Using a (username
and password)-backed card mitigates many of these problems.
For starters, it's just a single username and password that users need to remember
to use their card. That card can then be securely reused at a number of RP
sites, so the total number of passwords the user needs to keep track of can be
significantly reduced. Now one password can securely be used to log the user
into many different sites. This helps reduce bad password practices and improves
security because the user presents a username and password to only one
party.
However, it doesn't make username and password suddenly more secure. There
are still risks; they have just been reduced. If a malicious party tricks users into
entering their username and password at its site, it can reuse the credentials to
authenticate to the Managed Card provider, which isn't possible with the other
credential types. So, although there is some reason to use username and password,
the main reason is probably still to allow IPs a baby step while switching
over from username and password authentication to using Information Cards.
Makeup of a Managed Card
The Managed Card contains the information that CardSpace
needs to contact the IP STS and request a security token.