Windows CardSpace with Stuart Kwan

This is a podcast episode titled, Windows CardSpace with Stuart Kwan. The summary for this episode is: On the second episode of the 4th season of Identity Unlocked, host Vittorio Bertocci, Principal Architect at Auth0, is joined by Stuart Kwan, Partner Product Manager in the Azure Active Directory team. He joins the show to discuss Windows CardSpace, how it ignited the user-centric identity revolution and how it influenced so much of what we do today, despite failing to be adopted. Like this episode? Be sure to leave a five-star review and share Identity, Unlocked with your community! You can connect with Vittorio on Twitter at @vibronet, Stuart at @stuartkwan, and Auth0 at @auth0.

Vittorio: Buongiorno everybody and welcome. This is Identity Unlocked and I'm your host, Vittorio Bertocci. Identity Unlocked is the podcast that discusses identity specifications and trends from a developer perspective. Identity Unlocked is powered by Auth0 in partnership with the OpenID Foundation and IDPro. In this episode, we're going to go back in time and revisit a historical artifact, the information card, and its most famous implementation, Windows Cardspace. Information cards were the first manifestation of a user-centric identity movement and although they are extinct today, they had an incredible influence on today's identity protocols and features. And to do that, I have secured a very, very special guest. Stuart Kwan, partner group program manager at Microsoft, who lived through the information card era from a special seat at the helm of the Windows Cardspace feature team. Welcome, Stuart.

Stuart: Thank you for having me. It's good to see you.

Vittorio: Thanks for joining us. As it's tradition for Identity Unlocked, I'm going to ask you if you'd like to share the story of how you ended up working in identity and eventually in your current position. But knowing you, I suspect this might take half of the episode, so let's see what happens. So would you like to share your identity origin story with us?

Stuart: Sure. Origin story. Yes, we'll confine it maybe to the beginning. Like many other people, I did not set out to work on identity. I came about it happenstance. So I grew up in Canada, I'm originally from Ottawa, Canada. I went to the University of Waterloo, which has a relatively famed computer science and engineering program and I took computer engineering, and this was back in the early-mid nineties. And one of the hallmarks of the program that they had there was, it was a cooperative education program. So when you did your degree, you went to school for four months and then you would work for four months and you'd go to school for four months. It takes a little bit longer than usual to get a bachelor's degree but you have this work experience when you're done. And it's work experience with employers like you'd expect, especially in high tech back then there were a lot of high tech employers that were merging, and Microsoft was one of them. So I applied to do an internship at Microsoft. I was offered the internship. I came out here in the fall of 1993 and I worked on a project that was code named Utopia. I didn't know what it was, they couldn't tell me what it was before I got here. They said it was about a next generation user interface. And those of you who really know your computer arcana will know that Utopia became Microsoft Bob. So I worked on Microsoft Bob for four months as part of my internship. It was a fascinating experience, worked with some really interesting people. At the end of my internship, I still had more internships to come. I wasn't near done my degree yet and my recruiter asked, "Would you like to come back and do a second internship?" And I said, "Sure. Yeah, I'd like to do that, but I'd like to do something a little deeper in the system, a little lower level." And she said, "Systems. Maybe the systems group. Would you like to work in the systems group?" And I said, "Sure, I'll do that."
And that's how I landed up in a team that was working on what became Active Directory. Back then it was known as the Windows NT directory service and we were working on Windows NT 5.0, which became Windows 2000. And that's how I became involved in directory services and then identity. I guess the progression, back then it was about enterprise directories and enterprises and it has gradually morphed over time to include more and more things. And strangely enough, in all the time that I've been at Microsoft, I've worked on this topic that we now call identity, back then we called it distributed system security or enterprise directory. And I've worked in this area the whole time. I have not found the bottom of it yet. It's vast and there's so many different parts of it and I've had the pleasure to work on so many different parts of it. But yeah, that's my origin story for identity.

Vittorio: Wonderful. And from there, how did you end up in your current position and what do you do today?

