CardSpace & Why it's More Secure

We've been teaching quite a few .NET University sessions across the southeast over the past couple of months.  Overall, these sessions have been a big hit.  While of course we get a ton of great technical questions each session, the one that comes up quite a bit is regarding CardSpace and why it's a great solution (or is it?).

One of the problems we identify in the digital identity management space is that users, often in frustration, use the same usernames and passwords across multiple sites.  When users do diversify, they often use an unencrypted file on their desktop to store their credentials -- after all, who can remember a dozen usernames and passwords?  There's seldom any verification of the credentials users provide, and the end-user experience is inconsistent.  The claims that each issuer asserts (such as first name, last name, e-mail, etc.) vary greatly, and there's no centralized way to manage your information.

So, one of the biggest concerns people have after seeing us demo CardSpace is: what happens if my machine is stolen or has unauthorized use?  Wouldn't this increase the likelihood of a problem by having all of the cards on that machine?

The answer is: maybe.  CardSpace isn't about protecting your credentials on your machine (that's physical security, whereas CardSpace is digital identity management).  It's about protecting your credentials from interception (phishing, which has increased dramatically over the years); giving the end user more comfort in deciding who to trust with their information; providing a consistent user experience across otherwise disparate systems; and supporting the WS-* specs it's built on.

Your machine is much like your wallet.  If your wallet is stolen, you have a certain degree of exposure.  We do, of course, recommend that people enable PINs on any cards that hold sensitive information.  And, just like cards in your wallet, it's very easy to cancel cards through the identity provider, as well as track card usage -- something that is not so easy to do today.  So what are we doing about physical security?

BitLocker.  BitLocker is a technology in Vista that allows you to encrypt your entire hard drive.  Because this is implemented below the driver level, it is completely transparent to the end user, and has no performance degradation.  In order to use BitLocker, you need either a TPM 1.2 (trusted platform module -- typically built into the motherboard) or a USB key.  The USB key must be usable from the BIOS (that is, it must not need a driver from the OS), as the key must be read prior to boot.

Without getting into specifics (perhaps a future post?), what this does is prevent your drive from being booted on another machine, or even mounted as a different volume on the same machine.  Without the proper key, the drive will look like complete garbage.  So, not only would your CardSpace cards be encrypted, but your entire drive would be as well.  (And frankly, if my laptop were stolen, it's the contents of the drive -- source code, email, spreadsheets, etc. -- that would worry me more than my cards.)

So, there you have it -- BitLocker and CardSpace to solve the physical security and digital identity problems.  One of the cool things you can do with CardSpace is create a self-issued card ... basically, you are asserting pieces of information about yourself in an uncorroborated way: nobody but you vouches for the claims.

Why is this cool?  Well, think about discussion forums or other places on the internet where having an account is important, but doesn't need any substantiation.  (Even on my site, I allow anyone to create an account to set up a WorldMap account or view pictures.  It doesn't really matter if the claims made by these folks are genuine, only that they go through the process.)  CardSpace allows users to create these self-issued cards ... so stay tuned ... I hope to post more in-depth info on these and similar technologies.
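Because a self-issued card's claims are unverified, a site that accepts one should identify the returning user by the card's site-specific PPID bound to the card's signing key, not by the e-mail address the card asserts. The following Go model is an added example and not CardSpace or .NET code; the token layout, the `ppid=...&email=...` signing payload and the PPID-plus-modulus account derivation are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SelfIssuedToken is a constructed stand-in for the token a self-issued card presents:
// a self-asserted claim, the site-specific PPID, the card's public key, and a signature.
type SelfIssuedToken struct {
	Email     string         // self-asserted claim: nobody has verified it
	PPID      string         // private personal identifier, unique per card and site
	PubKey    *rsa.PublicKey // the card's signing key
	Signature []byte
}

// Issue plays the identity selector: sign PPID and claims with the card's private key.
func Issue(priv *rsa.PrivateKey, ppid, email string) (*SelfIssuedToken, error) {
	h := sha256.Sum256([]byte("ppid=" + ppid + "&email=" + email))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return nil, err
	}
	return &SelfIssuedToken{Email: email, PPID: ppid, PubKey: &priv.PublicKey, Signature: sig}, nil
}

// AccountID is the relying-party check: verify the signature, then key the account on
// PPID plus public key. The e-mail claim is left out: a self-issued card can assert any address.
func AccountID(t *SelfIssuedToken) ([32]byte, error) {
	h := sha256.Sum256([]byte("ppid=" + t.PPID + "&email=" + t.Email))
	if err := rsa.VerifyPKCS1v15(t.PubKey, crypto.SHA256, h[:], t.Signature); err != nil {
		return [32]byte{}, fmt.Errorf("token rejected: %w", err)
	}
	return sha256.Sum256(append([]byte(t.PPID), t.PubKey.N.Bytes()...)), nil
}

func main() {
	k1, _ := rsa.GenerateKey(rand.Reader, 2048)
	k2, _ := rsa.GenerateKey(rand.Reader, 2048)
	t1, _ := Issue(k1, "ppid-A", "alice@example.com")
	t2, _ := Issue(k2, "ppid-A", "alice@example.com") // same claim, different card
	id1, _ := AccountID(t1)
	id2, _ := AccountID(t2)
	fmt.Println("distinct accounts:", id1 != id2) // true
}
```

Two cards asserting the same e-mail land in two different accounts, and a token whose claims were altered after signing, or whose key was swapped, is rejected before any account lookup happens.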

Comments (4)

james peckham
4/26/2007 11:30:27 PM #

Uh, if I'm using BitLocker, then why wouldn't I just keep a spreadsheet with my passwords? Easier than using CardSpace AND trying to remember passwords for all of the sites that don't use vcard. I don't think from a user perspective they're going to adapt yet another security device; as you said, things are already inconsistent enough, you're just adding one more to the pile.

4/27/2007 4:45:48 AM #

Additionally, wasn't .NET Passport attempted a couple of years ago, to do something similar? Whatever happened to that?

4/27/2007 9:47:39 AM #


If you're using BitLocker and want to use a spreadsheet -- go for it.  That does provide decent protection of your passwords.  But, consider:

Does it do anything to protect you from phishing or fraud attacks?

Will you use BitLocker on every machine you have your passwords on?  (BitLocker isn't available on most home versions of Vista.)  What about previous XP installs you may have?

Do you gain any protection from who has your data and how securely they use it?  (If one vendor follows all the best practices by properly securing your credit card and PII, great -- but another one may not.)

You make a valid point that, at present, it's just one more authentication scheme on the pile.  That would be true of any new system though -- there's no way to avoid that.  But, as more adopt it (and more are adopting it), you'll see that it's actually easier.  It gives you a consistent UI, better security, standards support, etc.

In the meantime, I think using BitLocker -- with or without CardSpace -- is a smart idea!

4/27/2007 2:54:25 PM #

Ah yes, Passport!

It still lives.  We sometimes joke that Passport is actually great ... if we could only get everyone to use it.

Here's the problem with Passport.  It's difficult to implement into a site ... CardSpace took me a weekend and most of that was retrofitting my site to use it.  It's expensive, and it's proprietary.  You need to trust Microsoft with your data.

With CardSpace, it's much more open.  It's built on open WS-* standards.  You choose which providers to share your information with.  In some cases, you can share more, or less.  If you want to accept unmanaged cards, like I've done on my site, it's free.  Otherwise, you'd pay the provider much like you'd pay for a certificate now.  And much like a card in your wallet, if you choose to, you can revoke or cancel the card.  Deciding which sites to share your data with is much easier and more transparent to you.
