Two factor authentication for CardSpace


Though the CardSpace adoption meter shows only a 10.2 % capability to use CardSpace as on October 2007, many early adopters have been talking about the usage of CardSpace for payments. The proposals range from using the cards as an authentication mechanism in the existing schemes to embedding the payment information right into the cards. However, when it comes to financial transactions, many banks are still skeptical about a scheme were the user login is protected only by a password. It would be a great selling point for CardSpace to demonstrate stronger authentication mechanisms to enable banks adopt the technology.
This post explores the usage of two factor authentication schemes to secure the card sessions. I was playing around with the RSA SecurID for some time, and realized that integrating and deploying two factor authentication into existing banking systems can be very simple. Everything from the user identity store to the existing token distribution among the customer base can be reused.
A simple Java based CardSpace implementation is available at The code, hosted on Google code repository, can be tweaked to use custom user management. A sample Access management module for OpenSSO is also available. User authentication using RSA SecurID can can be done in a similar fashion. Currently, XMLDAP uses a derby database to store user information. In the code, a DAO layer takes care of the actual database communication. This can be changed to point to either the RSA Radius Server, or any other existing store. The code for this is available in the org.xmldap.sts.db.impl.CardStorageEmbeddedDBImpl class. The method public boolean authenticate(String uid, String password) does the user authentication. To introduce SecurID authentication, this is the method that requires to be changed. As described in the RSA SecurID ToolKit, a code that resembles the snippet below can be used to do authentication with SecurID.

AuthSessionFactory factory = AuthSessionFactory.getInstance("c:\\Data\\workspace\\openinfocard\\conf\\rsa.config");

AuthSession session = factory.createUserSession();
int status = session.check(userName, password);
switch (status)
case AuthSession.ACCESS_OK:
case AuthSession.NEW_PIN_REQUIRED:
case AuthSession.NEXT_CODE_REQUIRED:
result = true;
default :

System.out.println("Status : " + status);

With the ability to now use custom error messages, it may also be easier to relay the error message that the SecurID shows on an unsuccessful login. However, supporting the "next token code mode" for the SecurID tokens in CardSpace can still be a little trickier.
As described above, cards are now secured with two factor authentication. The potential ease of implementation and deployment should serve as a compelling fact for bank to adopt CardSpace as a payment mechanism. This method is definitely more secure that traditionally entering user credentials at the browser. Please do let me know if you want to see a working version of this experiment.