Two Fridays ago, I announced ZDNet's Deputy Tester of the Week program. The following Monday, in search of our first deputy testers, I offered three free copies of PPTMinimizer 3.0 to the members of ZDNet's audience who needed a utility like that for compressing PowerPoint files into more manageable sizes (for whatever reasons). There were over 175 responses to that giveaway (not including some of my own replies to some questions that were asked). This past Friday, I identified three 'entries', the authors of which are each entitled to one copy of PPTMinimizer 3.0. If you are one of the ZDNet audience members who authored those TalkBacks, all you have to do now is let me know via e-mail. Read this for more details.
This week, I'm looking to deputize two of ZDNet's audience members into reviewing the IDVault from GuardID Systems. The street price for IDVault is about $50. As with the three copies of PPTMinimizer, the tech is yours to keep once I send it to you. After first spotting IDVault at a trade show in NYC, I asked company officials if they'd be willing to participate in our Deputy Tester of the Week program and they agreed. Then, I asked them to make their best pitch as to why ZDNet's audience members should take notice. Here's how Greg Marek, the company's vice president of marketing, responded:
ID Vault protects you from online identity theft and online fraud when you bank, shop and invest online. ID Vault looks like a USB flash drive, but it’s actually a key that locks access to your online accounts. With ID Vault, you’re protected from phishing, pharming, keystroke logging, Trojan Horses, and other sophisticated online fraud schemes.
Anti-virus and security software may protect your PC, but they don’t protect you when you are most vulnerable—when you conduct financial transactions online. ID Vault constantly monitors more than 7,000 financial Web sites to ensure that you’re logging in to a legitimate site, and not a fraudulent copy designed to steal your identity—and your money. Plus, ID Vault encrypts and stores your usernames and passwords in hardware, where cyber criminals can’t access them. ID Vault logs you into your favorite accounts automatically, without typing. This protects you from keystroke loggers and screen capture malware, as you don’t type in your account credentials for criminals to steal. ID Vault is convenient, too. No more forgotten passwords or scraps of paper with passwords written on them.
GuardID's Web site goes on to describe IDVault as a form of two-factor security. While Marek's pitch seems pretty straightforward, describing IDVault as a form of two-factor security may be a bit of a stretch. In computer security land, experts often discuss three factors of security: what you know, what you have, and who you are. Most Web sites are based on a single factor of security: the what you know part (user ID and password). ATM machines are based on two factors of security: what you know (your PIN) and what you have (your ATM card, otherwise known as a "security token"). The third factor -- the who you are part -- is usually based on some form of biometrics like fingerprint or iris recognition.
For your online accounts to truly be protected by multi-factor security (two or more factors), the providers of those online accounts have to require those multiple factors. In the case of IDVault, it's really more like client-side multi-factor security. If, for example, someone somehow manages to get the user ID and password to your online bank account, IDVault's "two-factor security" scheme can't stop them from logging in the way the bank could if it required two or more factors of security (which most US banks don't require... see why). Even so though, IDVault is probably like 1.5 factors of security. That's because, when you visit some Web site that requires an ID and password, it will automatically enter your credentials for you. This way, if a keystroke logger were surreptitiously loaded onto your machine, it couldn't capture the keystrokes that you might normally use to log into your bank account.
In terms of that auto login promise, IDVault reminds me very much of what Trusted Platform Modules were supposed to give us. Unfortunately, TPMs aren't available in every machine. Lenovo's ThinkPads have them as do some Dells (so I've heard). But they're hardly universal. It's a shame because TPMs include an API whereby Web sites (especially financially oriented ones like eBay) could interact with them as though they were a universal ATM card (in other words, a single security token that can serve as the what you have factor-of-security for multiple Web sites at the same time). Not only does the Lenovo ThinkPad X60 tablet I'm testing right now have a TPM, it has a fingerprint reader that unlocks its secrets as well. Logging into the X60 requires my thumb. No thumb, no access to the X60. No access to the X60, no access to the Web sites that its TPM will automatically log you into.
In some ways, IDVault is actually more flexible than a TPM. Like a TPM, it stores the IDs and passwords to the Web sites you frequent. But whereas a TPM is usually soldered to the motherboard of your computer (actually turning your entire computer into the what you have factor of security), IDVault is portable. You can move it from one computer to another since it is USB-based. In other words, you can theoretically take your IDVault with you and use it on other PCs (something I'd love for our Deputy Tester of the Week to try out).
Whereas my thumbprint is required to gain access to the secrets in my ThinkPad's TPM, only a PIN code is required to unlock the secrets stored (and encrypted) in an IDVault. A cool next step for GuardID Systems would be to put a fingerprint reader right on the USB key, thereby requiring the who you are factor of security to gain access to its encrypted secrets.
One other small caveat to the IDVault: it only works with Windows (according to the Web site, Windows Vista is supported).
To participate in ZDNet's Deputy Tester of the Week program, there are some rules and regulations that you should read (to keep our lawyers happy). Then, using the ZDNet TalkBack facility on this blog entry, make your best pitch as to why I should send one of the two IDVaults I have here in my office to you.
Keep in mind we’re looking for people who can tell us why they’re the most qualified to test the product in their real world environments. And then, once you receive the product, I’d love to hear back from you regarding your findings. Even if I don’t, you get to keep the product. Finally, if you are "applying" to join ZDNet's posse of deputy testers, be sure to check back on Friday to see whether you've been accepted into the program, or not. So, good luck and let the TalkBacks begin!