Welcome to Microsoft .NET Framework 3.0 Community (NetFx3)


Windows CardSpace Team Bloggers

Backing a Managed Card with Alternate Credentials

When a Managed Card is used, the user must authenticate to the identity provider (IP) in order to get a token. The choices of authentication type are username/password, Kerberos, X509 certificate, or a Self-Issued card. Each authentication type offers its own advantages and disadvantages.

- Usernames and passwords are easy to deploy, and users are familiar with them, but because they employ shared secrets they are also subject to social engineering attacks.
- Kerberos is great if your users are at work and using a card to access a federation partner's site or web service, or accessing internal services that run on other platforms and usually can't leverage their Windows identity. Since the user doesn't need to enter extra credential information when they use the card, it requires little user interaction. The downside of Kerberos is that it doesn't work well for many usage scenarios, such as when the user isn't at work.
- X509-certificate-backed cards can offer strong security, so they are a good choice in high-value scenarios. However, the scenario needs to be of high enough value to justify distributing and managing soft certificates or smart cards.
- Self-issued-backed cards offer a streamlined experience, since using them doesn't require extra user interaction (though the user can choose to PIN-protect their self-issued card). Of course, the self-issued card is stored on the machines it is used on, so it is probably not a good idea to use self-issued cards on a less trustworthy machine.
Published Monday, May 19, 2008 7:55 PM by CardSpace: Behind The Code
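As an added example (not code from the CardSpace team's post or from Microsoft), the following Python script shows how each of the four backing choices above is encoded inside a managed card's `ic:UserCredential` element, using the element names and namespaces from the Identity Selector Interoperability Profile. The card bodies, the identity provider endpoint and the thumbprint/PPID values are constructed placeholders, and the `advise` function simply applies the two deployment caveats the post states (Kerberos off the corporate network, self-issued cards on a less trusted machine).

```python
import xml.etree.ElementTree as ET

# Namespaces as published in the Identity Selector Interoperability Profile (ISIP).
NS = {
    "ic": "http://schemas.xmlsoap.org/ws/2005/05/identity",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}

# Credential element (child of ic:UserCredential) -> (authentication type, main caveat),
# following the four options discussed in the post.
CREDENTIAL_TYPES = {
    "UsernamePasswordCredential": ("username/password", "shared secret; exposed to social engineering"),
    "KerberosV5Credential": ("Kerberos", "needs the user's Windows/domain identity; weak fit off the corporate network"),
    "X509V3Credential": ("X509 certificate", "strong, but certificates or smart cards must be distributed and managed"),
    "SelfIssuedCredential": ("self-issued card", "card is stored on the machine it is used on; avoid on less trusted machines"),
}

# Constructed sample bodies for each backing credential; the identifiers are placeholders.
SAMPLE_CREDENTIALS = {
    "username": "<ic:UsernamePasswordCredential><ic:Username>alice</ic:Username></ic:UsernamePasswordCredential>",
    "kerberos": "<ic:KerberosV5Credential/>",
    "x509": (
        '<ic:X509V3Credential><wsse:KeyIdentifier '
        'ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">'
        "PLACEHOLDER_THUMBPRINT</wsse:KeyIdentifier></ic:X509V3Credential>"
    ),
    "self_issued": (
        "<ic:SelfIssuedCredential><ic:PrivatePersonalIdentifier>PLACEHOLDER_PPID"
        "</ic:PrivatePersonalIdentifier></ic:SelfIssuedCredential>"
    ),
}


def card_xml(cred_element: str) -> str:
    """Return a simplified managed card (constructed, not a real .crd) backed by cred_element."""
    return f"""<ic:InformationCard xmlns:ic="{NS['ic']}" xmlns:wsa="{NS['wsa']}" xmlns:wsse="{NS['wsse']}">
  <ic:CardName>Example Managed Card</ic:CardName>
  <ic:Issuer>https://idp.example.test/sts</ic:Issuer>
  <ic:TokenServiceList>
    <ic:TokenService>
      <wsa:EndpointReference><wsa:Address>https://idp.example.test/sts</wsa:Address></wsa:EndpointReference>
      <ic:UserCredential>
        <ic:DisplayCredentialHint>Sign in to Example IdP</ic:DisplayCredentialHint>
        {cred_element}
      </ic:UserCredential>
    </ic:TokenService>
  </ic:TokenServiceList>
</ic:InformationCard>"""


def backing_credential(xml_text: str) -> tuple:
    """Parse a card and return (authentication type, caveat) for its backing credential."""
    root = ET.fromstring(xml_text)
    cred = root.find("ic:TokenServiceList/ic:TokenService/ic:UserCredential", NS)
    if cred is None:
        raise ValueError("card has no ic:UserCredential element")
    for child in cred:
        local_name = child.tag.rsplit("}", 1)[-1]  # strip the namespace URI
        if local_name in CREDENTIAL_TYPES:
            return CREDENTIAL_TYPES[local_name]
    raise ValueError("card carries no recognised backing credential")


def advise(xml_text: str, on_corporate_network: bool, trusted_machine: bool) -> list:
    """Apply the post's two deployment caveats to a card and return any warnings."""
    auth_type, _ = backing_credential(xml_text)
    warnings = []
    if auth_type == "Kerberos" and not on_corporate_network:
        warnings.append("Kerberos-backed card is unlikely to work away from the corporate network")
    if auth_type == "self-issued card" and not trusted_machine:
        warnings.append("self-issued backing card is stored locally; not advisable on a less trusted machine")
    return warnings


def classify_all() -> dict:
    """Classify every constructed sample card; used for the demonstration below."""
    return {name: backing_credential(card_xml(body))[0] for name, body in SAMPLE_CREDENTIALS.items()}


if __name__ == "__main__":
    for name, auth_type in classify_all().items():
        print(f"{name:12s} -> {auth_type}")
    print(advise(card_xml(SAMPLE_CREDENTIALS["self_issued"]), on_corporate_network=False, trusted_machine=False))
```

The classifier looks only at which child element `ic:UserCredential` carries, which is all an identity selector needs to decide what to prompt the user for; the warnings are a reading of the post's guidance, not a policy the card format itself enforces.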

Comments


CardSpace Blogs said:

When a Managed Card is used, the user must authenticate to the identity provider (IP), in order to get

May 19, 2008 9:52 PM
