As simple as it is, it's clear that adoption of Information Cards
as an authentication mechanism will happen over time. Despite their shortcomings
as an authentication method, passwords will remain in widespread use until
a viable replacement becomes ubiquitous. Until then, websites need to
start enabling technologies beyond passwords without replacing them entirely.
This is called hybrid authentication.
Hybrid authentication is expected to comprise the majority of RP implementations
for the foreseeable future. Most of the guidance in this chapter revolves
around changes to websites that enable Information Cards alongside password authentication.
For scenarios that extend beyond the specifications laid out here,
take the time to examine the scenario for usability, security, and scalability
issues.
Servers should be synchronized to the current time.
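The hybrid login endpoint described above, together with the time check that the margin note on server clocks exists to support, as an added example that is not code from the book: one login handler that accepts either a username and password or an Information Card token and resolves both to the same account. Assumptions that are not in the original text: the token is a SAML 1.1 assertion that the token-handling layer has already decrypted and signature-verified before it reaches this code; accounts are keyed by the card's PPID claim scoped to its issuer; the account store, sample token, salt and five-minute clock-skew tolerance are constructed for this example.

```python
"""Hybrid authentication: one login endpoint, two credential types.

Editor's example, not code from the book.  Assumption: the SAML token has
already been decrypted and its signature verified upstream; this code only
checks the validity window and maps the PPID claim to an account.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET  # constructed input only; harden the parser in production
from datetime import datetime, timedelta, timezone
from typing import Optional

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
PPID_CLAIM = "privatepersonalidentifier"
# Tolerance for honest clock drift.  It does not replace time synchronization:
# a server that is minutes off will reject every freshly issued token.
CLOCK_SKEW = timedelta(minutes=5)


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _parse_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed account store.  Real code uses a per-user os.urandom() salt.
_SALT = b"constructed-example-salt"
PASSWORD_DB = {"alice": (_SALT, _pbkdf2("correct horse battery staple", _SALT))}
# Card logins are keyed by issuer AND PPID so one issuer cannot impersonate another's users.
CARD_DB = {"https://idp.example.test|ppid-constructed-1234": "alice"}


def authenticate_password(username: str, password: str) -> Optional[str]:
    entry = PASSWORD_DB.get(username)
    if entry is None:
        _pbkdf2(password, _SALT)  # burn the same time so unknown users are not timing-visible
        return None
    salt, stored = entry
    return username if hmac.compare_digest(stored, _pbkdf2(password, salt)) else None


def authenticate_card(xml_token: str, now: datetime) -> Optional[str]:
    root = ET.fromstring(xml_token)
    ns = {"saml": SAML_NS}
    cond = root.find("saml:Conditions", ns)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return None
    # Validity window, widened by the skew tolerance on both ends.
    if now < _parse_time(cond.get("NotBefore")) - CLOCK_SKEW:
        return None
    if now >= _parse_time(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        return None
    issuer = root.get("Issuer")
    ppid = None
    for attr in root.iterfind(".//saml:Attribute", ns):
        if attr.get("AttributeNamespace") == CLAIMS_NS and attr.get("AttributeName") == PPID_CLAIM:
            value = attr.find("saml:AttributeValue", ns)
            ppid = value.text.strip() if value is not None and value.text else None
    if issuer is None or ppid is None:
        return None
    return CARD_DB.get(f"{issuer}|{ppid}")


def login(form: dict, now_iso: Optional[str] = None) -> Optional[str]:
    """Single endpoint: the posted form carries either xmlToken or username+password."""
    now = _parse_time(now_iso) if now_iso else datetime.now(timezone.utc)
    if "xmlToken" in form:
        return authenticate_card(form["xmlToken"], now)
    if "username" in form and "password" in form:
        return authenticate_password(form["username"], form["password"])
    return None


# Constructed sample token: signature and encryption elements omitted (see docstring).
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="uuid-constructed" Issuer="https://idp.example.test"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>anonymous</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="{PPID_CLAIM}" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>ppid-constructed-1234</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(login({"username": "alice", "password": "correct horse battery staple"}))
    print(login({"xmlToken": SAMPLE_TOKEN}, now_iso="2024-01-01T12:02:00Z"))
    print(login({"xmlToken": SAMPLE_TOKEN}, now_iso="2024-01-01T13:00:00Z"))
```

Both paths end in the same account identifier, which is what lets a site add Information Cards without touching the session, authorization or audit code that sits behind login. The skew window is the practical consequence of the margin note: it absorbs seconds of drift, and a server that is minutes off will fail every token at the NotOnOrAfter check.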
276 Guidance for a Relying Party
Consider the use of EV certificates, if possible. EV certificates are
not required, but for businesses that believe their online identity
benefits from the greater assurance afforded to customers, these
certificates can prove invaluable. Because EV certificates require
more time and effort to obtain, and are limited to protecting a
single domain (wildcard EV certificates are not permitted),
they should be acquired earlier rather than later.