Saturday, November 17, 2007

CardSpace as a Password Protection Module


Since the inception of FORMS in HTML, nothing has really changed for the password input field. Though a password is supposed to be secret and holds the key to a user's session, it is treated on par with the other fields in the FORM, differentiated only by an attribute. There seem to be no real standards that mandate how this "form data" is to be sent to the server in a protected manner. Though sites do use SSL or hash the passwords, many still send them as plain text. Additionally, keylogger malware and phishing attacks against passwords are common. To protect against this, people have built on-screen keyboards and other mechanisms, but the environment is still very unprotected.
People have tried to overcome this limitation by giving elevated status to password collection, collecting credentials in a secured environment. This patent details the idea of protecting passwords on the web against various threats.
I have been working on CardSpace for quite some time now, and I was wondering whether CardSpace can actually be used as a password protection module. The architecture of CardSpace claims that the Identity Selector is a protected environment on the Windows operating system. As discussed in the architecture presentation, no external program can hook into this protected environment, which is supposed to be similar to the Windows login (Ctrl+Alt+Delete) screen.
The business case for using CardSpace as a password protection module (PPM) is simple. A bank that currently issues passwords to its customers (in addition to one-time passwords like SecurID) would instead issue its users a Card. There could be an attribute unique to the bank, so that only that card shows up when the Identity Selector pops up on the bank's login page. Hence, in this case, the bank acts as both the identity provider and the relying party.
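As an added illustration (not part of the original post) of how the bank's login page would invoke the Identity Selector so that only the bank-issued card is offered, the page embeds an Information Card object tag; the STS address, form action and claim set below are placeholders I have assumed, not the bank's real values.

```html
<!-- Must be served over HTTPS: the selector encrypts the returned token
     to the certificate of the site that served this page. -->
<form method="post" action="https://bank.example.invalid/cardspace-login">
  <!-- The object tag tells the browser's Identity Selector what the
       relying party (the bank) accepts. -->
  <object type="application/x-informationcard" name="xmlToken">
    <!-- Only managed cards issued by the bank's own STS are shown:
         this is the "attribute unique to the bank" from the post. -->
    <param name="issuer"
           value="https://idp.bank.example.invalid/sts" />
    <!-- Token format the bank's server knows how to validate. -->
    <param name="tokenType"
           value="urn:oasis:names:tc:SAML:1.0:assertion" />
    <!-- The bank keys the session on the site-specific PPID rather
         than on a password typed into a FORM field. -->
    <param name="requiredClaims"
           value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
  </object>
  <!-- Submitting the form posts the encrypted token in the field
       named "xmlToken"; no password ever travels in the POST body. -->
  <input type="submit" value="Log in with your bank card" />
</form>
```

The server side then decrypts the posted token with the private key of its SSL certificate and validates the SAML assertion before establishing a session.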
Given the inherent nature of CardSpace, the architecture claims that it is secure against phishing and keylogging, as discussed in the video. It relies on certificates and on industry-standard protocols for sending credentials on the wire, which gives the approach a sound theoretical basis.
This can also be integrated with other security mechanisms like SecurID or One Time Passwords very easily. Development kits already exist for Java and .NET.
To summarize, although federating identities across web sites may not have hit the mainstream yet, this component of the Identity Metasystem can be leveraged to give users enhanced security when they log in. I think it is time that the password field graduated from being a FORM control to a component of a full-fledged secure authentication system.
