Though CardSpace can be used for logging on to any type of application, its main selling point is that it can provide a secure logon to Web sites. It was built on Microsoft's vaunted .NET Framework (version 3.0), and was originally known as InfoCard when it was first announced in 2005. On Web sites using CardSpace, the user bypasses the standard user ID and password input fields in favor of clicking on a CardSpace logo to access a Web site.
Once users register with the Web sites they want to access using CardSpace, a logo will appear when they visit that site instead of a standard logon screen. But CardSpace needs two to tango. The dance partner, meaning the Web site requiring authentication, must be able to interoperate with CardSpace and provide the digital identity information needed by CardSpace to authenticate the user. The CardSpace card itself is actually an XML file stored on the user's desktop.
Users have a different CardSpace card for each site requiring authentication. Each CardSpace file is unique, holding only the specific identity credentials for one Web site. This is an extremely simplified explanation of how a user accesses a Web site with CardSpace. The different parts of the system and the contents of each CardSpace file are beyond the scope of this brief discussion. The key point to remember is that CardSpace is what is called a digital identity, that is, an identity profile replacing simple user IDs and passwords.
Both the user and the Web site use digital certificates to mutually authenticate each other. CardSpace can also be beefed up by combining it with other forms of authentication like smart cards.
The key difference between CardSpace and user IDs and passwords is that CardSpace doesn't contain any real user credentials. So, unlike user IDs and passwords, which can be sniffed when sent over the Internet, CardSpace only sends encrypted tokens, which can't be compromised if captured en route. This can also prevent phishing attacks, since there isn't anything an attacker can grab off the wire and use. In addition, CardSpace uses digital certificates to mutually authenticate users and Web sites to each other, which also defeats phishers.
CardSpace has its issues, notably portability and interoperability with non-Microsoft platforms. Since CardSpace files are stored on individual desktops, they aren't portable for users who access their applications and Web sites from different workstations. CardSpace files, however, can be stored on USB keys and installed on other machines. It's also Windows-centric. CardSpace is available for Windows Vista, Windows XP and Windows Server 2003. Microsoft says it has designed CardSpace to work with standards-based identity metasystems that are platform independent.
CardSpace is still in its infancy, but it's an interesting technology to watch. If it takes off, it could be a more secure authentication system than standard user IDs and passwords.
This was first published in February 2008