Having worked on a authentication concept with MSFT for eBay sellers, I had mixed feelings about this [Microsoft's decision not to ship CardSpace 2.0 - Kim]. On one hand I was on the record not supporting the use of CardSpace for eBay sellers (or buyer). On the other hand I am concerned that technical community discounts the significance of Claim Based identity altogether and concludes that “FaceBook Conncet” is all we'll ever need.
There is a good reflection (from an insider's point of view) on Card Space here. (courtesy Gunnar Peterson) My personal view (and the reason I didn't support the adoption of Card Space at eBay) though centers around the challenges of “Change of Behavior” required by Card Space.
Basically, CardSpace failed b/c it requied uses to change their behavior. See, the “User name and password” protocol (a simple challenge and response) IS a protocol, one where a human being (a normal user) is a participant in. It has taken about 20-30 years (depending on how you count) to train users what to do when they see a “login panel” , the “login panel” contract is so widely understood that despite all of its short coming is the most viable remote authentication protocol we have today. It is flawed, it is costly, it is not secure, but it is a widely understood by users on the other end of the protocol. CardSpace, despite all its advantages, was not understood, would (and did) make people confused, they did not know what to do when the CardSpace screen popped up … a technology whose adoption depends on change of a strongly learned behavior is unlikely to succeed (or at least I didn't think eBay sellers – not the early adopters of technology – would learn and accept it).
It also didn't help that a lot of browsers didn't support it (installing a plug-in does not count), and the fact that developers didn't know how to issue cards (or validate, update or revoke them).
Having said that, I did like the idea of decentralized identity provider and not having any one identity provider to be THE identity provider that everyone else had to rely on (putting user in control of their own identity). Compare this with a world where one identity provider (be it facebook or Google or twitter or anyone else) is the dominant identity provider because it is easy for RPs to embed a simple button and for users to click on it.
Reading Farhang's post, here's what I find most interesting. It was never that users decided they didn't want ”a change of behavior” around passwords. Instead it was web properties like eBay (and a thousand others) who came to this conclusion. Many of the people designing those properties worried that providing users the option of changing their behavior was too dangerous – especially since it was not essential…
In the history of computing there have actually been plenty of cases where users DID change their behavior – even though at first only a few people could understand or use the new alternatives. But those “early adopters” were able to try the new inventions on their own. They didn't need anyone else to approve something or decide they would like it first. Once convinced, they could show the new ideas to others.
When Visicalc appeared, I don't know how many people in IT would have bet that every accountant in the world would soon be throwing out his pencils and starting to use spreadsheets for things no one can even now believe are possible! The same is true for a thousand other applications people came to love.
But because authentication doesn't stand on its own, users never got the chance to start using Information Cards “just because they felt like it”. They needed web sites to make the same bet they did by implementing Information Card support as an option.
Web sites didn't want to bet. They wanted to keep to “the matter at hand” and prevent their users from getting lost or distracted. The result: a preemptive chill settled over the technology, and we never really got to see what users would make of it.
My conclusion: regardless of what new features they support, user centric identity solutions need to be built so they work with as many existing web sites as possible. They can't require buy-in from the all the big web sites in order to be useful.
I think we should have included a way for Information Cards to support password-based sites. It was possible. I personally avoided it because I was worried it would be unreliable and not work at all sites.
Yet a lot of password managers do this, and Dick Hardt's SXIP system combined this approach with support for new protocols. I think that aspect of his work was probably right.