Stuart: So I've been what's called a program manager at Microsoft the whole time. We've actually been retitled now, we're product managers, so that we're more recognizable of what everybody else does in industry. So I've been working on the design and experience and the roadmap and the feature set and functionality of products that first was in Windows Server... My first full-time job at Microsoft was to work on the domain name system server, the DNS server, for Windows NT that shipped in Windows 2000. And that was an essential part of the pieces that accompanied Active Directory. That came with some exposure to standards. I did some IETF work. I have a couple of RFCs with my name on them for secure domain name system update, there's a couple things that we needed to do there. After that, I started working on more parts of Active Directory, the LDAP implementation in Active Directory. We shipped Active Directory in Windows 2000 in the year 2000. After that I started working on more and more parts, but I was moving up in management as well, I became a pointy-haired boss that was working with a team of program managers. And along the way, let me see, the different things I worked on included Active Directory Federation Services, Windows Identity Foundation, the Active Directory Authentication Library and the Microsoft Authentication Library, ADAL and MSAL. The Microsoft Identity Integration Server, which was the metadirectory product that evolved from the company that, when we acquired Kim Cameron's company, ZoomIt, it became MIIS and has had many different names since then. So let's see, what else? Oh, and then as we started going to the cloud, I worked on the Access Control Service, which was a predecessor to what I work on now, which is Azure Active Directory, the identity system for Microsoft's cloud. And let's see, so what do I do?
Right now, what I do in my role as a group product manager is mainly actually around access control or authorization and deciding who's allowed to access what after you signed up.

Vittorio: Very interesting and amazing trajectory. Not everyone knows that we did some of that trajectory together, as in, you have been my direct boss for five years, six years, something like that.

Stuart: It was a good stretch. It was a good, fun stretch. I have vivid memories of the moment when we had that conversation, it was like, maybe we should do this.

Vittorio: Yeah. It was a very interesting ride, but fantastic. Basically you are this monument that saw all the eras and all the civilizations grow and die and all those cycles, you have seen them. So you are absolutely perfect for the thing that we want to do today. And so here, I want to give a fair warning to the audience. I devoted a few years of my professional life to the project that we are going to talk about. And so this time, although I'll try to contain myself, I already know I'm not going to be a fully impartial host. I already know that I will occasionally have to chime in and give my take, but I'll try to do it as little as possible. But fair warning. Okay, perfect. Fantastic. So let's get into it. And let's set the stage. The year is 2006 and Microsoft has just announced Hailstorm and they got a huge backlash from it. So what was Hailstorm? What was going on? What happened? How did we end up with this thing that we call Cardspace?

Stuart: So my memory of some of this stuff is not super precise, but no matter what, if I'm not correct, I will definitely be entertaining.

Vittorio: That's perfect.

Stuart: Hailstorm. I think we announced Hailstorm earlier, it was around 2001, and we stopped that project, I think in 2002, even so 20 years ago. But we were on a mission to help people create services that you could easily interconnect interoperably between any kind of system, web services, really. It was a web services era. And we were trying to go beyond simple file and print sharing that we'd done with Windows for many, many years and we were trying to do that over the internet as well. So Hailstorm was a way Microsoft was going to create web services on the internet. You could almost think of it as a predecessor to cloud services. And for any of these things to work, like in any connected system, but especially in a connected system which is now accessible by anyone over the internet, instead of an enterprise directory service which is inside a company's network or an organization's network, now it's anybody on the internet. Then we knew we had to address identity. We had to know who you were when you were signing in, we needed to solve that problem. It's going to be an essential problem to be solved. Now, around the same time, there were other things popping up on the internet. The internet was becoming more and more popular, although 2005, this is right around when... I can't even remember. When did Facebook become a thing? When did Google become a thing? They just-

Vittorio: Much later. They were founded in 2007, I think. So this was predating even the idea of those centralized big services.

Stuart: Some of these big services. Yeah, it was even before that. But even then in that era, in the mid first decade of the 2000s, phishing and identity theft were becoming a problem. So we knew we wanted to do something. Hailstorm and this idea that you could have this one identity, this one sign-in that you could use anywhere on the internet and that Microsoft would run it, the industry was not fond of that idea. So we pivoted pretty hard to, well let's actually put identity in the hands of individual users, under their control, so that they could decide what information they wanted to disclose and they could do so in a simple manner and they could do so without having to use passwords, because there's a broad recognition that passwords were becoming a growing problem with respect to phishing and it's just not a great idea. It's not a great idea to have a human be a random number generator and remember those random numbers. So as passwords, really, really good secrets. So we had this idea. Let's put it in the hands of end users, and guess what? We have Windows and we could put this capability into Windows and that would put it in the hands of lots of people and they would be able to use it on the internet when they were logging into websites and when they were accessing web services. So what eventually became called Windows Cardspace and what originated as this idea of information cards, a way to represent your identity and the different facets of your identity, and then use it from say, a PC. Yeah, that's what we set out to do right around in the middle of 2005, 2006, 2007. That's about when it started.

