The Identity Crisis - Are CardSpace and OpenId Viable?

I put together a presentation on Identity solutions for the Richmond for the Code Camp last Saturday. The main reason I wanted to give this presentation so I could learn more about the two authentication methods that are being developed to make our online experiences more secure and easier for average users to use.

Problem 1: Security

As the stories have mounted lately, it has become more and more obvious that we as an online community have a major issue with securing individual's personal information. In order to help with this all financial institutions have implemented a Two Factor authentication methodology. The only problem is most have not truly implemented this scheme.

What we typically get is the end user, that would be you, answering a series of questions about yourself, such as where you went to High School, what your mother's birthday is, etc. On top of this you typically have the ability to implement a custom image for you to identify this is the bank's web site. This helps deter phishing attacks because you should only have your image on the bank's real site.

While most people have the patience and ability to remember all the information, it is not a perfect solution. It does burden users to know a lot more just to get in to see if they still have any money in their account. I think this approach was perfectly lampooned on last month. So we still need to find a much easier to use solution.

Problem 2: How many Username and Password Combinations can we Remember?

How often have you locked yourself out of an important vendor or bank's web site because you ran out of chances to guess what funky strong password you were forced to use on their site and no one else's? I mean right now I am locked out of an important vendor's site that I need to pay! It is very frustrating for everyone. So a solution without numerous or any passwords would be much more desirable.

Possible Solution 1: OpenId

OpenId is a solution being developed by a group of technologist where authentication is done through independent third party providers, such as In this model a user creates and manages a series of personas on an OpenId provider. Your OpenId is managed through a unique URI that is yours and yours alone.

A site requiring authentication will take the user from the site to their OpenId URI, which is their OpenId provider's site. From there they will select what information they wish to provide to the site and eventually be routed back to the original site.

Possible Solution 2: CardSpace

When Microsoft released the .NET 3.0 framework it included a new identity concept called CardSpace. At first I was real excited about the possibility of CardSpace, primarily because it addressed a major problem in managing multiple usernames and passwords. Basically it works by managing a set of personal identity cards that can either be self issued or managed. Self issued cards are actually created and managed completely by the end user. Managed cards are produced and verified through a third party authentication service.

Basically a site supporting CardSpace will allow the user to authenticate through CardSpace with an Icon that executes client-side script when clicked. This will invoke the CardSpace environment on the user's computer. The user will then chose which card and what information in the card they want to share with the site.

Conclusions from My First Identity Presentation

The Identity presentation went better than I expected. I was real worried since the laptop I was using only had IE 6, so I could not do any CardSpace live demos, which points out a flaw in the design of CardSpace. It only supports IE 7 and some versions of FireFox can have a hack installed to make it work. I also talked about and showed OpenId to the group. Both have some serious usability issues. I think there are two things that will keep either from actually being accepted, usability and programmability.

With any public facing technology you have to see if it passes the Mom factor. Neither of these techniques really can pass that test. It has to be easy to use for the most novice user. As I go through and show how each step works more and more the feedback I was getting from the crowd is this is too hard. And I never got to actually programming either. They are right, each new step you introduce into the flow of 'checking out' or desired action response, such as signing up for a news letter, it will reduce your actual conversion rates by a factor. That is why Amazon installed the one click checkout process. The average user will not deal with all these steps and will get scared real fast, especially when they are confronted with a dialog for a non-SSL site to view their grandchild's photos and they are told this is not secure. Managed cards yes, but they too are extremely complex processes to an average user.

As far as CardSpace is concerned it needs to be moved from the Control Panel to a regular accessory. Anything in Control Panel will immediately be a no go for average users. Many corporate environments will not allow access to it anyway. I can right now, but I am not allowed to have anything but IE 6 on my machine and most likely IE 7 is a long way off from being adopted. So CardSpace is a no go there too.

I also think it is very bad precedent that Microsoft itself does not leverage CardSpace as an authentication option.  In fact they need to 'fix' their SSL login page to reference the images on the page via SSL.

Not to lay all the cons on CardSpace, OpenId has some serious user acceptance factors to overcome as well. The main thing is leaving the site to be authenticated on and taken to your OpenId factor. Granted anyone who has setup an OpenId should understand what this is doing or what is going on. The average user will have a hard time groking this concept. So this leaves OpenId solely in the hands of true geeks and even then I think just a very small portion of us die-hard web programmer types. So while I like the general concept of OpenId as a way to manage online identity I think it has most likely hit most of its true acceptance audience. It will be perpetually stuck, like Linux, with a small die-hard group of geeky supporters with no main stream acceptance what-so-ever. And no real hope of wide-spread acceptance.

Both have to undergo a paradigm shift that will only happen when two things are done, it is easy for entry level programmers to implement, such as Forms authentication. That will get it implemented every very quick. There are some controls available, but honestly I have not gotten a single one to work yet. I am still trying. Next it has to be simple for end users to do. We cannot add too many more steps to the process, that is just not acceptable. We cannot scare users anymore than they already are.

I think of the 15 or so attendees to my Identity talk Saturday, none felt too comfortable about implementing either methodology. But we all agreed we need something better than the myriad of username and password combinations we are all tortured with these days. So we are listening and waiting. I guess a few of us need to actually do something!

Share This Article With Your Friends!