The ID-Vault is a USB token with secure storage for passwords on it. For only $30 you get a token that can store 30 usernames and passwords and automate your logins to major financial sites with a single click and you entering your self-selected PIN. Quite pricey for the ability to store 40 usernames and passwords, but so far so good, right?
As I look closer at the site, though, I start to get a little more disturbed. They keep talking about smartcards and such, and they may actually use something like what Gemplus uses on their cards. But I'm not sure I see the point. All over the Guardid site I see all sorts of claims about this token being two-factor authentication, about how it will prevent identity theft, and how it's tremendously secure compared to typing in your password. All this is, is a token that auto-populates a web browser with your username and password...
Several facts are clear:
- The card isn't really a smartcard. It doesn't appear to do crypto operations itself, and even if it does the data it is passing back and forth are usernames and passwords.
- The card purports to be more secure than typing in your username and password, but the threat it protects against (namely malware) can read any of its data also. So, at best it's a band-aid, and as soon as it becomes popular the malware writers will target it just like they do other applications.
- There aren't any documents about how they protect against brute forcing the PIN.
- This token costs a lot for probably not a large increase, if any, in security.
If I had $30 to spare I suppose I'd buy one of these silly things and do a real evaluation but it just doesn't feel worth it.
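The first two points above, as an added example that is not part of the original post or any vendor code: it replays what a compromised host could record from one login against a static-password site and against a challenge-response site. `PasswordSite`, `ChallengeSite`, `CryptoToken` and the HMAC-SHA256 scheme are hypothetical stand-ins chosen for illustration, not a description of how the ID-Vault works.

```python
import hashlib
import hmac
import secrets

class PasswordSite:
    """Site that accepts the static password the token fills into the browser."""
    def __init__(self, password: bytes):
        self._password = password
    def login(self, submitted: bytes) -> bool:
        return hmac.compare_digest(submitted, self._password)

class ChallengeSite:
    """Hypothetical site that verifies an HMAC over a fresh, single-use challenge."""
    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()
    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge
    def login(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._pending:
            return False                      # unknown or already used challenge
        self._pending.discard(challenge)      # single use, pass or fail
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

class CryptoToken:
    """Hypothetical token that keeps its key and only returns HMAC responses."""
    def __init__(self, key: bytes):
        self._key = key
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

def replay_outcomes():
    """Replay what the host saw in one legitimate login against each site."""
    password = b"constructed-example-password"   # constructed sample value
    pw_site = PasswordSite(password)
    seen_password = password                     # crosses the host in the clear
    assert pw_site.login(seen_password)          # the legitimate login
    static_replay = pw_site.login(seen_password)

    key = secrets.token_bytes(32)
    cr_site, token = ChallengeSite(key), CryptoToken(key)
    c1 = cr_site.new_challenge()
    r1 = token.respond(c1)                       # host sees only (c1, r1)
    assert cr_site.login(c1, r1)                 # the legitimate login
    same_challenge_replay = cr_site.login(c1, r1)
    fresh_challenge_replay = cr_site.login(cr_site.new_challenge(), r1)
    return static_replay, same_challenge_replay, fresh_challenge_replay
```

The recorded password keeps working, while the recorded challenge and response do not. Neither design helps once malware acts inside an already authenticated session; the comparison covers only what recorded login data is worth later.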
1 comment:
great post. these clow^H^H^H^H guys are on the radio all the time with commercials.