Vittorio: Yeah. It was something like that. Yeah, I remember back in the day there was this thing of, all the consumers that were using username and password and as you said earlier, the big services weren't there yet. There was not yet the need of having one website that calls the API of another website. It was purely, how do I sign into those websites? And from the business perspective, there was stuff like SAML and similar. So people working in the business had a way of doing this famous single sign-on. But like the man on the street, it didn't. And so this thing was revolutionary, the idea of giving to end users the power to do that, and without being tied to administrators that would decide on their destiny. Which I guess is like, how would you define this idea of user-centric principles? What was the novelty to that?

Stuart: So yeah, this information card system had this idea of self-issued cards, cards that you managed yourself and they were your own and they were on your PC and the keys were on your PC and no one else had any control over them. And then managed cards, which were identities that came with an association that you had with other organizations, the government organizations, businesses, employers, et cetera. But really foundational to this was the idea of the self-issued card, that you had an identity, it wasn't a password. It had attributes associated. In fact, you could have many of these things. There was an idea of a wallet of sorts, that had the cards in it and you could have many of these cards and you could present the one you wanted to present in a moment, to represent the particular facet of your identity that you wanted to project. And it was all anchored, architecturally and philosophically, in these laws of identity that Kim Cameron blogged about right around 2005 or so. I don't think I could remember. Do you have them memorized? Do you have the laws of identity memorized, Vittorio?

Vittorio: I don't have them memorized, but I brought up from the depth of my bookshelf, my copy of a book that we wrote about Cardspace back in the day. And here I have a list of laws of identity, which I don't think that we should go through all of them, but just to hint of what they meant. I have to say, I don't want to use political terms because in today's climate, I don't want to be canceled or crucified, but they were very much, again, revolutionary, on the side of the user rather than on the side of the businesses. So the first one was user control and consent. I guess we can comment on this one.

Stuart: Yeah. An entity other than yourself shouldn't control your identity, it should be something that belongs to you. And when we talk about, where did Cardspace struggle or where did the idea behind an information card struggle, the identity has to exist somewhere and people use multiple PCs. PCs die, they have problems. Or you want to get a new one. How do you move your identity around between these devices, was one of the issues. So if you're going to be in control of your identity and it's not going to exist anywhere else except on things under your physical control, then how are you going to carry it around? And you have to remember, this is before the iPhone. There were smartphones back then of various kinds, but this is before the broad popularity of the smartphone.

Vittorio: Oh yeah, absolutely. And isn't it funny that it is literally all these days, the fact that the FIDO organization announced the multi-device credentials 15 years later. And today we are hailing it as a big revolution, which it is, as in, it is solving a problem we haven't solved yet. But here I fear that some of our listeners might be a bit lost. So let me take a step back and summarize basically what this Cardspace was. So this was a client that was coming pre-installed in Windows and earlier you said the magic word, wallet. It was a client with a collection of cards. Each card was an affordance representing one identity, which could be what you decide, as in the self-issued card, you just basically pre-fill a form with some of the things that you want to say about yourself. Whereas other cards were instead referring to the identity with some provider, which we didn't say the magic word, identity provider, yet. Some provider like your bank or your government might assert about you, saying okay, this card contains all the things I can say about you when someone asks me who you are. And then the idea was that we had this complex set of protocols. And so a user could pop out a browser, land on a webpage, try to sign in, there was a button and when they clicked this button, this button would invoke the wallet. The user would see the wallet, would see the list of cards filtered by the things that the website needed so that you could see only the ones that you could click. And the user could click on one card and know, the famous being in control, what kind of information would be shared, from whom to whom? So basically that was what's happening. What did I forget?

Stuart: You remembered more than I did. Yes, it was as simple as that. There was some markup on the page which indicated what things the site wanted to know about you and clicking that invoked a client and gave you the filtered experience. You picked a card or you canceled and said no, I don't want to do this, and off you went. The first Cardspace experience, most people have never seen this before. As you were mentioning earlier, the product is now extinct. It's removed. It's not in Windows anymore. But the first variant of it, we were so concerned about the security of this experience that we actually launched the card selector on a different desktop, on the secure desktop. So when you go to your Windows PC and you hit Control-Alt-Delete and it brings up where you can log off or you can change your password, that's the secure desktop. It's actually a special desktop in Windows that can't be reached by processes that are running on your normal desktop. And that's deliberate so that they can't do things on that very sensitive page. Or before you sign in, the sign-in screen that you see in Windows where you enter your password is on the secure desktop away from other software that's running on your PC so it can't do things like watch what characters you're typing in the password screen. So we actually invoked the original Cardspace selector on the secure desktop, which meant there was a big visual transition that happened, a pretty jarring visual transition, which turned out to be a problem really, in the end. And then you would make your choice and you'd go away. It was a very industrial experience back then. It was pretty heavy duty.

