SAN JOSE, Calif. -- Microsoft Chairman and Chief Software Architect Bill Gates used his RSA Security conference keynote Tuesday to outline a future where passwords have gone the way of the dinosaur, multi-factor authentication is the norm and cyberspace functions within a "trust ecosystem."
Gates said trust ecosystems exist in the physical world, where those who break the trust can suffer a damaged reputation or be convicted of a crime. He said the concept must be extended to the Internet through more trustworthy code and devices, and outlined steps the software giant is taking to get there.
"Passwords are the weak link," Gates told his audience. "We need to move in the direction of smart cards, and multi-factor authentication must be built into the system itself. We need the ability to track what goes on and have a built-in recovery system."
While the vision sounded good on paper, some attendees were skeptical.
Microsoft has acknowledged the need to move beyond passwords before, said Ken Russ, a security infrastructure specialist. But the company's last attempt at authentication technology, the Passport single sign-on service, was unsuccessful.
"They had to abandon their previous attempt, and establishing trust between multiple companies is a difficult task," Russ said. "I don't know if any one company--including Microsoft--is up to the task."
That skepticism aside, Gates sounded like a man determined to toss passwords onto the trash heap of history and usher in an era where cyberspace is built around the trust ecosystem.
Microsoft is working with industry to build up an Identity Metasystem--a way in which users and Web sites can more safely and privately trade personal identity information online, Gates said. To that end, the company will roll out "InfoCard," the working name for a new feature that "simplifies and improves the safety of accessing resources and sharing personal information on the Internet." His keynote included a demonstration of InfoCard.
Gates said InfoCard will be delivered as part of WinFX, Microsoft's managed code programming model, and will support Internet Explorer 7 on Windows Vista, due out later this year, as well as Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 and R2.
Microsoft will also use the future release of Windows Server--code-named Longhorn--to pack more ID management punch into Active Directory, Gates said. That extra punch will include services for rights management, certificates, Meta directory and federation ID.
Gates also unveiled the first beta of the Microsoft Certificate Lifecycle Manager, which the Microsoft Web site describes as a "policy- and workflow-driven solution that streamlines the provisioning, configuration and management of digital certificates and smart cards, and increases security through strong, multifactor authentication technology."
He said the goal is to move beyond passwords in three to four years.
While these activities are all part of developing a trust ecosystem, Gates said the tech industry must also focus on three other goals to achieve a more secure future:
The first goal is better security engineering. This means training engineers to think about security from the very beginning, during the code-writing process. Gates said industry partners should follow Microsoft's lead and share their best practices for developing more secure code. As an example, he cited Microsoft's implementation of the Security Development Lifecycle (SDL), which has been made publicly available for developers, including its code-scanning tools such as PREfast and FxCop in Visual Studio 2005.
Gates' second goal is simplifying security so it is transparent to users, easier for IT professionals to implement and simpler for developers to write their code around. Microsoft's efforts in this area include the Windows Security Center in Windows XP SP2 and Windows Vista. Security Center is designed so the status of security measures is easily visible for consumers. Another example Gates addressed was Windows OneCare Live, developed to improve overall PC health instead of focusing on merely one need, according to the Microsoft Web site.
The third goal is building a "fundamentally secure platform" that "maintains the confidentiality and integrity of information and resources, regardless of whether information is being stored or transported across devices, services or networks," Gates said. He then used Windows Vista as an example.
Vista will include a feature called Windows Service Hardening, which restricts critical Windows services from doing potentially malicious activities in the file system, registry, network or other resources that could be used to allow malware to install itself or attack other computers, Microsoft notes on its Web site. Another key feature is a built-in anti-malware tool called Windows Defender. Gates said the free beta download for Defender is now available for customers using Windows XP, 2000 and Server 2003.