operating system, which is scheduled to ship to consumers starting in January.

Infocards could be pushed out to millions of enterprise and home users along with Windows updates that the company sends out frequently in a bid to reduce attacks such as phishing and keylogging that are designed to steal user names and passwords.

“The Internet was designed to be anonymous in its interactions,” said Richard Turner, product manager for Infocard at Microsoft. “But there is a need to introduce an identity layer that is open, inclusive, and standards-based.”

Microsoft has also renamed Infocards as Windows Cardspace and made it a part of its overall .NET Frameworks 3.0 architecture.

Frameworks 3.0 was formerly known as WinFX and now has four components: Windows Presentation Foundation, Windows Communication Foundation, Windows Workflow Foundation, and CardSpace.

Microsoft Chairman Bill Gates spoke about Infocards for the first time at the RSA security conference in February (see Microsoft Wants No Passwords).

Getting Rid of Passwords

“There is an identity crisis online,” said Mr. Turner. “There has been a massive increase in phishing and fraud, and it has become a very real problem.”

Phishing emails lure users into clicking on a fake URL and then entering their user name and password, which are then stolen by scammers. The fear of phishing has driven down consumer confidence on the Internet, according to the research firm Gartner.

More than 42 percent of the 5,000 U.S. adults interviewed by Gartner said their concerns about phishing and other dangers affected their online shopping behavior. Nearly three-quarters were more cautious about where they purchased goods online, and nearly one-third bought fewer items than they otherwise would (see Phishing Hurts Consumer Trust).

That’s where Cardspace or Infocards could make a difference. By just clicking on cards that rest on the desktop, users can authenticate themselves, according to Microsoft.

“Infocard is primarily targeted at the consumer market,” said Andrew Jaquith, a senior analyst for security solutions at Yankee Group. “It’s like having credit cards in a wallet, where the wallet is your desktop.”

Cardspace will not be a Microsoft proprietary architecture. The Redmond giant is working with companies like IBM and Sun to ensure Cardspace is widely adopted, said Mr. Turner. “For Cardspace to work, it has to be cross-platform,” he said.

Cardspace or Infocard may be an exciting idea, but it will be a while before there is widespread adoption, said Mr. Jaquith.

“Infocard has a lot of promise, but it’s not a product, it’s an architecture,” he said. “So it will be successful only if Microsoft can get everyone to buy into their world view.”

Infocards on the Desktop

According to Microsoft’s plan, every user will have a number of Infocards on his or her desktop. Each card will represent a digital identity that the user can potentially present for authentication.

Each card will have a little picture representing the user and will include information that will contribute to a digital identity. Typically the cards will include just the first name, last name, and email address of the individual; or the first name, last name, and date of birth; or the date of birth and the answer to a personal question.

When the user wants to log on to a web site that supports Cardspace, instead of typing in the user name and password, he or she can just click on the right Infocard, which will then be sent to the web site to authenticate the user.

Most cards will be issued by a third party, such as a bank, financial institution, or e-commerce site, and the authentication details will not be stored on the user’s machine.

“The actual data is held and released by the issuing party, and we dynamically obtain it every time the card is used, which protects the information from hackers,” said Mr. Turner.

Analysts said the technology would be much safer than the current system of user names and passwords and is likely to protect more users from phishing attacks, keyloggers, and spyware.

Keychains

Microsoft is not alone in this idea. Already Apple’s Mac computers sport a technology called Keychain that stores all the user’s user names and passwords in a single location as “keys” and presents them as needed.

“Mac has had the Keychain since OS 9, or for about five years now, so Microsoft is just introducing something similar for PC users,” said Mr. Jaquith.

Microsoft said Infocards not only replace user names and passwords, but also complement hardware-based authentication products such as tokens and smart cards.

Contact the writer:PGanapati@RedHerring.com