Vittorio: Yeah, I remember. And the thing is, I think that these are really hints to the discussion we'll have later about what happened, why this thing is the subject of a podcast but not something that people use every day. And this also ties us back to our list of laws of identity. I remember back in the day that this thing, in which everything would go black and you'd see only the list of cards, was touted as one of the ways of implementing the first law, the user control and consent. This was a way of focusing the attention of a user only on what was happening in there so that you wouldn't have anything else on the screen that could look like the wallet, pretend to be the wallet. So it was an attempt to give more control to the user. As it turns out, users aren't always eager to get control. And again, I like that we are talking about this because I know that a lot of young blood is trying to do something similar in this space. But human nature, in my opinion, remains the same as 500,000 years ago in terms of Gestalt and similar. So I hope that some of the things that we'll say will be useful to them. Great. So the second law was minimal disclosure for a constrained use.

Stuart: Very straightforward. You should only transmit the information about you that is actually needed by the site to fulfill the thing you want to do as the user, and not extra information, which then might be stored and stolen and really doesn't pertain to the thing that you're trying to accomplish. So again, the idea behind these laws was, if you built systems that were in conformance with the laws, then people would tend to use them and they would tend to be successful. If you didn't follow them, then bad things might happen and you might lose users, right? So in this case, it was, if you're gathering information about people that is not central to the thing you're doing for them, then bad things might happen to you or those users, that was the second law. The whole idea behind the cards having a set of claims or properties associated with them and then you seeing okay, these are the ones I'm going to disclose and as I'm making my consent, I can say yeah, these really are the pieces of information that that site needs to know about me, then yes, I'll go ahead and click okay. The idea was to make that experience really transparent. It ties in well with the first law.

Vittorio: And it definitely is, from a security perspective, it's perfectly in line with least privilege and from the first law it's like yeah, another aspect of a user is in control. Again, I feel that back in the day, we might have been a bit naive in thinking that this might drive users to adopt or not adopt. Because today with the emergence of various trackers... And it's surreal. It's so relevant to today because one of the things I do in my day job is to deal with the browser vendors that are adding constraints to the way in which browsers work so that they can prevent trackers from doing exactly the thing Cardspace was designed to prevent at the very beginning, which was here there is what is going to be shared, as opposed to today's trackers that try to gather as much info about you because it will come in useful for something else, like giving you an ad rather than doing the thing that you were trying to do today. And in my impression, this thing is naturally something that users use as a differentiator, but it does have a lot of implications in terms of legal, in terms of liability, in terms of whether you have a toxic asset now, that you need to protect because you know too much. But anyway, this was again, very intuitive and made a lot of sense. Fantastic. Third one, it's another really interesting one, which is justifiable parties.

Stuart: Justifiable parties. Just the entities that have a reason to be in the interaction should be in the interaction, there should not be extra ones. The idea behind Cardspace was, there were minimally three parties involved in a... Or possibly three parties involved in a given interaction. There was the person, the subject, and then the place where they wanted to have some service done and then maybe an identity provider that you wanted to then again, transfer only the minimal amount of information from that identity provider to the relying party, techno-speak for where this information was going. And only the people who need to be involved should be involved and that should all be transparent again. And the cards did make it transparent because you knew where you were going and the card was very clear about what was the organization that was speaking about you, in a nice visual way that people could relate to, and the information that was being disclosed as well.

Vittorio: Yeah. And the thing I'd like to add to this is that, the protocols on which the interaction was based just didn't make it possible for anyone to be injected in the flow. Today we are used to browser redirects which bounce people around and as part of this, you can have third-party cookies that send home little messages. You could have extra redirects in the middle that make a little stopover to a tracker domain. But instead with Cardspace and information cards in general, here I think it's important to clarify. We are using information card and Cardspace interchangeably but for the purists, like I can already... I just met Paul Trevithick, one of the historical persons, one month ago. I just ran into him and he is delightful. But anyway, he was one of the persons that would probably complain if we don't clarify this. There were information cards which were an abstract entity specification, a data format, let's say. Plus protocols for exchanging and issuing tokens modeled on top of it. And then there was Windows Cardspace, which was, I'd say, the original and one of the most well known clients. It was capable of using information cards but in fact, the protocols were completely open and a plurality of clients emerged on different platforms as well.

