As for providing security assurance, CardSpace is built on standards such as WS-Trust, Secure Token Service, and WS-Security. As a result, CardSpace benefits from the public security reviews of these standards. And because both CardSpace and OpenID are open architectures, thorough security reviews of each are possible.
The biggest threat to individuals is the so-called “social engineering” that any identity system allows. Of these, phishing poses the biggest threat at present, and OpenID, like any Web-based authentication scheme, is especially vulnerable. CardSpace’s identity selector was invented specifically to foil phishing and related attacks. Moreover, CardSpace’s rigid insistence on a consistent user experience reduces the diverse authentication contexts users face when tapping Web-based authentication technologies, thereby increasing the likelihood that they will recognize something out of the ordinary when asked for credentials.
Crossing the identity chasm
User-centric technologies have already demonstrated that they can solve many of identity's most difficult problems. Yet user-centric identity currently stands overlooking Geoffrey Moore's product adoption chasm, having won over enthusiasts and visionaries, but awaiting widespread adoption from the more pragmatic early majority on the other side. To cross that chasm, user-centric technologies will have to pass several milestones in the next 12 to 24 months.
First, user-centric identity will need to be incorporated into more of the products enterprise users buy. “The challenge is that the pieces aren’t there for organizations to deploy,” Sxip’s Hardt says. “If CA ships it with SiteMinder, then it’s a configuration decision. When Microsoft ships ActiveDirectory with CardSpace built in, issuing managed cards will be easy.”
Burton Group’s Neuenschwander agrees. “On their own, they’re not likely to be deployed. Enterprises will deploy OpenID and CardSpace through a federation or ESSO [enterprise single sign-on] product. That will be a safer and more functional way for enterprises to acquire and deploy these technologies,” he says.
As for the likelihood of either technology gaining widespread vendor acceptance over the short term, Neuenschwander adds, “Most of the federation vendors are going to support interaction with CardSpace. For one thing, it will get them single sign-on capabilities with Microsoft environments like SharePoint and Exchange. That’s all rolling out over the next year.”
A related component is the identity selector itself. Microsoft has included it in Vista, but getting the identity selector anywhere else requires downloading and installing it. Incorporating identity selectors into the OS without a separate download will increase penetration and will eliminate one side of the chicken-and-egg problem that enterprises face with CardSpace in b-to-c scenarios.
On the standards front, OpenID 2.0, with standards for user-attribute exchange, is an important milestone. For CardSpace, watch for the ability to synchronize claims among multiple machines, including mobile claims functionality.
Although there’s still much to be done before most organizations will embrace these technologies wholeheartedly, some deployments are already under way.