InfoCard and Device Theft
The other day Andrew Stopford blogged about InfoCard, asking what happens if your PC is stolen. Does the thief get access to your "cards", and therefore any web site that you use them to log into?
I'm about 20 minutes into this video on Channel9, which explains the architecture of InfoCard, and in it Charles asked the same question. The answer, however, hasn't satisfied me.
The response that architect Arun Nanda gave was that the cards themselves don't store information - only a list of "claims" that the card provider can make on your behalf. When you submit the card to a site, you still need to authenticate with the card provider to prove that you are who you say you are.
So how do I prove my identity to the card provider? Another InfoCard? That way lies infinite loops. A username and password? How is that different from having to enter a username and password to the original site?
Anyone out there close enough to InfoCard to give a solid explanation of why it's still secure if your PC is stolen?

Comments
# Vishwas Lele
27/10/2006 12:04 PM
Did you find a solid explanation for the question you raise in your blog post? Thanks!
# mabster
27/10/2006 12:18 PM
Hi Vishwas.
Never got an official response, but here's how I understand it:
An InfoCard only carries claims - it contains no "real" data (no credit card numbers etc).
If you have an InfoCard that was issued to you from your bank, and you submit that card to, say, amazon.com, then amazon can use the claims in that card to contact your bank and charge for goods. HOWEVER, the bank won't let them do that without verification from you that you are who you say you are. In other words, you'd still need to enter a password of some kind so that everyone knows that you're you.
So yeah - for secure information, it sounds like passwords will still be necessary. That, then, means that device theft isn't such an issue.