Stuart: It's a very important point you bring up there about how in today's web-based federation protocols, you can be bounced all over the universe and redirected all over the universe and if you're not watching the address bar closely, you don't really know where you are. With this fixed function interface, the card selector interface, there was no opportunity for the services that you were going to to paint different UIs for you. It was a fixed function interface and you knew exactly who the interacting parties were and there was no opportunity to try to fool you by redirecting you to funny places. And again, a lot of what we were trying to do here was help defend people against phishing and this was one way to do it.

Vittorio: Yeah. This was completely removing the rendering of the experience from the control of third parties, which was like a ceremony that was established by the client. Yes, excellent point. And I think that there is a bit of a resurgence of some of those things, like the Chrome team is looking at a thing called FedCM, in which they're trying not exactly to render the UI themselves, but at least to reserve one particular area of the browser chrome, which is just used for these kinds of interactions. And in general, all the people that are doing wallets are thinking about similar things. So they are making a comeback. The thing is that, those guys are now suffering from similar challenges like the ones we had back in the day. Back in the day, Windows was ubiquitous. So having something in Windows meant that you'd reach almost anyone online. But today, we have multiple platforms and unless the operating system offers something, which apart from Apple Wallet or Google Wallet, there is no wallet yet, you need to place this thing in an app and the way in which we activate this app is very unclear. So the new generations have an interesting problem to solve for giving this ceremony that is phishing resistant. We'll see what happens.

Stuart: Maybe we should cut to the chase and start talking about why this thing is extinct.

Vittorio: I agree. I think that the other principles are important principles, but I think that they are a bit more abstract. So yes, that's a very good point. Before we get in there, let's flesh out a bit more the various other actors. We described the client, so Cardspace itself, and you mentioned that there were two other roles, the thing that consumes the authentication and potentially the identity provider. Do you want to expand a bit on those roles?

Stuart: They're very similar to what you see today. For example, you can sign into a lot of websites with your Google account, with your Gmail account. Your Google account is the identity provider, the e-commerce site you're going to that is accepting the sign-in is the relying party, it's the same federated set of parties that are familiar today in a variety of these different scenarios. No real difference there, it was just a difference in the experience of the life cycle of getting the identity and the life cycle of using it, even at runtime when you go to sign in. So those are very durable concepts that existed before information cards and Cardspace and exist after.

Vittorio: And in fact, I think that if we double-click and we actually look at what happened on the wire, the analogy goes even further because basically cards were potential of the claims that you could obtain. But then once the user would choose to actually use those cards, what would happen was that behind the scenes the client would obtain a token, in particular a SAML token, and this SAML token would be sent to the relying party. And the relying party, just like today, had a responsibility of getting this token, verifying that it was signed, that it was signed from the right place, all of that stuff.

Stuart: Yeah. It was the series of web service protocols known as WS-Star that were the underpinnings. And much was learned in people building and trying to use those protocols that has then, we see echoes of it in these later generations like OpenID Connect.

Vittorio: Oh, absolutely. Now remember, without going too deep in the rabbit hole, but one of the central protocols which we used apart from WS-Security, which was a thing for moving tokens around, was WS-Trust, which was this thing that modeled how a client can go to an issuer, which might be an identity provider, and ask for a token for then accessing an API. And that thing still today, some people occasionally, instead of saying authorization server or OP, that stands for OpenID provider, they will occasionally have a slip of the tongue and say STS, which is a security token service, which was actually what was used in there. And in both OAuth and OpenID Connect, there are a number of extensions of the protocol, like token exchange, which use exactly the same terminology that we were using in WS-Star. So that stuff might have, how to say, died. But from there, decomposing matter, stuff thrived today. Sorry, the image is not the best but that's what just came to mind at the moment.

Stuart: It's a wonderful image of... It was composted. There are fossils and it was composted and you can find evidence of this in the future generations.

Vittorio: And so the thing that you described was the relying party. The identity provider had the counterpart of this, as in just like there were protocols for sending tokens to the relying party, there were protocols that we used for asking for a token from the identity provider. So all part of this nice suite of really complicated, but very powerful protocols that we had back in the day. So I'm very curious to hear your take about why today we sign in with Google, GitHub, Twitter, Facebook, sign in with Apple and we use a browser instead of having a nice wallet, and having something which is sticking with those laws, as opposed to those other things which, despite the best intentions of the implementers, are vulnerable to the various abuses that the laws of identity instead try to prevent.

