Associating Cards with User Accounts

Typically, users log in to a web site with a username and password, and both are required to authenticate. A site that supports information cards is really stating that it supports authentication against a set of claims. As I have mentioned, those claims might be a username, email address, birth date, or some other information. But anyone can discover this information and create a card with the same data, so before we can authenticate these claims, we need to know that the claims came from a trusted source. If it were a managed card, the token would be signed with the trusted identity provider’s private key. In the case of self-issued tokens, we need to look at alternate ways to establish trust.

One approach is to associate the card with the user account. That implies that the user must log in with her username and password before selecting a card to send to the site for the first time. Once logged in, the user can select a card, which sends the security token to the site. If the claims posted with the card include the user’s email address, this can be compared to the logged-in user’s email to verify that the card matches the user. In addition, the private personal identifier (PPID) of the card can be stored and used to associate that specific card with the user’s account:

// Look up the account of the user who is already logged in with username/password.
MembershipUser user = Membership.GetUser(this.User.Identity.Name);

// Only bind the card to the account if the card's email claim matches the account's email.
if (user.Email == emailClaim)
{
  // Store the card's PPID so this specific card can be recognized on later visits.
  user.Comment = ppidClaim;
  Membership.UpdateUser(user);
}
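The full association flow described above, as an added example (not the book's code): the first call binds a card to an account that is already logged in with a password, and the second call authenticates a later visit from the stored PPID. It assumes the token's signature has already been verified and its claims have been extracted into a dictionary keyed by claim type URI (the dictionary itself is hypothetical; the claim URIs are the standard ones for personal cards).

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;

// Added example, not the book's code. Assumes the token's signature has already
// been verified and its claims placed in a dictionary keyed by claim type URI.
public static class CardAssociation
{
    // Claim type URIs used by personal (self-issued) cards.
    const string EmailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";
    const string PpidClaim  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier";

    // Step 1: the user is already logged in with username/password (identity
    // name passed in). Bind the presented card to that account only if the
    // card's email claim matches the account's email.
    public static bool Associate(string loggedInUserName, IDictionary<string, string> claims)
    {
        string email, ppid;
        if (!claims.TryGetValue(EmailClaim, out email) || !claims.TryGetValue(PpidClaim, out ppid))
            return false;                       // card did not carry the required claims

        MembershipUser user = Membership.GetUser(loggedInUserName);
        if (user == null || !string.Equals(user.Email, email, StringComparison.OrdinalIgnoreCase))
            return false;                       // card does not belong to this account

        user.Comment = ppid;                    // the book stores the PPID in Comment; a dedicated column is cleaner
        Membership.UpdateUser(user);
        return true;
    }

    // Step 2: a later visit presents only the card. The email claim selects the
    // candidate account; the stored PPID is what actually proves it is the same card.
    public static string AuthenticateByCard(IDictionary<string, string> claims)
    {
        string email, ppid;
        if (!claims.TryGetValue(EmailClaim, out email) || !claims.TryGetValue(PpidClaim, out ppid))
            return null;

        foreach (MembershipUser candidate in Membership.FindUsersByEmail(email))
        {
            if (string.Equals(candidate.Comment, ppid, StringComparison.Ordinal))
                return candidate.UserName;      // authenticated; caller issues the forms auth cookie
        }
        return null;                            // no association yet: require password login first
    }
}
```

Because the email claim in a self-issued card is user-asserted, it only narrows the search; the exact PPID match is what authenticates, so a card that was never associated falls back to the password login.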

The PPID ...
