Pros & Cons
-
- Stores and retrieves passwords using two-factor authentication.
- Special handling for 7,000+ financial institutions.
- Protects against phishing, pharming, and keylogging.
- Automatically captures log-in data for nonfinancial sites.
-
- Limited to 40 passwords.
- Problems with American Express.
- Some bugs and user interface problems.
- No option to organize favorites.
- No help, just a PDF manual.
When you go to withdraw cash from an ATM, you need two forms of authentication—the ATM card (something you have) and your PIN (something you know). GuardID's ID Vault applies this same sort of two-factor authentication to your online financial transactions. You have the ID Vault itself (a smart-card USB device), and you know its PIN. The device will store log-in data for up to 40 sites, with special protection for over 7,000 known financial sites.
Next you register Web sites and credentials for your various financial institutions. You can select "Create Financial Secure Favorite" from the Start menu, from the program's tray menu, or from the Favorites menu in Internet Explorer. Before registering some sites, you must successfully log in at least once using Internet Explorer—Firefox support for ID Vault is still in beta. You enter your username in the usual fashion, and you can also enter a personalized name for the favorite, such as "AmEx Platinum" rather than the default "American Express." Just in case a keylogger is present, you don't type the password. Rather, you click its characters using an on-screen keyboard. When finished, you validate the new favorite by entering your ID Vault PIN either from the keyboard or from an on-screen keypad.
The database does more than just identify known financial sites. It also lets ID Vault navigate the multipage log-in systems that some sites use for added security. If your particular bank, credit union, or brokerage isn't listed, you can recommend it for inclusion in the database. And if you start to log in manually to a financial site that ID Vault recognizes, it will offer to record a Financial Secure Favorite.
ID Vault will also store credentials for sites not in its database. It notices when you submit your username and password and offers to save those credentials as a secure favorite, much as
ID Vault's software protection functions even when it isn't plugged in; it will prompt you to insert the device when needed. And you can freely download and install the software on any Microsoft Windows XP or Vista system, so you can log in securely from any computer where your privilege level allows software installation. There's an option to back up your log-in data to either a paper copy (store it in a safe place!) or to a second ID Vault. GuardID recommends the latter, likening it to keeping a spare house key.
To visit one of your secure sites, just select the corresponding favorite from the ID Vault tray menu or from Internet Explorer's Favorites menu. Naturally, you must supply your PIN to log in. You can set ID Vault to require the PIN for every transaction or to cache it from 1 to 120 minutes (RoboForm's Master Password feature offers a similar option). A Financial Secure Favorite will launch in ID Vault's own secure browser, which is based on Internet Explorer but doesn't allow add-ins of any kind. Non-financial favorites don't get the special browser treatment, but ID Vault masks the browser window during the log-in process.
One nice feature is that if you enter a password that's associated with a Secure Financial site into some other site, ID Vault will warn of possible fraud. So, for example, if a phishing scam tricks you into entering your PayPal password at a different URL that only looks like PayPal, you'll get a warning. If a more serious
But Does It Work?
I installed the ID Vault software on my main workhorse system, initialized the device, and started recording financial Web sites. It had no trouble registering my daily-use credit card. It also managed the multipage log-in for my checking account, something that Robo-Form couldn't do. When I manually started logging in to www.paypal.com, ID Vault noticed and offered to record it as a Financial Secure Favorite. My gas-station credit card didn't qualify—only banks, credit unions, and brokerages are in the financial data-base. But ID Vault had no trouble recording the gas-station card as an ordinary secure favorite.
I hit a snag, though, when I tried to save log-in credentials for an American Express card. ID Vault popped up a big red "DANGER" warning stating that the address for the site did not match the address in their database. In other words, it suspected a phishing or pharming attack . . . even though the address came from its own database. A GuardID representative explained that American Express has an unusual habit of changing the IP addresses of its Web sites on a weekly basis. He said the weekly updates to ID Vault's database are mostly driven by AmEx and recommended that I keep trying—but I never did get it to work. It seems that you can't rely on ID Vault to manage log-in data for American Express in particular, since on any given day it might be rejected.
ID Vault captured the log-in data for a number of other non-financial sites without any trouble. In some cases, I realized that my account information was outdated. Rather than record the old data, I clicked "Not Now" when ID Vault offered to save a favorite. I logged in, updated the account data, and logged out. But when I logged in again, ID Vault did not offer to save anything, not even if I exited and restarted the browser. My GuardID contact confirmed that this is a bug—sometimes a "Not Now" response is treated the same as "Never." He recommended that I clear the list of "Never Ask Sites" and try again. That fixed it. It's a little confusing, though, and not particularly user-friendly. Even when that list is empty, the configuration dialog says it's not. And there's no way to view the contents of the list. This part of ID Vault clearly needs tweaking if the company wants to appeal to mom-and-pop type customers.
I tried logging in to my router via its IP address, since RoboForm can capture and automate this type of secure log-in. But ID Vault doesn't capture or fill authentication information for Windows secure log-in dialogs—only for browser windows. Certainly, the average user will have many more Web-based log-ins than hardware-based ones.
A couple of times I recorded log-in information and realized only afterward that the account was associated with an antique e-mail address. When I changed the account at the Web site and then went to change the stored information in the ID Vault, I found that ID Vault wouldn't allow it. You can change the username and password for Financial Secure Favorites, but for regular items, you have to record the log-in process again. Once I got more than a dozen favorites in the alphabetic list, I began to wish for the ability to organize them into folders, à la RoboForm. I can imagine that scanning through the maximum of 40 entries all in one long list could be awkward.
ID Vault's strength lies in managing and protecting your connections with financial Web sites. These sites are the most common targets for phishing and pharming attacks, and ID Vault protects against those admirably. It even opens financial sites in its own secure browser. It's less effective as a general Web-site password manager, but protecting your brokerage account is a lot more important than protecting your webmail.
More Security Suites:
Final Thoughts
ID Vault
ID Vault stores and retrieves your financial site passwords on a secure smart-card USB device. It protects against phishing, pharming, and keylogging, and opens your financial transactions in a secure browser. It's less effective as a manager of non-financial Web-site passwords, but that's not its focus.