Stuart: It's super interesting by the way, I have a variety of hypotheses about why we ended up the way we did. But before I go there, you were saying you can sign in with Facebook, you can sign in with Twitter, you can sign in with Google. I teach a class sometimes at Microsoft, for new people joining the identity division, it's a bootcamp class and I teach some of the concepts of federation. Some people may have seen the videos that I've got on YouTube that do some basics of modern authentication. But I teach this class and there's a bit I like to do, which I might have invented because of you or someone else, it just goes back. But I tell people, everything I needed to learn about home realm discovery, which is the act of how a relying party tells you where you can go, which identity providers it accepts. Everything I needed to learn about home realm discovery I learned from Lady Gaga. And I would go to Lady Gaga's website and you could sign in there and she offered a variety of different ways of signing in. Now, if you go to Lady Gaga's website right now, you will find that she doesn't offer you any ways of signing in. In fact, if you want to sign into Lady Gaga's website you need to have your own name and password at her website because Lady Gaga operates an identity provider now. And much to my frustration, it doesn't matter where you go, you can go to Justin Bieber's site, you can go to any celebrity or singer's website and you will not find any federated sign-ins anymore. So the pendulum has been vigorously swinging. Anyway, Cardspace and information cards. Why were they not successful? Well, one thing was at the time we did it, the problem was not bad enough. The way that we were looking at the problem was: we want to help people sign into these websites and do it safely and we want to help defend against phishing. Phishing was a problem. Phishing is still a problem today. People are better educated about it now, so it's not quite...
But it's still effective. Phishing still causes a lot of breaches. But for most commercial sites, it was easier to make people whole after fraud than it was to cause any kind of disruption in their conversion path. So if I'm coming to do an e-commerce transaction with you, I really don't want to have anything in the path that is as jarring as a change to the secure desktop in Windows and see a completely different looking interface than my website. That was a big threat to my ability to get you to continue through and actually complete your transaction. And it was bad enough that it was like, I'm not even going to bother doing that. If people get defrauded, I will make them whole. I'll do the right thing as a business to make them whole. And I can accept that cost and it's going to be a better option for me. So on one hand, the problem wasn't bad enough at the time to warrant something like this. Now building on that, the experience was not as good as it could have been either. And this is when we went to build the second version of Cardspace, it was like okay, we're not going to have the secure desktop, we're going to try to make this as lightweight and as small an experience on the desktop as possible so that it is not taking away from the experience of the site that you're going to. But even then, it was still a moment where someone could have abandoned their path. And most websites were, then and now of course, making all kinds of experiments to try to see, if I change the color of this button or if I move it slightly to the left or slightly to the right, how much does that change my conversion percentages? Doing all kinds of A/B experimentation. The idea of having this disruptive experience that's coming up was not one that many were willing to even look at, no matter how small it might have been. So that was another reason.

Vittorio: You are absolutely right. And funnily enough, today we have, at least in principle, similar things. Like when you are on a mobile app and you try to sign in and the app does the right thing from an OAuth, OpenID perspective, and pops out a system browser. I personally work with lots of customers that are still not on board with that. Even if they have complete control over every pixel that will show on the screen, the fact that the app swaps to a different app, which is the browser, isn't great. And the only case where I see people are somewhat begrudgingly accepting it is in the business context, when people get flipped to an authenticator. Like you're doing something and then you need to do step up or second factor, and you might end up in the authenticator, which gets invoked automatically, and then come back. But today, as I think you correctly positioned, the problem of fraud is way more widespread. Way more people are online, way more people access stuff from personal devices, as opposed to only from a computer from work. And people are way more competent and so they are more likely to succeed at doing this. But I would like to add to what you said the other side, which is the users. This is a bit like people planning for the health of a nation and saying well, we'd be best if we had less saturated fat. And so you tell people don't eat saturated fat, but people ultimately will do whatever they want. And so you can place labels on things saying beware, this stuff is 2000 calories for one cubic centimeter, but ultimately people do whatever. And so with CardSpace, we gave them the broccoli, which is really good for them, but back in the day people didn't even hear in the media that they needed this. There was this big scare of Hailstorm owning your identity and no one knew what that meant. And then they just jumped in the pool for Google, for Facebook and all the other identity providers. And honestly, although today there is just...
I just gave a keynote two weeks ago in Berlin exactly about this: people like the man in the street often don't care about privacy. I don't know how much has changed since then. If I think of the people in my life that are not the technical people, they are vaguely aware that privacy is a problem, that they are being tracked and similar, but as soon as they need to make some effort, something that goes beyond saying "do not track" in a little dialog that pops out, if they actually need to do extra work, pretty much all of them will choose the path of least resistance. So what's your impression of that?

