Cardspace and the KISS Principle

(My original title for this post was “Cardspace, We Hardly Knew Thee”, but Dave Kearns stole that by a nose).

RSA is not the best conference for identity-related news and topics, but there were more than a few interesting story lines that emerged last week (and no, I am not referring to what went on at the Ping Party). One of those was the announcement that Microsoft would not be shipping Cardspace 2.0, which is being widely interpreted as the death of Cardspace. Mike Jones points out that this may be an exaggeration, and until I see Pam pronounce it dead, I won’t be writing any obituaries. But I did want to share a thought that has been rattling around in my brain for a while.

The day before RSA started, the Kantara and IIW folks gathered in a studio not far from the Moscone Center for ID Collaboration Day. One of the sessions was about the work that the Universal Login Experience Work Group of Kantara has been doing in trying to solve the usability problem of third-party logins at sites that want to be open and accommodating of providers and protocols. And when we look at the Cardspace experience, one thing is crystal clear: it has to be SIMPLE.

Debates over what is simple, which button goes where, how to order things, etc. will go on and on. But when I step back and think about it, I see that a good workable model already exists which has gained a lot of traction – that of the browser-based login helper. This ranges from the built-in password managers in Firefox/IE/Chrome, to the venerable Sxipper, to the upstart (but on the rise) cloud-based solutions like LastPass. They solve the problem by giving the user a simple, intuitive UI to work with, without relying on metaphors like cards or avatars. And it is obvious that all the debates about whether users would trust some random service to remember their sensitive passwords go out the window when it just works.

Sxipper UI (from sxipper.com)

Granted, they are dealing with the (relatively) simpler problem of form-filling. But there is no reason why the UX couldn’t be expanded to handle IdP-based AuthN, where instead of selecting the user name in the widget, I select the provider. Having the widget (service) remember which providers I have registered and commonly use, and also remember usage history would not be a problem. And the UX for presenting multiple personae already exists and, more importantly, is understood.

I’m sure there are technical nuances that would need to be solved. But I’m focusing on the specific usability aspect of the problem, and it seems to me that there is already a successful model that can be built upon. And I’m also sure that I am not the first one to think of this, so if there are reasons why this wouldn’t work that have been previously discussed and blogged about, please point me to them. Because it could impact some of the work we are doing at Oracle. And nobody wants us making a mistake 😉

Update (2/22 at 8pm): Kim Cameron wrote a post that seems to at least confirm what I am thinking here.
