Windows CardSpace for IT pros

Getting started with Windows CardSpace

Microsoft Windows CardSpace™ is a system for creating relationships with websites and online services. Windows CardSpace provides a consistent way for:

  • Sites to request information from you.

  • You to review the identity of a site.

  • You to manage your information by using Information Cards.

  • You to review card information before you send it.

Windows CardSpace can replace the user names and passwords that you use to register with and log on to websites and online services.

Windows CardSpace step by step

You can use the following Windows CardSpace steps to send your identity information across the Internet or other networks:

  1. Review site identity information. Before you send a card to a site for the first time, review information about that site’s identity in its certificate so that you can learn more about the site that is requesting your information. You can review the following certificate information for a site:

    • Name—The name of the business or organization

    • Location—The geographic location of the business or organization

    • Website—The domain name of the site

    • Logo—The logo of the business or organization

    In addition, sites can provide a privacy statement that tells you how your information will be used. The privacy statement should state whether information will be shared outside the requesting organization or business. After you send a card to the site, you will not be asked to review the site information again unless:

    • The site states that it has changed its privacy statement.

    • The identity information of the site changes.

  2. Choose a card. If you decide to send a card to a site, view your card collection and choose a card to send. Cards that meet the requirements of the site are highlighted. Different sites require different kinds of cards. There are two types of cards:

    • Personal cards are cards that you create yourself that can identify you to websites or online services. You can use personal cards instead of filling out forms or logging on to sites.

    • Managed cards are provided by businesses and organizations. Examples of managed cards include credit cards and membership cards. Managed cards usually represent information that is issued by the card provider.

  3. Review card data. Before you send a card to a site, review what data is being requested. Sites can also request optional data that you can include when you send a card. You can also review the sites to which you have sent a card in the past.

  4. Send your card. Finally, send your card to the site. Card data is always encrypted before it is sent to the site.

Windows CardSpace and your privacy

Windows CardSpace helps put you in control of your personal information. You decide when and with whom you share this information. Windows CardSpace supports two types of cards:

  • Personal cards are cards that you create yourself. The personal information that you enter on a card is stored on your computer. To help keep it safe, the information is encrypted. The stored information includes personal information such as your name, addresses, phone numbers, date of birth, and gender. Additional card information includes information such as the card name, card picture, and card creation date and a history of the sites where this card was used.

  • Managed cards are created by a managed card provider on your behalf. The personal information that a managed card represents is maintained by the managed card provider that issues the card. That managed card provider stores the information at its site. Some managed card information is stored on your computer. This information includes the card name, the date that the card was installed, a “valid-through” date, and a history of the sites where this card was used.

When you visit a website that accepts an Information Card, that site indicates what type of card it is willing to accept. The Windows CardSpace user experience shows you which cards in your collection meet the requirements of the site. Before you submit a card to a site, you can inspect it to see what personal information will be sent. You should also review the privacy statement of the site to understand how it uses your personal information.

Frequently asked questions

1. What are Information Cards?

An Information Card is a set of data about you that you can send to a website or online service. Like the cards in your wallet, cards that you send with Windows CardSpace present information about you. You can send these cards to sites to show who you are. After a site knows who you are, you can request specific services, make purchases, or access information from the site.

2. How do I get Information Cards?

You can get Information Cards in two ways, based on the type of card that you want. The two types of cards are:

  • Personal cards: To create a personal card, view your card collection, click Add a card, and then click Create a personal card. You can then enter data much as you would on a website form. The difference is that this data will be encrypted and stored on the card to be sent to websites and online services with a few fast clicks.

  • Managed cards: Installing a managed card requires a managed card file that is issued by a managed card provider. Managed card providers are usually businesses (credit card companies, for example) or organizations that host websites or offer services that you can use online. If you do not have a managed card file and you want to install a managed card, exit Windows CardSpace and contact the managed card provider. To install a managed card file, do one of the following:

    • Locate the managed card file in Windows Explorer, and then double-click the file icon.

    • View your cards in Windows CardSpace, click Add a card, and then click Install a managed card.

3. What does the site identity information tell me?

The site identity information shows what information about the site has been verified by a third party called a certification authority (CA). A CA is an organization that certifies and verifies identity information. The more information that the CA can verify, the more confident you can be that the site is genuine. Verifiable information can include the following:

  • Name: The published name of the site, for example, Contoso, Ltd.

  • Location: The geographical location of the business or organization, for example, Redmond, Washington.

  • Site: The domain name of the site, for example, www.contoso.com.

  • Logo: The logo of the site.

4. What should I review about the site information?

If you are considering sending a card to this site, make sure that the site's information seems appropriate to the site. The more information that matches your expectations for the site, the more confident you can be that the site is what it claims to be. The domain name of a business or organization often includes or resembles the name of the business or organization. If the name, location, and logo of a site are available, they should be appropriate to the site.

5. Do I need a different card for every site?

No. In the same way that you can use a credit card at many stores, you can use one card at many sites. Some cards—particularly certain managed cards—can be used only at a specific site. Each site sets its own requirements.

6. Can I add additional data fields to a personal card?

No. Personal cards can include only the listed data fields. Managed cards include only the data that is published by the managed card provider.

7. Which card should I send?

Only the cards that are highlighted in your Windows CardSpace card collection meet the requirements of the requesting site. Send a card that meets the requirements of the site and that includes the data that you want to send to this site. Like the cards in your wallet, different cards meet different needs. Some sites require a card that you provide yourself. This type of card is called a personal card. Personal cards provide basic identity information such as your name, e-mail address, and phone number. Other sites require a card from a business or organization, for example, a credit card or membership card. This type of card is called a managed card, and it is issued by a business or organization.

8. Why can’t I send this card?

You can send a card only if it meets all the requirements of a site. Conditions that might prevent a card from being sent include the following:

  • Wrong type: A site may require that either a managed card or a personal card must be used to provide data.

  • Wrong issuer: A site may require that a managed card must be issued by a specific issuer.

  • Missing personal card data: All required personal card data must be included on the card. You can add missing data to a personal card.

  • Missing managed card data: A managed card might meet all the other requirements of a site, but not offer the data that is required by the site.
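The four conditions above amount to a match between a site's requirements and each card in the collection. The following sketch is an added illustration, not Windows CardSpace code: the `Card` and `SiteRequirements` classes, the function names, and the "Example Bank" card are constructed for the example, and the field names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Card:
    name: str
    card_type: str                    # "personal" or "managed"
    issuer: Optional[str] = None      # managed card provider; None for personal cards
    claims: frozenset = frozenset()   # data fields the card can supply

@dataclass(frozen=True)
class SiteRequirements:
    card_type: Optional[str] = None   # None means either type is accepted
    issuer: Optional[str] = None      # None means any issuer is accepted
    required_claims: frozenset = frozenset()

def reasons_not_sendable(card, req):
    """Return every condition that prevents the card from being sent."""
    reasons = []
    if req.card_type and card.card_type != req.card_type:
        reasons.append("wrong type")
    if req.issuer and card.issuer != req.issuer:
        reasons.append("wrong issuer")
    missing = req.required_claims - card.claims
    if missing:
        # Personal cards can be edited to add data; managed cards cannot.
        reasons.append(f"missing {card.card_type} card data: "
                       + ", ".join(sorted(missing)))
    return reasons

def highlighted(cards, req):
    """Names of the cards that meet all requirements of the site."""
    return [c.name for c in cards if not reasons_not_sendable(c, req)]

# Constructed sample collection (not real cards).
CARDS = [
    Card("Home", "personal", None, frozenset({"First name", "E-mail address"})),
    Card("Contoso membership", "managed", "Contoso, Ltd.",
         frozenset({"Membership number"})),
    Card("Example Bank credit", "managed", "Example Bank",
         frozenset({"Membership number", "First name"})),
]

if __name__ == "__main__":
    req = SiteRequirements("managed", "Contoso, Ltd.",
                           frozenset({"Membership number"}))
    print("highlighted:", highlighted(CARDS, req))
    for card in CARDS:
        print(card.name, "->", reasons_not_sendable(card, req) or "can be sent")
```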

9. Why should I lock my cards with a PIN?

If you do not protect your cards with a PIN, anyone with access to your Windows user account can use your cards. You should use a PIN to lock a card if you:

  • Share your Windows user account, but you want to limit who uses your card.

  • Have cards that contain sensitive information or are used for sensitive tasks (for example, for online banking).

10. Can I only use numbers in my PIN?

No. A PIN can include a combination of uppercase and lowercase letters, numbers, symbols, and spaces.

11. What information is on my card?

Information Cards can contain the following information:

  • Card data is the data that can be sent to a requesting site. Card data is the only information that is ever sent to a requesting site.

  • Card name is the name that is shown with the card.

  • Card picture is the picture that is shown with the card.

  • Card type indicates whether the card is a personal card or a managed card.

  • Card history shows a list of sites to which you have sent this card. The most recent date on which you sent the card is also shown.

  • Card ID is a unique card identifier.

  • Created on shows the date when the card was created. Only personal cards have this information.

  • Issued by shows the name of the managed card provider. Only managed cards have this information.

  • Issued on shows the date when a card was issued by a managed card provider. Only managed cards have this information.

  • Valid through shows the date after which the card is not valid. Only managed cards have this information.

To see information for a card, select the card, and then click Preview.

12. How do I get a managed card?

Installing a managed card requires a managed card file that is issued by a managed card provider. If you do not have a managed card file and you want to install a managed card, exit Windows CardSpace and contact the managed card provider. To install a managed card file, do one of the following:

  • Locate the managed card file in Windows Explorer, and then double-click the file icon.

  • View your cards in Windows CardSpace, click Add a card, and then click Install a managed card.

Before your managed card is installed, you will be asked to review information about the card provider so that you can be sure that you want to install a card from that provider. After you install the managed card, it will appear in your card collection and you can send it to sites.

13. What are the Windows CardSpace minimum requirements for a bank or major Internet business?

Sites that attain a high-assurance (HA) certificate meet the minimum Windows CardSpace requirements for a bank or major Internet business. As part of a Windows CardSpace card request, the site requesting your card can present a certificate verifying its identity. To combat identity theft, banks and major Internet businesses can sign their site with an HA certificate. A site with an HA certificate can have some or all of the following verified by a certification authority (CA):

  • Name

  • Location

  • Logo

14. Multiple users use the same computer. How do we separate our cards?

The best way to keep your cards separate is to create a unique Windows user account for each computer user. For more information about adding user accounts, see Help and Support. If multiple users want to separate their cards in a single Windows logon, they can change the names of the cards to distinguish between them.

To change the name of a card

  1. View all your cards.

  2. Select the card that you want to change.

  3. Click Preview.

  4. Click Edit.

  5. Change the card name underneath the picture of the card.

15. How do I back up my cards or transfer them to another computer?

Cards are stored on your computer in an encrypted format. To save a backup file containing some or all of your cards or to use a card on a different computer, you can save cards to a backup card file.

To back up your cards

  1. Start Windows CardSpace.

  2. View all your cards.

  3. In the pane on the right of your screen, click Back up cards.

  4. Select the cards that you want to back up.

  5. Browse to the folder where you want to save the backup card file, and then give it a name.

When you complete these steps, you save a file containing some or all of your cards. You can copy the backup card file to media such as a Universal Serial Bus (USB) storage device, CD, or other digital media. You can restore the backup card file on this computer or on another computer.

To restore your cards

  1. Save the backup card file to the computer.

  2. Browse to the location of the file on the computer.

  3. Double-click the file, and then follow the instructions to restore the cards.

16. How do I switch between input languages?

You can switch between input languages in Windows CardSpace by using the standard Windows key sequence LEFT ALT + SHIFT. This combination switches between the input languages that are installed in Windows CardSpace. To install additional languages, see the language settings in Control Panel.

17. Are accessibility applications available in Windows CardSpace?

Yes. To enable accessibility applications for Windows CardSpace, view all your cards, and then click Preferences. For more information, click How do accessibility applications affect security?

18. What if I forget my PIN or password?

If you cannot unlock a card because you forgot your PIN or your password, you may have to delete the card and then create or install a new one. This may cause sites to which you sent the card in the past to not recognize you. If you cannot unlock a managed card because you forgot your PIN or your password and the file is not available, contact the managed card provider for a replacement card. If you forget the password that protects your backup card file, you cannot restore the cards that it contains.

19. Why does Windows CardSpace open repeatedly when I close it?

If Windows CardSpace opens every time that you close it, a broken or malicious site may be causing it to reopen. To exit Windows CardSpace, click Exit Windows CardSpace without returning to the site. Clicking this link takes you to your browser without returning to the site that is opening Windows CardSpace.

20. What happens when a managed card expires?

Some managed cards are issued with expiration dates. If you send a managed card after its expiration date, either the requesting site or the managed card provider may decline the card. For more information about an expired managed card and how to renew it, contact the managed card provider.

21. Can deleted cards be restored?

When cards are deleted, they are permanently removed from Windows CardSpace. All card data and card history are erased. The only way to restore deleted cards is from a backup card file that you created before you deleted them.

22. Why should I back up my cards?

You should back up cards to:

  • Transfer your cards to another computer—You can use a backup card file to transfer cards to another computer. After you restore the backup card file, you will be able to send these cards from either computer. Sites will be able to recognize you from either computer. If you store your cards on a USB drive or other media, you can take your cards with you wherever you go.

  • Recover them in case of accidental loss—You should back up to a file all the cards that you would want to restore in case of data loss or hard drive failure. Store the backup card file where it will not be lost in case of data loss or if the computer is damaged or stolen.

23. Does Microsoft see my data?

No. Your card data is stored on your computer or maintained by a managed card provider. Microsoft receives your card data only if you choose to send a card with that data to a Microsoft website or online service.

24. What information is stored about the sites that I visit?

When you send a card, Windows CardSpace stores the following information on your computer:

  • The information about the site to which you sent the card

  • The time and date when you sent the card

  • The type of data that was sent to the site—but not the data itself. “First name” can be stored, for example, but not the first name “John.”

If you decide not to send a card, no information is stored.

25. Why does Windows CardSpace remember the sites that I visit?

Each of your cards stores its own card site history and a record of the card data that you send to each of the sites. This enables Windows CardSpace to alert you anytime that:

  • A new site requests a card.

  • The identity information or privacy statement of a site to which you sent a card has changed.

  • A site to which you sent a card requests new data.

Card site history is encrypted when it is stored on your computer. You can review it by viewing the site history in Windows CardSpace. Your card history information stays on your computer. It is not sent to a site requesting a card or to Microsoft.
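
The behavior described in questions 24 and 25 can be modeled as a per-card history that keeps the site identity, the send time, and the types of data sent, and compares each new request against that record. This is an added illustration, not Windows CardSpace code: the `CardSiteHistory` class, its method names, and the use of a version number for the privacy statement are assumptions, and encryption of the stored history is left out.

```python
from datetime import datetime, timezone

class CardSiteHistory:
    """History for one card: one entry per site the card was sent to."""

    def __init__(self):
        self.entries = {}  # site domain -> what was recorded at the last send

    def alerts(self, domain, identity, privacy_version, requested):
        """Reasons the user should review the site before sending again."""
        entry = self.entries.get(domain)
        if entry is None:
            return ["new site"]
        found = []
        if entry["identity"] != identity:
            found.append("site identity changed")
        if entry["privacy_version"] != privacy_version:
            found.append("privacy statement changed")
        new = set(requested) - entry["claim_types"]
        if new:
            found.append("new data requested: " + ", ".join(sorted(new)))
        return found

    def record_send(self, domain, identity, privacy_version, card_data, when=None):
        """Record a send. Only the field names of card_data are kept."""
        entry = self.entries.setdefault(domain, {"claim_types": set()})
        entry["identity"] = identity
        entry["privacy_version"] = privacy_version
        entry["claim_types"] |= set(card_data)  # keys only; values are discarded
        entry["last_sent"] = when or datetime.now(timezone.utc)

    def stored(self, domain):
        return self.entries[domain]

if __name__ == "__main__":
    # Constructed sample values, reusing the examples given on this page.
    site = "www.contoso.com"
    ident = ("Contoso, Ltd.", "Redmond, Washington", site)
    history = CardSiteHistory()
    print(history.alerts(site, ident, 1, ["First name"]))
    history.record_send(site, ident, 1, {"First name": "John"})
    print(history.stored(site))  # contains "First name" but not "John"
    print(history.alerts(site, ident, 2, ["First name", "E-mail address"]))
```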