Stuart: I think you're absolutely right. I think most people think if it was really that bad, someone would do something about it and it would be front and center in everyone's consciousness. They would do something about it. So it must be okay, nothing really bad is happening. And let's face it, even though the audience of this podcast is probably a lot of people who are really, really well versed on identity, I bet, and I'm talking to you out there, you all have passwords that you use on more than one website. You absolutely do. And now you're thinking... Okay, some of you are thinking no, I've got different classes of passwords. I definitely have a different one for my bank account than anything else, but I have this other password I use because... And then there's another class of people who are listening to this podcast who are saying dude, I use a password manager, they're all random passwords, blah, blah, blah. But nevertheless, you are in the minority. Those folks are in the minority. Most of us, there's a password that we use at a lot of different websites and nothing really terrible happens to most people. So yeah, I agree with you, people will... Was it Kim Cameron who used to say, people are lazy. They're going to find the path of least resistance. And he wasn't saying that in a derogatory fashion. It's...

Vittorio: Human nature.

Stuart: Yeah, they're going to exert the least amount of energy to get the job done because that's efficient. So yeah, definitely, that was another reason. There was another reason that did come to mind. Oh yes. Actually it comes back to this idea of password managers, but there was this notion we had of the self-issued card. It was a card that belonged to you, it was a set of keys on your machine that were asymmetric keys. So there's no password involved here, you're using strong cryptography. But what happens if your computer dies? How do you start over? All these websites that you go to that you have to start over with, how do you do that and how do you rebind yourself to those sites? And then smartphones were emerging. How can I use the same identity from many different devices? And how do I bootstrap that as if I... Heaven forbid I drop my phone over the side of the ferry on the way home and it's in the ocean, what do I do? How do I get back? And I think these problems still exist today. If we don't want to use the storage in people's brains that we use with passwords and we don't want these keys to be escrowed somewhere in the cloud as well where they could still get stolen, then how do we solve this problem? And I think that's a problem that still exists today and I think that was a problem for CardSpace. How do you bootstrap and how do you recover when you lose cards? We didn't have great solutions to that.

Vittorio: It is still a problem today. I think that the latest attempt is what we said earlier, the multi-device passkeys. Which by the way, the episode right before the one that we're recording right now was exactly on that topic with Andrew Shikiar and Tim Cappalli. And I think that that is the best attempt I've seen to date to solve this problem. It still has its own things because now you'll have Google, Apple and Microsoft that will be the repositories of this. And one might say sure, Apple is very interested in keeping iCloud as secure as possible. But still, now you have everything in iCloud. Also, if you decided that you no longer like the iPhone and you want to go to Android, there is no clear path. But anyway, for today's topic, that was definitely one of the things that made CardSpace adoption problematic.

Stuart: I think that about covers all the thoughts that I had about what did I learn as a product manager as I went through this exercise. The friction with the user and what they're trying to do is king, you have to not get in the way of that. You have to have ways of these bootstraps and recoveries because these things happen. Life happens, it's messy, you have to be able to accommodate it. Now, will this ever be a success? I can't remember where I heard this before, if this quote should be attributed to some luminary or something like that. But I think it was a venture capitalist and their quote was, it's as bad to be early as it is to be wrong. So was CardSpace early or was CardSpace wrong? I actually believe that passwords can't be the answer for the long future, that there has to be a better way for us to do identity, there has to be a better way for us to manage these kinds of authentication relationships and stuff. So I'm absolutely convinced that we will solve these problems and we'll find practical ways to solve these problems. And I actually share your optimism around passkeys and a passwordless future. We'll definitely get there and we learn a little bit along the way as we go. Because passwords can't be the end. It can't be the end of the story.

