Introduction to Information Cards




Last week we discussed OpenID, one of the identity technologies you should care about.  Today we'll talk about "Information Cards", another open standard for identity on the web.  We'll fill out the series by discussing BBAuth and Live ID in future posts.

The quickest way to understand "Information Cards" is to look at this one-minute screencast.  It demonstrates login without a password using both Internet Explorer and Firefox.  The user simply presents an "information card" to the site, and is safely logged in.



Business Case: if you enable people to use Information Cards to log in to your site, your users will be able to log in with a safe, consistent, phishing-resistant user interface that doesn't require a username and password.  People can use a shared "Information Card" across multiple sites for convenience without compromising their login information (similar to using a shared OpenID across multiple sites).  But more importantly, the "Information Cards" protocol is designed for use in high-value scenarios like banking, where phishing-resistance and support for secure authentication mechanisms like smart cards are critical.

Protocol: Information Cards are based on open standards.  Anyone can implement, issue, or accept Information Cards.  Information Cards are built on the WS-* specifications instead of HTTP redirects, so the specifications are significantly more complicated than OpenID.

Industry Situation: A number of platforms can easily accept Information Cards for login.  It takes just a few minutes to enable Information Cards on ASP.NET, and code is available for Ruby, Java, and PHP.  Once a web site is configured to accept Information Cards for login, users can log in from Windows (using Windows CardSpace), and soon from Mac and Linux.  In fact, just a couple of weeks ago at Burton's Catalyst conference, 11 different clients and 24 different servers participated in an interop demo.

Analysis: Information Cards can be considered a "heavier" protocol than the other technologies (LiveID, BBAuth, OpenID).  But when you want password-less login, phishing-resistance, and a consistent cross-platform UI, they are essentially the only option.  And Information Cards are complementary to the other technologies (as we saw with OpenID last week) in that you could use an Information Card in place of a username/password to authenticate against one of the other systems.  You should strongly consider Information Cards (end-to-end, or in conjunction with something like LiveID or OpenID) if your scenario isn't one where you feel comfortable with the security implications of "password reminder e-mails".


