Information Cards introduce a new paradigm in on-line authentication that replaces conventional Username and Password login. The new paradigm is based on the very familiar 'real world' experience of presenting credentials. When I want to purchase something and I don't have cash; I present a credit card. When I want to rent a car I pull out my driver's license and when I want to borrow a book from the library I pull out my library card. Despite the number of cards I may have in my wallet; 3 credit, 1 debit, healthcare, dental care, library, 3 museum memberships, 2 frequent flyer, etc... It is very easy and intuitive for me to select the right card at the right time.
The mechanics of trust that 'real life' cards represent is also interesting. When I present my driver's license, the 'claims' on the card; age, address, etc... are packaged in such a way that the person looking at the card can establish 'trust'. They can compare the picture on the card to my face. They can compare the age represented on the card to their view of how old I am; they can compare the eye-color listed to my eyes. Finally, they can identify the state that issued the card. The trust mechanics dictate that:
The card does not appear to have been tampered with. The photo to face matching indicates that this card was issued to this person by the State of California. I trust the State of California I can therefore trust the claims on this card.
The interesting thing to note is that there is no need for trust to be established between the person presenting the card and the person accepting the card. The person accepting the card only has to trust the State that issued the card; even though the state isn't present, or in any way involved in the transaction. This is similar with credit card processing; a shop keeper doesn't trust you to give them money 'later' ("I'll gladly pay you Tuesday for a hamburger today"), but they do trust Visa, the issuer of the card.
Information Cards bring this paradigm and these mechanics to our online experience. When you login to a web site with Information Cards (I-Cards) you are asked to select an I-Card from your virtual wallet. The analogy isn't perfect so the wallet, otherwise known as; The Card Selector, has some smarts to make things easier.
The Card Selector, which is a piece of 'secure' software running on your machine, remembers places that you have logged in before. Each time you start to log into a site that you haven't logged into before, you get an informational dialog that tells you about the site you are logging into. This largely eliminates concerns about 'phishing' attacks, scams where a site pretends to be a site it's not to get your username and password. Even if a site manages to fool you into logging in with an I-Card ; they don't get something they can use somewhere else.
When you click on the 'login' link, the site you are trying to log into tells your computer what it wants to know about you. If you are trying to leave a blog comment that might just be a nickname, if you are trying to purchase beer it might be a claim that you are over 18 years of age. When the wallet opens, only those cards that are capable of satisfying the sites 'policy' (what the site wants to know) are selectable. This interaction means that the user doesn't have to go through and select from ALL their cards every time they login, the choice comes down to selecting from one or two for any given context; Visa or American Express?
If you want to play with Information Cards the best place to start would be http://www.azigo.com/icards.html this site is provided by Parity Inc.; THE leaders in implementing this technology. If you click through the Equifax Card sign-up process you will have the Card Selector installed and get your first i-Card, one that can 'prove' you are over 18 (if you are) without exposing any other information about you. The Minuteman Library Network is the first Library Card i-Card project and probably of special interest to the readers of this blog; I am working on this project and will keep you informed of its progress.