Bill Bosacker

This is just my normal user blog for things that don't fit in the other blogs, but are tailored for the open source C/C++/C# and .NET communities.
Holy CardSpace Batman!

WARNING: THE FINAL SENTENCE OF THIS POST MAY GROSS YOU OUT! 

Hey All,

I went to another MSDN event yesterday, mostly for the AJAX.NET stuff, but the first presentation was for CardSpace.  The only thing that I knew about CardSpace before the presentation was that it is another personal authentication management system.  After the presentation I was thinking that identity thieves must be rejoicing.  This system seems to ignore every single study that I have read on the matter, and bypasses all of the safeguards that have been put into place over the past few years as well.  Its basis is a local store for single-click proxy authentication by identity stores.

I'm not going to get into any of the details, but the entire system relies on the fact that only the true owner will have access to the cards.  If someone were to steal your HD, copy your HD, or export your CardSpace information to another computer, you are screwed.  CardSpace does not only contain references to your personal information, it also contains a history of every site that has requested information from your CardSpace store.  No longer will identity thieves need to work very hard at getting your personal information, they can just take it from your computer.

The presenter did say in a lowered voice that CardSpace is currently not being used (nor is it ready) for secure sites and that there haven't been any studies of its use in these areas, but she did say that it is ready for all other types of use.  All I can say is that CardSpace in its current form would be a total waste of time to implement on any system.  Until there is a completely safe and secure way to bypass Login/Password requests, logins and passwords will be required for all types of secure authentication.  To ensure the safety of the user, biometrics and other forms of authentication can only be used as secondary forms of authentication, as this other information can be forcefully removed from its owner.

Take it easy,
Bill

Published Wednesday, May 16, 2007 9:17 AM by Bill Bosacker
