Wednesday, January 2, 2008

Opinion - IDVault

Do you bank, invest, purchase or enter a username and password combination while online? If you're like most people, you do. Did you know your accounts and perhaps your identity could be compromised? If you're like most people, you do, but the convenience factor usually overrides your wariness and you accept the risks.

Well, I'm not so accepting. So to that end I looked around for a way to secure all those usernames and passwords, plus provide a secure method to exchange them with the target site. There are a number of choices out on the market, but each had some aspect that did not match up with the general need for this type of protection.

Enter IDVault.

IDVault 2008 was announced on September 18, 2007. As more and more transactions are processed online, it becomes more and more advantageous for thieves to target these transactions.
Hopeful that a device and software combination would mitigate this risk, I selected Guard ID Systems IDVault to test.

The retail price varies just a bit, but it can be obtained for between $40 and $50. A second IDVault can be purchased for around $30 by the original owner. These prices were available via Guard ID Systems' website at the time of this writing.

The one tested was purchased directly from Guard ID, and the box contained the USB drive, USB extension cable, software CD and the various paperwork. The first thing that was noticeable was that the USB drive looked like a rubberized padlock. It has a yellow button to retract the drive connector into the body of the "lock". Overall "feel" is that of an inexpensive thumb drive.

The environment is a closed loop. IDVault presents a trimmed-down version of a browser for the actual Internet operations. It does notice when you attempt to browse to one of the sites that is part of their list and will ask if you want to use IDVault to log in. If you respond with yes, the page you are viewing is stopped and the IDVault browser appears along with the dialog boxes. Similarly, if you browse to a previously registered site, you are asked if you wish to use IDVault and the operations proceed using their trimmed-down browser.

Overall, IDVault performs on an average level. It does what they say in the ads, with only a few hiccups.
There are a number of features that slide over to the "CON" column. These are:

  • Multi-browser support is lacking (only uses your default browser, either IE or Firefox);
  • no direct editing capability for correcting URLs, usernames and other account attributes;
  • did not work with several sites tested. They were Comcast, Qwest and BestBuy. Some of these were manually added while others were part of their list of sites.

The perfect implementation would allow use with other applications, such as Quicken and the like, in addition to browsers. IDVault does not accommodate these other applications.

Opinion: For a majority of the web browsing consumers, IDVault will work adequately. For my use, it does not make the grade. For those who need a more flexible option, shop around.

BTW, Steve Gibson of Security Now podcast fame will be performing an in-depth review of IronKey, yet another secure option. Refer to Security Now #126 (AKA Listener Feedback #32) where he mentions the upcoming review.

Update 2008-03-13: Security Now #135 covers the product from IronKey

Alternative that I use:
Presently using the Open Source KeePass Password Safe to maintain usernames and passwords for all accounts. These accounts include those accessed via browsers as well as particular applications. The configuration in my situation is two USB thumb drives. One drive contains the database password (long computer generated string) and the other drive contains the database. To access the database both drives must be mounted. Both usernames and passwords are available via a paste option so keystroke loggers won't see the entries. In addition, all information is editable and easily accessed.

Side Note: In the same Security Now episode mentioned above, Steve mentions the security risks involved with the use of Opera Mini, which is their free option for mobile browsing. Bottom line, if you are concerned about security, DO NOT USE OPERA MINI!

Hopefully, in 2008, some type of general purpose online ID protection will be made available. If you are using another device for personal online ID protection, please let me know.

Other related links:
Coolest Gadgets - IDVault Review
IDVault page