Windows CardSpace: Consistent User Control of Digital Identities

Think about how people represent themselves today on the Internet. In the majority of cases, a person’s digital identity is expressed as a simple username. Combined with a password, this identity is used to access email accounts, Internet merchants, and even on-line banks and other financial institutions. Yet despite their popularity, usernames and passwords have several drawbacks. Here are the two most important:
 People have a hard time remembering all of the usernames and passwords they’ve chosen for different sites. Many people use the same values for different sites, easing the memory problem but increasing the security risk.
 Usernames, passwords, and other personal information can be stolen by phishers. By sending deceptive emails, phishers entice their victim to log into a Web site that looks just like, say, the site of the victim’s bank. The site is actually controlled by the phisher, however, and so once the victim enters his username and password, the phisher can use this information to masquerade as the user at the real site.
Reducing the severity of these problems requires a new approach to managing digital identities. Windows CardSpace, originally released with the .NET Framework 3.0, is an important part of that approach. To help people keep track of their digital identities, CardSpace represents each identity as a distinct information card. If a Web site accepts CardSpace logins, a user attempting to log into that site will see a CardSpace selection screen . By choosing a card, the user also chooses a digital identity that will be used to access this site. Different cards can contain different information, allowing a user to control exactly what each site learns about her.