Pat, Ben, and Kim have been talking about the use of password tokens for use with Windows CardSpace. Pat’s detailed description of how this could work is quite useful, and can be extended in some interesting ways:
1. Create a single-use password deployment
If we change the default WS-Security username/password token so that it carries not only the username and the password needed to log in, but also a newly IdP-generated second password that replaces the old one at the RP, we get a single-use password: each password is accepted exactly once and is then superseded. This could noticeably improve the security of the system, since a password captured in transit or from a log is worthless after the login it was used for.
For the rest of this article, I will call such a token “Extended Username/Password token” (EUPT).
2. Creating an account at the RP
One of the issues Kim raised is that, for bootstrapping into a CardSpace password manager setup, the user would be required to enter the initial password into a web form. I agree that this *is* bad, but an extended username/password token could help here, too:
When the user does not yet have an account at the RP, he will need to log in at a special URL. That URL accepts cards that support EUPTs. When the user creates the account, the RP will accept an EUPT with *any* values. These initial values (username AND password) are randomly generated at the IdP. Upon receipt of the EUPT, the RP stores the username and the initial password and associates them with the newly created account.
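To make the two steps above concrete, here is a small added simulation of both sides of the exchange. It is example code written for this post, not code from the CardSpace, WS-Security or any IdP implementation; the EUPT is modelled as a plain dictionary with assumed field names `username`, `password` (the current one) and `new_password` (the replacement), and the class and method names are likewise assumptions. The RP stores only salted password hashes, verifies in constant time, and rotates to the new password on every successful login; the IdP forgets the old password only after the RP has accepted the token, so a token lost in transit does not lock the user out. The flow at the end also shows that replaying an already-used token is refused.

```python
import hashlib
import hmac
import secrets

# Added example, not the post's own code: a toy model of the Extended
# Username/Password token (EUPT) idea. Token field names are assumptions.

PBKDF2_ROUNDS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a verifier; the RP keeps only this, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class IdentityProvider:
    """Remembers the current password per RP and mints EUPTs on demand."""

    def __init__(self):
        self._creds = {}  # rp_id -> {"username": ..., "password": ...}

    def mint_signup_token(self, rp_id: str) -> dict:
        """Step 2 of the post: random initial username and password for a new account."""
        username = "user-" + secrets.token_hex(6)
        password = secrets.token_urlsafe(32)
        self._creds[rp_id] = {"username": username, "password": password}
        # No old password exists yet; new_password is what the RP must store.
        return {"username": username, "password": None, "new_password": password}

    def mint_login_token(self, rp_id: str) -> dict:
        """Step 1 of the post: the current password plus a freshly generated replacement."""
        cred = self._creds[rp_id]
        return {"username": cred["username"], "password": cred["password"],
                "new_password": secrets.token_urlsafe(32)}

    def confirm_rotation(self, rp_id: str, token: dict) -> None:
        """Only once the RP accepted the token does the IdP drop the old password."""
        self._creds[rp_id]["password"] = token["new_password"]


class RelyingParty:
    """Stores salted hashes and rotates the password on every successful EUPT login."""

    def __init__(self):
        self._accounts = {}  # username -> (salt, verifier)

    def signup(self, token: dict) -> bool:
        """The special sign-up URL: accept any values, but never overwrite an account."""
        if token["username"] in self._accounts:
            return False
        self._store(token["username"], token["new_password"])
        return True

    def login(self, token: dict) -> bool:
        """Check the current password in constant time, then replace it with new_password."""
        record = self._accounts.get(token["username"])
        if record is None or token["password"] is None:
            return False
        salt, verifier = record
        if not hmac.compare_digest(_hash_password(token["password"], salt), verifier):
            return False
        # The presented password is now burned: replaying this token will fail.
        self._store(token["username"], token["new_password"])
        return True

    def _store(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[username] = (salt, _hash_password(password, salt))


def run_flow() -> dict:
    """Sign up, log in twice with rotating passwords, then replay the first token."""
    idp, rp = IdentityProvider(), RelyingParty()
    rp_id = "example-rp"  # constructed identifier for the demo

    signed_up = rp.signup(idp.mint_signup_token(rp_id))

    first = idp.mint_login_token(rp_id)
    first_ok = rp.login(first)
    if first_ok:
        idp.confirm_rotation(rp_id, first)

    second = idp.mint_login_token(rp_id)
    second_ok = rp.login(second)
    if second_ok:
        idp.confirm_rotation(rp_id, second)

    return {
        "signed_up": signed_up,
        "first_login": first_ok,
        "second_login": second_ok,
        # The second token must present exactly the password the first one introduced.
        "chained": second["password"] == first["new_password"],
        # The first token's password has been replaced, so a replay is refused.
        "replay_accepted": rp.login(first),
    }


if __name__ == "__main__":
    print(run_flow())
```

The one ordering rule worth keeping from this sketch is that the IdP commits to the new password only after the RP reports success; if the IdP rotated first and the token never arrived, the IdP and RP would disagree and the user would be locked out until a recovery path is used.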
Time permitting, I will work with Pat to get this done, at least on the IdP side.