EXPERT RESPONSE
First, it's important to note that it's difficult to directly compare CardSpace with a password-based authentication system because they each do different things. Specifically, CardSpace is a Microsoft initiative to replace user IDs and passwords with a digital or virtual identity. The two systems can still be compared, however, in terms of their advantages and disadvantages.
Though CardSpace can be used for logging on to any type of application, its main selling point is that it can provide a secure logon to Web sites. It was built on Microsoft's vaunted .NET Framework (version 3.0), and was originally known as InfoCard when it was first announced in 2005. On Web sites using CardSpace, the user bypasses the standard user ID and password input fields in favor of clicking on a CardSpace logo to access a Web site.
Once users register with the Web sites they want to access using CardSpace, a logo will appear when they visit that site instead of a standard logon screen. But CardSpace needs two to tango. The dance partner, meaning the Web site requiring authentication, must be able to interoperate with CardSpace and provide the digital identity information needed by CardSpace to authenticate the user. The CardSpace is actually an XML file stored on the user's desktop.
Users have different CardSpaces for each site requiring authentication. Each CardSpace file is unique, only holding the specific identity credentials for one Web site. This is an extremely simplified explanation of how a user accesses a Web site with CardSpace. The different parts of the system and the contents of each CardSpace file are beyond the scope of this brief discussion. The key point to remember is that CardSpace is what is a called a digital identity, that is an identity profile replacing simple user IDs and passwords.
Both the user and the Web site use digital certificates to mutually authenticate each other. CardSpace can also be beefed up by combining it with other forms of authentication like smart cards.
The key difference between CardSpace and user IDs and passwords is that CardSpace doesn't contain any real user credentials. So, unlike user IDs and passwords, which can be sniffed when sent over the Internet, CardSpace only sends encrypted tokens, which can't be compromised if captured en route. This can also prevent phishing attacks, since there isn't anything an attacker can grab off the wire and use. In addition, CardSpace uses digital certificates to mutually authenticate users and Web sites to each other, which also defeats phishers.
CardSpace has its issues, notably portability and interoperability with non-Microsoft platforms. Since CardSpace files are stored on individual desktops, they aren't portable for users who access their applications and Web sites from different workstations. CardSpace files, however, can be stored on USB keys and installed on other machines. It's also Windows-centric. CardSpace is available for Windows Vista, Windows XP and Windows Server 2003. Microsoft says it has designed CardSpace to work with standards-based identity metasystems that are platform independent.
CardSpace is still in its infancy, but it's an interesting technology to watch. If it takes off, it could be a more secure authentication system than standard user IDs and passwords.
For more information:
Learn the key access management issues of 2008, including remote access, provisioning and Web authentication.
In this expert Q&A, Joel Dubin defines identity propagation and explains how it works.
|
