Verifying Your Identity Online

Posted by Jules Cohen
Director, Trustworthy Computing

This week I travelled to Washington, D.C. for the International Association of Privacy Professionals (IAPP) Global Privacy Summit. The event is a great opportunity for members of the global privacy community to connect, debate the pressing privacy issues of the day and look ahead to future challenges.

Scott Charney, the leader of Microsoft’s Trustworthy Computing group, delivered today’s keynote address focused on our End to End Trust vision for a safer, more trusted Internet. He spoke to progress we’ve made towards fulfilling that vision, how it applies to evolving computing models and what we need to do to continue moving forward.  Scott also noted that a crucial part of the challenge is bringing public and private parties together to address challenges of trust and privacy in the online identity management space.

Indeed, online identity management is a topic that is receiving considerable focus and discussion in privacy circles these days.

In the context of citizen and consumer protection, the promise of online identity management is essentially the same as the promise of identity management in the physical or “real” world.

In the physical world, when you need to prove your identity to access a particular good or service, you typically pull out the appropriate ID from your wallet. Depending on the context, this might be a driver’s license, student ID, ATM card, employee ID or any other of the physical identity documents that people carry. The card is scrutinized and the recipient makes a trust decision whether or not to allow access to the requested good or service.

Today, we don’t have a similarly robust or interoperable identity verification system online. Instead, we rely on a patchwork of user names, passwords and other easily compromised pass-phrases to “prove” who we are online. Unfortunately, compromised usernames and passwords can typically be entered online by anyone, from anywhere on the Web, and don’t have anywhere near the fidelity of physical identity documents.

For online transactions that require a high level of information assurance and protection, we need a more secure and verifiable model — one where the level of trust and assurance much more closely resembles identity in the physical world.

Technology can help us develop a system of electronic identities that extends to the Web the type of trusted identity verification enabled by ordinary plastic ID cards. As we move down this path we’ll encounter a variety of challenges. One of the most critical ones will be building these new systems in such a way that they support data protection and privacy principles. 

At Microsoft, we’re investing in technologies to address these challenges. We recently released a cryptographic-based technology called U-Prove under the Open Specification Promise. The U-Prove technology can enable people to prove their identity by disclosing only the minimum amount of information necessary to complete a transaction, and does so in such a way that one use of an ID is not linkable to any other use of that ID.  In the physical world, this would be similar to showing someone your university ID to get a student discount — but without disclosing any piece of information but the fact that you were a verified student. All other information on your student ID– school name, graduation year, student ID number and other similar fields– need not be disclosed.  You can learn more about U-Prove, here.