Verisign just re-launched their Beta Personal Identity Portal [via TechCrunch], but I don’t think I’ll ever sign up for that.
Why? Here are my 6 reasons:
- It will store your login details on their web server, which I sure hope will never get hacked.
- From what I know, it can only store one login detail for one website (please correct me if I’m wrong). So this won’t work for me, because if you’re like me, you will have several Gmail accounts :). At least 1 for me and 1 for my wife.
- The most important thing is, if you have spyware / a keylogger on your computer and you have an OpenID account, that means your attacker can just use one ID to access various websites. Imagine that!
- There’s no form filling facility.
- No password generator.
- No multiple identities capability.
Now, all of the above is currently supported by Roboform, and those who need to use their login details on another computer can simply get the Roboform Portable version.
Another thing that I like about Roboform is that I could customize my Roboform search box as well.
But on the other hand, the only thing that will force me to use Verisign PIP or something similar is when I need to use my smart mobile phone for browsing more often, because there’s no version of Roboform that can be used on a mobile device at the moment.
So that’s it. My 6 minus 1 reasons why I won’t use Verisign PIP.
What about you?

August 22nd, 2008 at 5:26 am
Hi: As the technical director for the PiP/SeatBelt project here at VeriSign I had to respond.
With regards to your points:
1) That is simply not true. The information that is stored in our database is an encrypted blob that only you have the key for (which is what you create when you initially enable this feature in the PiP). There is no way for us to gain access to your personal credentials.
2) This is correct. Currently we only support a single set of credentials. Since this is an initial launch of the service we had to limit things and for now that is one of the limiting factors. In your situation both you and your wife would need separate accounts on the PiP.
3) One of the features of the PiP is that it offers two additional security features. One is a browser certificate which can be used as a second factor authentication mechanism and the other is binding say your Paypal token to the service. The combination allows for an additional level of security when accessing your account.
4) By “form filling” do you mean form filling of username and passwords? If yes, then for sites requiring this we provide that facility, and for other sites this is not required as we’ll directly log you in.
5) This is currently correct. It is a good suggestion.
6) Is this related to your point #2? Or is this related to multiple OpenID identities? If it is the latter, then that is absolutely supported.
Clearly the functionality is not as complete as Roboform nor is it intended to be. This is meant as a handy feature to allow you the flexibility across multiple devices to safely store usernames/passwords.
Hope that helps.
August 22nd, 2008 at 2:51 pm
Hi Gary,
Thank you for posting a comment on my post.
Regarding your comment:
1. Thank you for clarifying this, I forgot the fact that you encrypt the login details in the first place.
I just realized this after I signed up to your PiP. That’s right! I’ve decided to give it a try.

Is it possible to use a token from my local bank? And if there’s a backdoor trojan in my computer, then the browser certificate is pretty much useless, right?


2. If you could also support multiple logins for the same site, that would be great
3. Well, Paypal token is not available for Australian users
But if I use Roboform Portable, no one can access my data unless they get my USB Token
4. That’s great. Another reason why I would use PiP
5. Thanks
6. It was related to #2. With Roboform I could manage several identities. Even though there’s 1 person (me), I could use 1 identity for real / useful sites, 1 identity for probably scam / trash sites, etc.
In summary, it’s almost comparable to Roboform and it might be better when it’s out of Beta.
OR if you could make something like an online fingerprint / retina reader to authenticate the user?
My suggestion is to provide all users with a physical token. I’m sure that more people will use PiP if this is given for FREE or at a very low price.
Add more features, and PiP will be my selected password manager in the future!
August 25th, 2008 at 8:53 pm
Hi Tinx, hi Gary,
I also have to add some thoughts and ideas to the topic.
First I would like to point out that we are a German-based service doing essentially the same as our pals from VeriSign. We have been out in the beta phase since March 08. We are currently working on the localization; no English frontend is available at the moment, but it is just around the corner (in case you want to try it out, just give us a couple more days or let me walk you through the German interface).
I will stick to the enumerated numbers Gary used when replying so we all know what we’re talking about.
1.) Gary, if you store the encrypted data in your database, you still log on the user directly. Is this correct? So your system needs to know the pw/user combination. Having a malicious in-house attack on your database would still lead to the disclosure of all your users’ passwords. Correct? Or how could you possibly log a user in without having the passwords?
Do you encrypt your traffic to other sites you log in to? If so, how do you handle sites that are not based on https/ssl (since there are numerous examples)?
2. Eingelogged.de is fully capable of that. Just wait for the multi-language interface.
3. We address the keylogger issue and are fully aware of the problem. Unfortunately I cannot present the solution at this very moment in public as it will be available very soon. We have to keep this under the radar for a couple of more days.
4. We directly log you in. No form-filling needed. I might want to point out that we use 128-bit SSL encryption for your traffic.
5. We also lack this feature. It’s on the roadmap.
6. Totally possible with eingelogged.de
And yes, we agree that this is one of the very strong features of the internet. This is in our view also one of the main drawbacks that OpenID and others have: Sometimes I just want to be somebody else cruisin’ the net and not myself.
Various identities for various jobs are just one of the big features of the internet: And we all have to admit we do this every once in a while.
Additional features we offer:
- Log-in all (one-button login for all services in certain profiles)
- Profiles for your logins (to especially refer to Tinx’s point #6: we totally address this issue)
- You don’t have to carry anything with you; not even a USB device. Just an internet connection and a browser (this especially refers to #3; as of yet, you still have to wait some more days for the availability of the solution).
Looking forward to your feedback.
August 26th, 2008 at 2:10 am
Thanks a lot “Tinx” for your comments. With regards to providing users with tokens (you may email me under a separate cover…:-)) but in general the cost of a Paypal token makes it very advantageous to users: https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/PPSecurityKey-outside
Also one thing to keep in mind is our Browser Certificate feature. If a user does not have a physical token but wants the comfort of having their username/password backed by a second factor (“something you know, something you have”), installation of a certificate that is bound to the browser can provide this.
So essentially you can store your credentials and have access into the PiP backed up by a browser certificate to provide a high-level of security.
Check that out and let me know what you think.
August 26th, 2008 at 2:14 am
Sven: We *do not* know the credential information of our users. I’m not going to go into the details as to “how” we do this but the scenario you presented is not possible with our system.
And as mentioned above, you do not need to have a token to get second-factor authentication; a VeriSign-provided free browser certificate can provide the same level of comfort.
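The model debated in the comments above ("an encrypted blob that only you have the key for"), as an added example that is not part of the original post or comments and is not VeriSign's code, which the thread says was not disclosed. It assumes decryption happens only on the client, with hypothetical names (`sealVault`, `openVault`, `serverDb`) and Node's built-in `crypto`; the passphrase is still typed on the client, so a keylogger there remains in scope.

```javascript
const crypto = require('crypto');

// Client side: the key is derived from a passphrase that is never uploaded.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Client side: encrypt the credential list with AES-256-GCM before upload.
function sealVault(passphrase, credentials) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(credentials), 'utf8'), cipher.final()]);
  // Only these four fields reach the server; none reveals the passphrase or key.
  return { salt: salt.toString('base64'), iv: iv.toString('base64'),
           tag: cipher.getAuthTag().toString('base64'), ct: ct.toString('base64') };
}

// Client side: returns the credentials, or null if the passphrase is wrong
// or the blob was modified (the GCM tag check fails in both cases).
function openVault(passphrase, blob) {
  const b = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(passphrase, b(blob.salt));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, b(blob.iv));
  decipher.setAuthTag(b(blob.tag));
  try {
    const pt = Buffer.concat([decipher.update(b(blob.ct)), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch (err) {
    return null;
  }
}

// Server side (hypothetical): an opaque store keyed by account name.
const serverDb = new Map();

function demo() {
  // Constructed sample data, not real credentials.
  const creds = [{ site: 'mail.example', user: 'alice', password: 'constructed-sample' }];
  serverDb.set('alice', sealVault('correct horse battery staple', creds));
  const stored = serverDb.get('alice');
  return {
    leaksPlaintext: JSON.stringify(stored).includes('constructed-sample'),
    insiderGuess: openVault('wrong passphrase', stored), // what a database reader gets
    owner: openVault('correct horse battery staple', stored),
  };
}
```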
August 26th, 2008 at 11:35 am
I honestly didn’t know that the Paypal token is available for Australian users as well.
It’s only AUD 7.50.
I might order one.