And as mentioned above you do not need to have a token to get second-factor authentication a VeriSign provided free browser certificate can provide the same level of comfort.

Also one thing to keep in mind is our Browser Certificate feature. If a user does not have a physical token but wants the comfort of having their username/password backed by a second-factor (”something you know, something you have”) installation of a certificate that is bound to the browser can provide this.

So essentially you can store your credentials and have access into the PiP backed up by a browser certificate to provide a high-level of security.

Check that out and let me know what you think.

I also have to add some thoughts and ideas to the topic.
First I would like to point out that we are a German-based service doing essentially the same as our pals from VeriSign. We have been out in the beta phase since march, 08. We are currently working on the localization; no English frontend available at the moment, but is just around the corner (in case you want to try it out, just give us a couple of more days or let me walk you through the German interface).
I will stick to the enumerated numbers Gary used when replying so we all know what we’re talking about.

1.) Gary, if you store the encrypted data in your database, you still log on the user directly. Is this correct? So your system needs to know the pw/user combination. Having a malicious in-house attack on your database would still lead to the disclosure of all your users passwords. Correct? Or how could you possibly log a user in without having the passwords?
Do you encrypt your traffic to other sites you log in? If so, how do you handle sites that are not based on https/ssl (since there are numerous examples).

2. Eingelogged.de is fully capable of that. Just wait for the multi-language interface

3. We address the keylogger issue and are fully aware of the problem. Unfortunately I cannot present the solution at this very moment in public as it will be available very soon. We have to keep this under the radar for a couple of more days.

4. We directly log you in. No form-filling needed. I might want to point out that we use a 128bit ssl encryption for your traffic.

5. We also lack this feature. It’s on the roadmap.

6. Totally possible with eingelogged.de
And yes, we agree that this is one of the very strong features of the internet. This is in our view also one of the main drawbacks that OpenID and others have: Sometimes I just want to be somebody else cruisin’ the net and not myself.
Various identities for various jobs are just one of the big features of the internet: And we all have to admit we do this every once in a while.

additional features we offer:
-Log-in all (one-button-login for all services in certain profiles)
-profiles for your logins (to especially refer to Tinx’s point #6: We totally address this issue)
-You don’t have to carry anything with you; not even a USB device. Just an internet connection and a browser (this especially refers to #3; as of yet, you still have to wait for the availabilty of the solution some more days).

Looking forward to your feedback.

Thank you for post a comment on my post

Regarding your comment :

1. Thank you for clarifying this, I forgot the fact that you encrypt the login details in the first place I just realized this after I signed up to your PiP. That’s right! I’ve decided to give it a try
2. If you could also support multiple logins for the same site, that would be great
3. Well, Paypal token is not available for Australian users Is it possible to use a token from my local bank ? And if there’s a backdoor trojan in my computer, then the browser certificate is pretty much useless, right ?
But if I use Roboform Portable, no one can access my data unless they get my USB Token
4. That’s great. Another reason why I would use PiP
5. Thanks
6. It was related to #2. With Roboform I could manage several identities. Even thought there’s one 1 person (me), I could use 1 identity for real / useful sites, 1 identity for probably a scam / trash sites, etc.

In summary, it’s almost comparable to Roboform and it might be better when it’s out from Beta.
My suggestion is to provide all users with a physical token. I’m sure that more people will use PiP if this given for FREE or at very low price OR if you could make something like online fingerprint / retina reader to authenticate the user ?
Add more features, and PiP will be my selected password manager in the future !

With regards to your points:

1) That is simply not true. The information that is stored in our database is an encrypted blob that only you have the key for (which is what you create when you initially enable this feature in the PiP). There is no way for us to gain access to your personal credentials.

2) This is correct. Currently we only support a single set of credentials. Since this is an initial launch of the service we had to limit things and for now that is one of the limiting factors. In your situation both you and your wife would need separate accounts on the PiP.

3) One of the features of the PiP is that it offers two additional security features. One is a browser certificate which can be used as a second factor authentication mechanism and the other is binding say your Paypal token to the service. The combination allows for an additional level of security when accessing your account.

4) By “form filling” do you mean form filling of username and passwords? If yes than for sites requiring this we provide that facility and for other sites this is not required as we’ll directly log you in.

5) This is currently correct. It is a good suggestion.

6) Is this related to your point #2? Or is this related to multiple OpenID identities? If it is the latter than that is absolutely supported.

Clearly the functionality is not as complete as Roboform nor is it intended to be. This is meant as a handy feature to allow you the flexibility across multiple devices to safely store usernames/passwords.

Hope that helps.