Here is a strange one via Pamela Dingle's eternal optimist:
I assume a physical keyboard logger like this could still be used to steal an IdP username & password, even with all the secure desktop stuff that the CardSpace client has built in…
This kind of dongle plugs in between the keyboard and the computer. So there is one simple solution: don't type in secrets that could allow someone to gain access to your accounts.
- CardSpace self-issued cards (based on public key technology) and managed cards backed by a self-issued card or certificate would both be immune to this attack – assuming no physical access to the computer itself.
- Normal Kerberos login would be vulnerable.
- Username / password IdPs could be protected from this attack through use of the additional per-card secret described here – assuming non-InfoCard password access was not supported.
- One time password (OTP) systems would be unaffected.
BTW, I now have OTP integrated with my own managed card demo code. When used with CardSpace it has very nice security properties because the channel from CardSpace to the IdP is encrypted using information in the managed card and the password can never be reused.
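To make the "can never be reused" point concrete, here is an added illustration (my own, not the managed card demo code mentioned above): an RFC 4226 HOTP verifier that consumes each counter value once, beside a static-password check, with a constructed secret and a simulated replay of whatever a keyboard logger would have recorded.

```python
import hmac
import hashlib
import struct

# Constructed demo secret; in a real deployment it lives in the token / IdP and is never typed.
SECRET = b"constructed-demo-secret-not-real"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """IdP-side check: each counter is accepted at most once, within a small look-ahead window."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # highest counter already consumed

    def verify(self, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # consumed: the same code is never accepted again
                return True
        return False


class PasswordVerifier:
    """Static password: whatever the keyboard sent is valid forever, so a logged copy replays."""

    def __init__(self, password: str):
        self.password = password

    def verify(self, typed: str) -> bool:
        return hmac.compare_digest(self.password, typed)


def simulate_replay() -> dict:
    """Logs the keystrokes of one genuine login for each scheme, then tries them a second time."""
    pw = PasswordVerifier("correct horse")
    logged_pw = "correct horse"  # exactly what an inline keyboard logger would capture
    otp = OtpVerifier(SECRET)
    logged_code = hotp(SECRET, 0)  # value shown on the token and typed by the user
    return {
        "static_login": pw.verify(logged_pw),
        "static_replay": pw.verify(logged_pw),   # True: replay of a static secret works
        "otp_login": otp.verify(logged_code),
        "otp_replay": otp.verify(logged_code),   # False: counter 0 is already consumed
    }
```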