Gates: Passwords Aren't Enough

At the 2006 RSA Conference, Microsoft Chairman and Chief Software Architect Bill Gates said the software giant wants to encourage the creation of an open and interoperable architecture for protecting users' identities, an architecture informally dubbed the identity metasystem.

Also during the conference, the Organization for the Advancement of Structured Information Standards (OASIS) said its members, including Microsoft and IBM, have approved WS-Security version 1.1 as an OASIS standard. The “trust ecosystem” will be based on WS* standards and other key security standards such as IPSec, but vendors will still have the opportunity to make money.

Microsoft has tossed its hat into the ring by offering its forthcoming Internet Explorer 7 with InfoCard support and Certificate Lifecycle Manager (CLM).

Microsoft CLM, developed from existing code acquired with Alacris last year, will simplify the process for issuing digital certificates and provisioning smart cards, Gates said. At RSA, Microsoft announced Active Directory will support InfoCard technology and identity metasystem protocols in the near future.

The pieces are falling into place. Active Directory passes certificates to the CLM, which then takes those certificates and provisions them on the InfoCard.

“We have a Certificate Lifecycle Manager, so if somebody comes in that doesn't have their smart card, they can get that renewed very easily. Having the revocation and issuance work as easily as passwords do today is a critical element here,” Gates said before thousands at the RSA event last week. “I don't pretend we're going to move away from passwords overnight. But over, say, a three- or four-year period for corporate systems, this change should take place and can take place.”

Partners said Microsoft's identity management and authentication technologies will offer them new services opportunities.

“Microsoft continues to work toward standards around security and certificate management,” said Ken Winell, CTO at Vis.align, a solution provider in King of Prussia, Pa. “By making their products more standard-oriented, our clients and customers can choose to integrate Microsoft technology or perhaps may use a third-party authentication due to heterogeneous environments.”

Microsoft, Redmond, Wash., recently introduced Active Directory Federation Services in Windows Server 2003 Release 2. With the next Windows Server in 2007, the company said it plans to offer Active Directory Rights Management Services, Certificate Services, Metadirectory Services and Federation Services deployed from a single setup. Full integration is planned beyond the Longhorn server.