Vittorio: I absolutely agree. But the thing that I would add, which is unfortunately a bit more nuanced, is that I'm assuming that we will solve the mechanics of proving yeah, it's me, the same guy from yesterday, with all the various tactics that we mentioned earlier. I think that the more nuanced aspect that CardSpace offered, which again is coming back up with things like verifiable credentials and some of the decentralized thoughts, is this idea of the user having more control over how and when and to whom they present attributes describing themselves, and that is something that we will need to solve. The thing that I believe was missing in CardSpace and that is missing right now in the interactions I have with the people that work in this space, again, is a bit of nuance. Let's say that I think that there are scenarios that today we aren't good at addressing. Like if I want to be able to present my identity to a certain relying party without the source of the attributes that I want to show knowing that I'm doing it, there is no easy way of doing it. And I think that there are scenarios where this would be a useful capability. Or the things about minimal disclosure, the ability of saying well, I have this thing which contains 10 attributes but I only need to disclose two, that is also something that is useful. But to me, this stuff is incremental. As in, there are scenarios that we can't do today or that today we wing it with traditional technology, that would be better done with this. But a lot of scenarios that today people are doing business on just make sense and will keep making sense even when they don't offer perfect privacy, because people and relying parties showed that for those things, they don't care. So to me, the mistake which I'm afraid people will make again, is to be intransigent and try to make this new experience the only experience that people can use for doing identity.
If they do it, I suspect that they'll have a similar experience to the one that we had back in 2006, 2007, 2008. But I don't know, might just be an old man shaking his fist at the cloud. What do you think?

Stuart: Maybe you should have a follow-on episode about U-Prove. But for those of you listening, go Google that one and maybe you can ask [inaudible] to interview some people about that. But that's a very interesting point. It's a very interesting point. Even the laws of identity suggest a plurality of providers. They actually don't suggest a plurality of experiences, and whether or not the laws are enduring or if we should reflect as we try to apply them in the future, I don't know. But all I know is that we will solve the problem and it will be very important. When we solve this problem and when it reaches a critical mass of users, it will change many of the dynamics on the internet and it'll change things, I predict, in unexpected ways. Like the introduction of a jet engine instead of propellers, we're going to get a whole different set of things happening and a whole different set of opportunities when we get there.

Vittorio: Oh yeah. And if you think of things like the mobile driving license that is being modeled on top of verifiable credentials, and you think of all the circumstances in which we use that thing in the plastic version and what will happen when we have a digital one. And people also underplay the risks that are behind this. Because today doing strong identity proofing is hard and it's expensive and so it happens only when you really must do this. If you need to renew your Global Entry application or if you need a loan, then you'll have to pull out the documentation. But in your day to day, when do you say darn, if only I could use my driving license with this website? It happens relatively rarely. But the moment in which you have a digital version and you can use it all the time, then you might see people that don't need to actually have that level of verification push to obtain that level of verification, which might result, paradoxically, in worse privacy than what we have today. Because again, today we can go all through the internet and very rarely have a strong proof of real name identity. So again, we'll see what happens. I agree with you, that jet engine instead of propellers is going to be interesting to see play out.

Stuart: Once you make something easy enough, the dynamics can change in really strange ways. I totally agree with you. It will be interesting to see.

Vittorio: Wonderful. Well, I kept you for more than 50 minutes so I don't want to abuse your patience too much and I'm very grateful that you were willing to spend this time with me reminiscing. Normally at this point, I'd ask you for a call to action, but this thing, as we put it nicely earlier, has been composted so there isn't a lot of action we can do. But nonetheless, are there any parting thoughts that you can use to close this nice chat we had?

Stuart: Kim Cameron, who you and I both knew well, used to say anybody who works in identity is a friend of mine. While there's no particular call to action with respect to information cards and CardSpace, I want to continue the spirit of, identity is everybody's problem, we all get to work together on it and we gain a lot by working together on it. So I'm looking forward to continuing to work in identity and make many friends in this space so that we can all... We can all make the internet safer. Kim used to say, what was it? Making the internet safe for colonization.

Vittorio: Fantastic. I cannot think of a better message for closing the episode. So thanks Stuart for your time today.

Stuart: Thank you for having me. It was wonderful.

Vittorio: And thanks everyone for tuning in. Until next time. Thanks everyone for listening. Subscribe to our podcast on your favorite app or at identityunlocked.com. Until next time, I'm Vittorio Bertocci and this is Identity Unlocked. Music for this podcast is composed and performed by Marcelo Wolovski. Identity Unlocked is powered by Auth0 in partnership with the OpenID Foundation and IDPro.


Today's Host


Vittorio Bertocci

|Principal Architect, Auth0

Today's Guests


Stuart Kwan

|Partner Product Manager, Identity and Network Access Division, Microsoft