Today’s simple username/password system is a single-factor authentication mechanism—your credentials are the only information necessary. When an evildoer has that information, whether it was stolen with a keylogger or a “phishing” email, you’re screwed.
Two-factor authentication schemes are much more secure. They require you to know something and to have something before your account information is unlocked.
GuardID tries to create a two-factor authentication scheme with its clever ID Vault USB key, er, “password lock-box.” You program the key with a master PIN, and then browse to, say, your bank’s website. Once there, ID Vault encrypts and stores your username and password on a smart chip in the key. You will then need the key to be plugged into your PC whenever you want to access that website. Furthermore, anytime you visit a website that requires a username and password, the ID Vault software will ask if you want to add that info to the vault.
With the account information safely on the key, you never have to type your password or username again—just your master PIN, via an onscreen keyboard, which is resistant to keylogging.
The ID Vault compares financial website IP addresses with its own database of known addresses and alerts you to a possible phishing attempt if the address is incorrect. This should protect you if your PC’s hosts file, or even your ISP’s DNS cache, has been poisoned to redirect you from Wells Fargo to a server in Paraguay.
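One way the address check described above could be implemented, as an added example rather than GuardID’s own code: it resolves a site the way the OS would (hosts file first, then DNS), then compares the result with a pinned list of known addresses. The pinned addresses, the hosts-file text, and the resolver callback are constructed placeholders.

```python
import ipaddress
from typing import Callable, Dict, Optional, Set

# Constructed placeholder database: site -> addresses it is known to use.
# These are documentation-range addresses, not any bank's real ones.
KNOWN_ADDRESSES: Dict[str, Set[str]] = {
    "www.wellsfargo.com": {"203.0.113.10", "203.0.113.11"},
    "www.examplebank.com": {"198.51.100.5"},
}


def parse_hosts_file(text: str) -> Dict[str, str]:
    """Map each hostname in hosts-file text to its address.

    Skips comments, blank and malformed lines; the first entry for a name
    wins, matching how the OS resolver consults the file.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first field is not an IPv4/IPv6 address
        for name in parts[1:]:
            mapping.setdefault(name.lower(), addr)
    return mapping


def check_site(host: str, hosts_text: str,
               dns_resolve: Callable[[str], str]) -> Optional[str]:
    """Return a warning if host resolves to an unknown address, else None.

    A hosts-file entry overrides DNS, so a poisoned hosts file is caught
    even when the ISP's DNS answer is correct, and vice versa.
    """
    pinned = KNOWN_ADDRESSES.get(host.lower())
    if pinned is None:
        return None  # not a site in the database; nothing to compare
    local = parse_hosts_file(hosts_text)
    if host.lower() in local:
        addr, source = local[host.lower()], "hosts file"
    else:
        addr, source = dns_resolve(host), "DNS"
    if addr in pinned:
        return None
    return (f"possible phishing: {host} resolves via {source} to {addr}, "
            f"expected one of {sorted(pinned)}")
```

A real deployment would also have to keep the pinned list current, since a bank that changes hosting providers would otherwise trigger the same warning as a poisoned lookup.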
We found the ID Vault to be a great concept but somewhat lacking in execution. First, the key relies on Microsoft’s .NET runtime, so it’s not particularly portable. Firefox users are also out of luck, for now at least. And even worse, if you’re at a public Internet terminal or a friend’s house, you can’t use the key without installing software.
That effectively neutralizes the key for people who lack security discipline. For paranoids who would never use an unclean computer for sensitive work, the lack of portability isn’t an issue. But still, why not store the software you need on the key itself? And couldn’t it be a little smaller?
Despite these limitations, we see potential here. If the company can figure out a guest mode that doesn’t require software installation, it could be a kick-ass device. Right now, it’s suited primarily for the hyper-vigilant.