
Online identities, phishing, Microsoft and you

Vista will include a replacement for user names and passwords.

Received any suspiciously good offers recently? Most of us can spot the obvious frauds offering millions in unclaimed cash, but protecting your identity needs to be more than a test of how street smart you are. And getting identity right solves more problems than just online fraud.

Kim Cameron is Microsoft’s identity architect. He’s embarrassed to be called a ‘Microsoft official’. He won an award for knowing that technology has to work in the real world. And he can’t cope with a single extra password so he’s come up with a password-free system for proving your identity that will start showing up in Windows soon.

Phishing, as Cameron points out, has a 1,000 per cent compound annual growth rate any business would give its eye teeth for. It’s an easy market – most people will tell you their password for a Starbucks voucher or a free pen.

You can tell when you’re walking into a high street bank, but spotting the online equivalent of a dark alley is harder. The IE 7 anti-phishing toolbar can’t stop you installing something that sounds the same and turns out to come from the phishers themselves: Cameron calls it a sheep farm operated by wolves. Windows Vista is going to include a replacement for user names and passwords, called InfoCard, which uses web services to compare what you say about yourself with what sites want to know. You’ll be able to view your identities the way you can look at your files, and developers will be able to handle identity in software and services in a way that looks the same to you every time – so you know when you can trust it.

No one – users or websites – wants Microsoft peeking at the information going backwards and forwards. To make this more than just the next version of Passport, Cameron’s been designing an identity metasystem so you can exchange an InfoCard ID with a website that uses another kind of ID system. The Active Directory Federation Services in Windows Server R2 is the first step to integrating Active Directory identities with the identity metasystem, but Cameron wants this to work with more than just Windows. The first ever demo was with a Java-based security token service from Ping Identity, running on Linux.

Microsoft isn’t the first company you think of when you’re talking open standards and security, so to help people trust the metasystem and InfoCard, he’s been thrashing out on his blog the seven laws of identity needed to ensure both privacy and security.

Like everyone, Cameron has had problems with passwords and online security. On one holiday he logged on to his bank account from an Internet cafe in Italy and it was only when money went missing that he remembered the camera pointing at the screen. But he’s also seen how information becomes more accessible as technology moves on – and how that’s not always a good thing.

He came to Microsoft when they bought ZOOMIT, the company where he developed the metadirectory that became Microsoft Identity Integration Server. Metadirectories bring together information that used to be in separate systems. You can get at your email, the Lotus Notes discussions you’re involved in and the company databases you have access to without typing in a user name and password three or four times. With a metadirectory, administrators can manage user information, provide access to disparate systems, manage workflow, audit who accesses what and when – and remove users when they leave the company without having to do the same thing in every separate system by hand. Workflow gets built into Windows in WinFX and Office 12, with a graphical interface that makes it easy to grab information from almost anywhere and make it part of the way your business works.

But anything that brings together all that information is a tempting target for hackers (one of the main criticisms of the government ID Card plans is that they create the biggest honeypot you can imagine). And there are privacy issues even with legitimate users. Back at ZOOMIT, there was a metadirectory covering employees and a web interface that turned the staff list into a set of web pages. Kim thought everyone would want their own web page with a photograph; he quickly found out that while some people want to talk about who they are, there are just as many people who want to keep things more private.

That’s why the first law of identity says that your details only get revealed with your consent, and the second says ‘don’t hand out any more details than necessary’ – because if users don’t trust it to keep things private, the identity metasystem will never succeed.
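As an added illustration, not code from the column or from Microsoft’s InfoCard, here is a toy claims exchange in Python that applies those first two laws: the identity selector releases nothing without consent, and only the claims the site’s policy asks for. The information card, the relying-party policy and the HMAC key standing in for a token service’s signing key are all constructed for the example.

```python
import hmac, hashlib, json

# Constructed sample data (not from the column): the claims on a user's
# information card, and a relying party's policy naming the claims it needs.
INFO_CARD = {
    "given_name": "Alice", "surname": "Example", "email": "alice@example.test",
    "date_of_birth": "1980-01-01", "over_18": "true", "postcode": "AB1 2CD",
}
RP_POLICY = {"site": "shop.example.test", "required_claims": ["email", "over_18"]}

# Hypothetical key shared by the token service and the relying party; a real
# security token service would sign with a proper key, not a constant.
IDP_KEY = b"demo-key-not-for-production"

def select_claims(card, policy, consent):
    """Law 1: release nothing without the user's consent.
    Law 2: release only the claims the site's policy asks for, nothing more."""
    if not consent:
        raise PermissionError("user declined to release claims")
    missing = [c for c in policy["required_claims"] if c not in card]
    if missing:
        raise KeyError(f"card cannot satisfy claims: {missing}")
    return {c: card[c] for c in policy["required_claims"]}

def issue_token(claims, audience):
    """Token service: bind the released claims to the site they are for."""
    body = json.dumps({"aud": audience, "claims": claims}, sort_keys=True)
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify_token(token, expected_audience):
    """Relying party: accept only an intact token issued for this site."""
    expected = hmac.new(IDP_KEY, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None  # tampered or forged token
    payload = json.loads(token["body"])
    if payload["aud"] != expected_audience:
        return None  # a token issued for another site is rejected
    return payload["claims"]

def demo():
    """Full exchange: consent, minimal disclosure, issue, verify."""
    claims = select_claims(INFO_CARD, RP_POLICY, consent=True)
    token = issue_token(claims, RP_POLICY["site"])
    return verify_token(token, RP_POLICY["site"])
```

The site ends up with the email address and the over-18 flag it asked for, while the date of birth and postcode on the card never leave the user's machine.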

Mary Branscombe  
  PC Plus Issue 238 - January 2006