Tuesday, May 15, 2007

Snakeoil or Legitimate Product?

A friend forwarded me a link for the "ID Vault" asking whether it is bogus or not. After reading through the site I honestly can't tell whether this device is well-intentioned or a complete waste of time.

The ID Vault is a USB token with secure storage for passwords on it. For only $30 you get a token that can store 30 usernames and passwords and automate your logins to major financial sites with a single click plus your self-selected PIN. Quite pricey for the ability to store 30 usernames and passwords, but so far so good, right?

As I look closer at the site, though, I start to get a little more disturbed. They keep talking about smartcards and such, and they may actually use something like the chips Gemplus puts on its cards. But I'm not sure I see the point. All over the Guardid site I see claims that this token is two-factor authentication, that it will prevent identity theft, and that it's tremendously secure compared to typing in your password. What it actually is is a token that auto-populates a web browser with your username and password...

Several facts are clear:
  • The card isn't really a smartcard. It doesn't appear to do crypto operations itself, and even if it does, what it ultimately hands to the host is plaintext usernames and passwords.
  • The card purports to be more secure than typing in your username and password, but the threat it claims to protect against (namely malware) can read whatever the token passes to the browser just as easily as it reads keystrokes. So at best it's a band-aid, and as soon as it becomes popular the malware writers will target it just like they do other applications.
  • There aren't any documents describing how they protect against brute forcing the PIN (a retry counter or lockout, for instance).
  • This token costs a lot for probably not a large increase, if any, in security.
Now, if folks like Citibank and others started actually issuing certificates you could store on your smartcard, and authenticating with actual smartcard-type operations such as challenge-response, maybe this sort of thing would catch on. There are already a large number of players in that field, though, and I don't think the Verisign, RSA, and Aladdin folks are sweating Guardid much.
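To make the two points above concrete (an auto-fill token hands host malware a reusable credential, while the challenge-response design the post wishes banks would adopt does not), here is an added toy simulation. It is not code from the post or from Guardid: the token internals, the "compromised host" hook, the site name, account, PIN and device key are all constructed for illustration, and the real ID Vault's storage format and protocol are unknown to me.

```python
import hashlib
import hmac
import os

# Constructed sample data: one account on a hypothetical banking site.
SITE = "bank.example"
USER = "alice"
PASSWORD = "correct horse battery staple"
PIN = "4271"
DEVICE_KEY = os.urandom(32)   # shared between token and server at enrollment (assumed)


class CompromisedHost:
    """The PC the token is plugged into. Malware here records everything the
    token hands to the browser, just as a form-grabber records typed logins."""

    def __init__(self):
        self.captured = []

    def relay(self, payload):
        self.captured.append(payload)   # malware's copy
        return payload                   # browser's copy


class PasswordVaultToken:
    """Auto-fill token: after a PIN check it releases the stored plaintext
    credential to the host (the behaviour the post describes)."""

    def __init__(self, pin, entries):
        self._pin, self._entries = pin, dict(entries)

    def autofill(self, host, pin, site):
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("bad PIN")
        return host.relay(self._entries[site])   # (user, password) leaves the token


class ChallengeResponseToken:
    """Smartcard-style token: the per-site key never leaves the device; it
    only emits an HMAC over a server-chosen challenge."""

    def __init__(self, pin, keys):
        self._pin, self._keys = pin, dict(keys)

    def respond(self, host, pin, site, user, challenge):
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("bad PIN")
        tag = hmac.new(self._keys[site], challenge, hashlib.sha256).digest()
        return host.relay((user, challenge, tag))


class PasswordServer:
    def __init__(self, accounts):
        self._accounts = accounts

    def login(self, user, password):
        return hmac.compare_digest(self._accounts.get(user, ""), password)


class ChallengeServer:
    def __init__(self, keys):
        self._keys = keys
        self._outstanding = set()

    def challenge(self):
        c = os.urandom(16)
        self._outstanding.add(c)
        return c

    def login(self, user, challenge, tag):
        if challenge not in self._outstanding:
            return False                       # never issued, or already used
        self._outstanding.discard(challenge)   # each challenge is single-use
        expected = hmac.new(self._keys[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def password_token_replay():
    """Alice logs in via the vault token; malware later replays what it saw
    from the attacker's own machine. Returns True if the replay works."""
    host = CompromisedHost()
    token = PasswordVaultToken(PIN, {SITE: (USER, PASSWORD)})
    server = PasswordServer({USER: PASSWORD})
    assert server.login(*token.autofill(host, PIN, SITE))   # legitimate login
    user, pw = host.captured[0]                               # malware's haul
    return server.login(user, pw)                             # reusable forever


def challenge_token_replay():
    """Same scenario with a challenge-response token. Returns True if either
    replaying the captured response or reusing its tag on a fresh challenge works."""
    host = CompromisedHost()
    token = ChallengeResponseToken(PIN, {SITE: DEVICE_KEY})
    server = ChallengeServer({USER: DEVICE_KEY})
    assert server.login(*token.respond(host, PIN, SITE, USER, server.challenge()))
    user, old_challenge, old_tag = host.captured[0]
    replay = server.login(user, old_challenge, old_tag)   # challenge already consumed
    forge = server.login(user, server.challenge(), old_tag)   # tag is bound to the old nonce
    return replay or forge
```

The vault design fails because the secret itself crosses the host; the challenge-response design denies the attacker anything reusable, since the key never leaves the device and each response is bound to a single-use nonce. The caveat still stands: a trojan on the same host can drive the plugged-in token (or ride the authenticated session) in real time, so challenge-response raises the bar against credential theft rather than making the compromised PC safe.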

If I had $30 to spare I suppose I'd buy one of these silly things and do a real evaluation but it just doesn't feel worth it.

1 comment:

Anonymous said...

Great post. These clow^H^H^H^H guys are on the radio all the time with commercials.