Though CardSpace can be used for logging on to any type of application, its main selling point is that it can provide a secure logon to Web sites. It was built on Microsoft's .NET Framework 3.0 and was originally known as InfoCard when it was first announced in 2005. On Web sites using CardSpace, the user bypasses the standard user ID and password input fields in favor of clicking on a CardSpace logo to access the site.
Once users register with the Web sites they want to access using CardSpace, the logo will appear when they visit that site instead of a standard logon screen. But CardSpace needs two to tango. The dance partner, meaning the Web site requiring authentication, must be able to interoperate with CardSpace: it states which identity claims it requires (a name, an e-mail address, a site-specific identifier and so on), and CardSpace obtains a token carrying them. What the user actually holds is a set of information cards. Each card is an XML file stored on the user's machine, and CardSpace is the identity selector that manages the cards and lets the user pick one when a site asks.
A user can hold several cards, and a card can be presented at more than one site. For each site a card is used at, CardSpace derives a site-specific identifier (the private personal identifier, or PPID), so two sites cannot link the same user through it. Self-issued cards hold claims the user typed in; managed cards are issued by an identity provider such as a bank or employer and carry claims that provider vouches for. This is an extremely simplified explanation of how a user accesses a Web site with CardSpace. The different parts of the system and the full contents of each card file are beyond the scope of this brief discussion. The key point to remember is that CardSpace implements what is called a digital identity, that is, an identity profile replacing simple user IDs and passwords.
The two sides authenticate each other: the Web site presents its digital certificate, which CardSpace displays to the user before any card is released, and the card proves possession of its own key by signing the token it sends. CardSpace can also be beefed up by combining it with other forms of authentication like smart cards, which a managed card can require before it will release a token.
The key difference between CardSpace and user IDs and passwords is that CardSpace never sends a reusable secret. Unlike a user ID and password, which can be sniffed when sent over the Internet and replayed, a CardSpace token is signed, encrypted to the Web site's certificate, bound to that site and valid only for a short window, so a token captured en route is neither readable nor usable anywhere else. This also blunts phishing attacks: a look-alike site that tricks the user into presenting a card receives a token bound to itself, carrying a different site-specific identifier, which the genuine site will not accept, and there is no password on the wire for the attacker to harvest. Because CardSpace shows the site's certificate details before releasing a card, the user also has a chance to notice an impostor site.
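The properties described above, as an added example that is not Microsoft's code or part of the original answer: a simplified model of a self-issued card being presented to a genuine site and to a phishing site. The real system exchanges SAML tokens over WS-Trust, signs them with a per-site key pair held in the card and encrypts them to the site's X.509 certificate; here an HMAC stands in for the signature, the encryption step is omitted, and the certificates, card contents and site names are constructed for illustration. What the model does show is why a captured or phished token is useless elsewhere: the identifier and key are derived per site, and the token names its audience and validity window.

```python
"""Simplified model of a CardSpace self-issued card login (added example).
Constructed data throughout; HMAC stands in for the per-site signature and
token encryption is left out."""

import hashlib
import hmac
import json


def make_card(card_id: str, master_key: bytes, claims: dict) -> dict:
    """A card as stored on the user's machine: claims plus a master secret.
    There is no site password in it."""
    return {"card_id": card_id, "master_key": master_key, "claims": dict(claims)}


def rp_identity(rp_cert: dict) -> bytes:
    """Identifier for a relying party, derived from its certificate (CardSpace
    uses the organisation fields of an EV cert, otherwise the public key)."""
    material = rp_cert["subject"] + "|" + rp_cert["public_key"]
    return hashlib.sha256(material.encode()).digest()


def ppid(card: dict, rp_cert: dict) -> str:
    """Private Personal Identifier: stable for one (card, site) pair and
    different for every other site, so sites cannot correlate the user and a
    look-alike site never learns the identifier the genuine site knows."""
    return hashlib.sha256(card["card_id"].encode() + rp_identity(rp_cert)).hexdigest()


def site_key(card: dict, rp_cert: dict) -> bytes:
    """Per-site signing key (stand-in for the per-site key pair in the card)."""
    return hmac.new(card["master_key"], rp_identity(rp_cert), hashlib.sha256).digest()


def _sign(key: bytes, body: dict) -> str:
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_token(card: dict, rp_cert: dict, requested_claims, now: int, ttl: int = 300) -> dict:
    """What the selector sends instead of a user ID and password: the requested
    claims plus PPID, audience and validity window, signed with the site key."""
    body = {
        "ppid": ppid(card, rp_cert),
        "audience": rp_cert["subject"],
        "issued": now,
        "expires": now + ttl,
        "claims": {c: card["claims"][c] for c in requested_claims},
    }
    return {"body": body, "sig": _sign(site_key(card, rp_cert), body)}


class RelyingParty:
    """A site that accepts CardSpace logins and pins one key per PPID."""

    def __init__(self, cert: dict):
        self.cert = cert
        self.accounts = {}  # ppid -> pinned verification key

    def register(self, token: dict, verification_key: bytes) -> str:
        """First visit: pin the key that signed the first token (the real site
        pins the card's per-site public key, which the token carries)."""
        body = token["body"]
        if body["audience"] != self.cert["subject"]:
            return "rejected"
        if not hmac.compare_digest(_sign(verification_key, body), token["sig"]):
            return "rejected"
        self.accounts[body["ppid"]] = verification_key
        return "registered"

    def login(self, token: dict, now: int) -> str:
        body = token["body"]
        if body["audience"] != self.cert["subject"]:
            return "rejected: token issued for another site"
        if not body["issued"] <= now < body["expires"]:
            return "rejected: outside validity window"
        key = self.accounts.get(body["ppid"])
        if key is None:
            return "rejected: unknown PPID"
        if not hmac.compare_digest(_sign(key, body), token["sig"]):
            return "rejected: bad signature"
        return "ok"


def demo() -> dict:
    """Constructed scenario: one card, a genuine bank and a look-alike site."""
    card = make_card("card-0001", b"\x11" * 32, {"name": "Ada", "email": "ada@example.com"})
    bank = RelyingParty({"subject": "CN=bank.example", "public_key": "bank-key"})
    phish = RelyingParty({"subject": "CN=bank-example.test", "public_key": "phish-key"})
    t0 = 1_000_000
    first = issue_token(card, bank.cert, ["email"], t0)
    out = {"register": bank.register(first, site_key(card, bank.cert))}
    out["login"] = bank.login(issue_token(card, bank.cert, ["email"], t0 + 60), t0 + 61)
    out["replay_expired"] = bank.login(first, t0 + 600)          # captured, replayed late
    tampered = json.loads(json.dumps(first))                     # captured, claims edited
    tampered["body"]["claims"]["email"] = "mallory@example.com"
    out["tampered"] = bank.login(tampered, t0 + 10)
    phished = issue_token(card, phish.cert, ["email"], t0 + 120)  # user fooled by look-alike
    out["phish_at_bank"] = bank.login(phished, t0 + 121)
    patched = json.loads(json.dumps(phished))                    # attacker rewrites audience
    patched["body"]["audience"] = bank.cert["subject"]
    out["phish_patched"] = bank.login(patched, t0 + 121)
    out["unlinkable"] = ppid(card, bank.cert) != ppid(card, phish.cert)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The phishing site ends up holding a token it cannot use: its audience names the phishing site, its PPID is one the bank has never seen, and the attacker cannot compute the bank's PPID because that needs the card identifier, which never leaves the user's machine. The real system adds encryption to the site's certificate on top of this, so a token captured on the wire cannot even be read.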
CardSpace has its issues, notably portability and interoperability with non-Microsoft platforms. Since card files are stored on individual desktops, they aren't portable for users who access their applications and Web sites from different workstations. Cards can, however, be exported to a password-protected backup file, carried on a USB key and imported on another machine. It's also Windows-centric: CardSpace is available for Windows Vista, Windows XP and Windows Server 2003. Microsoft says it has designed CardSpace as one component of a standards-based identity metasystem, built on the WS-* Web services protocols, that is meant to be platform independent.
CardSpace is still in its infancy, but it's an interesting technology to watch. If it takes off, it could be a more secure authentication system than standard user IDs and passwords.
Related Q&A from Joel Dubin