Online authentication methods: Personal information cards and Web SSO

Learn more about information cards authentication and how it can help lock down online authentication at your organisation.

Half the battle of getting visitors to register with your website is not putting them off with a complex registration process, while the headache for site administrators is managing and safeguarding all those usernames and passwords. Many security pros ask: What’s the best technology to enable both easy and secure website registration?

Among the online authentication methods available, one possible choice is to use OpenID, an open source authentication protocol based on HTTP redirection. It enables users to log in to an OpenID-enabled site using their own OpenID identifier and password rather than having to create another set of credentials.

An alternative authentication method -- or, indeed, a complementary one -- is information cards. Information cards are open, vendor-neutral industry standards for managing and sharing digital identities; probably the best-known implementation is Microsoft Windows CardSpace, though other members of the Information Card Foundation include Equifax Inc., Google Inc., Oracle Corp., PayPal and Verizon Corp.

Rather like digital certificates, an information card relies on someone to issue it, but, in this case, the issuance is done by the identity provider as opposed to the certificate authority, as with PKI. The identity provider can be any business that needs to issue identities to its employees or customers, or a government or online service that verifies personal data, such as date of birth. An information card issued by a third party is called a managed card, and can contain any information the user has shared with the third party. For example, an airline website could issue a mileage club information card so members could prove their level of membership and how many miles they have to spend. Likewise, a business could issue a card to employees containing their job title and role to be used for access control decisions. Individuals can even self-issue personal information cards, much like a business card.

The data points carried in information cards are called 'claims' and are cryptographically signed by the provider. Services that accept digital identities as a means of authentication or verification are called relying parties. Anyone using a digital identity is called ‘the subject’ and he or she can choose which information from his or her digital identity to provide to the relying party.

Managed information cards can be of three different types: auditing, non-auditing or auditing-optional. Auditing cards require the identity of the relying party site to be disclosed to the identity provider. This can be used to restrict the sites to which the identity provider is willing to release information. The personal information that a managed card represents is maintained by the managed card provider. Only the card name, the date the card was installed, a ‘valid until’ date, and a history of the sites where the card was used are stored on the user's computer. This card definition file is an XML document the user downloads from the card provider.

To enable a website to support information cards, either add a code module or use an outsourced Web service; neither option should take more than a day to implement. For example, Bandit Python RP allows Python developers to integrate information cards into their applications, and, for those using the Drupal or Joomla CMS framework, information card modules already exist and can be added without programming. There is also a plug-in allowing authentication using information cards for the popular blogging application WordPress.

Windows developers can also make their .NET applications identity-aware with Microsoft Windows Identity Foundation. In addition, the Active Directory Federation Services (ADFS) 2.0 add-in for Windows Server 2008 provides claims-based federated identity management. By adding ADFS 2.0 to an existing Active Directory deployment, administrators can allow users to log in once to a Windows Server, and then use their credentials to sign into any applications on the network or cloud that can accept a SAML 2.0-based token.

The information card user has a digital wallet called a card selector, such as Microsoft's Windows CardSpace or Novell Inc.'s DigitalMe. Internet Explorer obviously supports CardSpace, while Firefox supports CardSpace via the IdentitySelector plug-in and supports DigitalMe on Mac OS X and Linux systems.

When someone using CardSpace visits a website that accepts an information card, the CardSpace application shows which cards the user has that meet the requirements of the site. Before submitting the card, the user checks to see what personal information will be sent. Like other card selectors, CardSpace checks the URL of the site and issues a warning if it's the first time an information card is being submitted to the site. This is intended to combat phishing attacks. Another safeguard is that each card is encrypted specifically for each relying site so it can't be reused at another site.

One problem with OpenID is that it can be susceptible to cleverly crafted phishing attacks, but when combined with information card authentication, the chances of a phishing attack being successful are greatly reduced. This is because, even if a user is tricked into trying to log in to an imposter site, the information card, with its use of distinct keys for each site, would make the login fail. Information cards can also be protected with two-factor authentication to prevent unauthorised users from accessing them.
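The per-site key idea from the two paragraphs above, as an added Python example that is not part of the original article and is not CardSpace's actual algorithm. It uses an HMAC-derived shared key as a simplified stand-in for the selector's site-specific keys; the function names, origins and card secret are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def derive(card_secret: bytes, label: bytes, rp_origin: str) -> bytes:
    # One-way derivation: the same card yields unrelated values for each site.
    return hmac.new(card_secret, label + b"|" + rp_origin.encode(), hashlib.sha256).digest()


def present_card(card_secret: bytes, visited_origin: str, challenge: bytes) -> dict:
    """Selector side: bind the token to the origin the browser is really on."""
    key = derive(card_secret, b"key", visited_origin)
    mac = hmac.new(key, visited_origin.encode() + b"|" + challenge, hashlib.sha256).hexdigest()
    return {"id": derive(card_secret, b"id", visited_origin).hex(),
            "audience": visited_origin, "mac": mac}


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.enrolled = {}  # per-site identifier -> per-site key, stored at registration

    def enroll(self, identifier: str, key: bytes) -> None:
        self.enrolled[identifier] = key

    def verify(self, token: dict, challenge: bytes) -> bool:
        key = self.enrolled.get(token["id"])
        if key is None or token["audience"] != self.origin:
            return False  # unknown identifier, or token minted for another site
        expected = hmac.new(key, self.origin.encode() + b"|" + challenge, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, token["mac"])


def demo() -> dict:
    card = secrets.token_bytes(32)               # constructed card secret
    shop = RelyingParty("https://shop.example")  # constructed origins
    shop.enroll(derive(card, b"id", shop.origin).hex(), derive(card, b"key", shop.origin))
    challenge = secrets.token_bytes(16)
    genuine = present_card(card, "https://shop.example", challenge)
    # User is lured to a look-alike: the selector derives values for that origin instead.
    lured = present_card(card, "https://shop-example.test", challenge)
    return {"genuine": shop.verify(genuine, challenge),
            "relayed": shop.verify(lured, challenge),
            "ids_differ": genuine["id"] != lured["id"]}
```

The token produced at the look-alike origin carries an identifier and key the genuine site has never enrolled, so presenting it there fails verification even though the same card was used.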

One security benefit for the users of information cards is the simplified encrypted authentication that does not require a username and password for every website. Sites can operate both access methods at the same time as well: Customers with information cards can use them, while others can log in with a username and password.

One potential issue is portability. The Windows CardSpace selector stores cards locally on a machine, which ties access to that machine for those sites and applications. The Azigo selector stores them in a secure online service, and both CardSelector and DigitalMe intend to offer local and remote options.

A potential alternative to Microsoft CardSpace is U-Prove, which lets users federate identities across trusted domains and provides multi-party security: Issuing organisations, users and relying parties can protect themselves, not just against outsider attacks, but also against attacks originating from other issuing organisations, users or relying sites. Windows CardSpace 2.0 (U-Prove CTP) is a U-Prove-enabled version of Windows CardSpace 2.0 that has the ability to obtain, store and present U-Prove tokens associated with an information card. As you can see, innovation in this area is moving quickly, but it's well worth keeping up to date, as the search for a secure Web SSO solution that becomes the de facto Internet standard comes closer to fruition.

About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com’s Security School lessons.