Phil Hunt of Oracle makes a very good point about OpenID, Information Cards, and Passwords:
It all sounds wonderful. But Kim skips over the problem of how did he get that card? How was he originally authenticated when the card was issued?
Is the information card periodically refreshed or re-authenticated? If it lasts forever, what happens if the information is lost or copied? What happens if someone else is using his workstation? What happens when Kim switches workstations? For example, Kim decides to check his CNNPolitics profile from a friend’s house? He’ll likely have to obtain a new card. I suspect that will involve some form of authentication with his managed card provider. It is clear, while InfoCards may reduce the need for authentication and passwords, it does not eliminate them.
Like Phil, I am also a big fan of Information Cards. OpenID, not so much. I would like to see something reduce the reliance on passwords regardless of which technology ultimately gets adopted. But currently I don’t see either technology reducing the use of passwords for authentication for anything other than throwaway use, like authentication to leave a comment on a blog.
The way providers support the entire life-cycle of the identity seems to always involve passwords at some point, regardless of support for OpenID, Information Cards, or even, for that matter, SAML.