Healthy Passwords



Symantec / Verisign Personal Identity Portal Beta

Symantec recently acquired Verisign’s VIP authentication service. Verisign launched the service in 2009. Symantec’s offering folds the older VIP service into a new “Personal Identity Portal” promising one-click sign-in for all websites. This offering from Symantec has five basic features:

  1. OpenID provider support.

  2. One-click sign-on via a new cloud-based password manager service.

  3. Your own customizable PIP page.

  4. Online File Vault to store your sensitive documents securely.

  5. Several multi-factor authentication offerings.

PIP Account Protection

Setting up your PIP account involves going to PIP.verisignlabs.com and entering a username, password, and email address. Only the OpenID is created from the basic signup.


Users log in to PIP once and then access any configured OpenID-compatible website without passwords while they remain logged into PIP. If every site supported OpenID, users would only use a password to log in once per day.

As promising as OpenID sounds, its adoption rate has been slow. A site can only be a provider or consumer of OpenID credentials. Many large sites, such as PIP, Google and Yahoo, have chosen to be providers rather than consumers. That means that if a user creates an OpenID on PIP, they can’t use OpenID to log in to Google or Yahoo.

Some consumer sites like Facebook have chosen to implement it in strange ways. For Facebook, you need to go into your profile and link your OpenID with Facebook. Facebook then uses browser cookies to log in a user when they go to the Facebook login page. Different browsers behave differently with their cookies, resulting in people who can never get OpenID working with Facebook. Because of the many issues around OpenID, PIP added one-click sign-on.

One Click Sign-on

Symantec’s one-click sign-in is a free cloud-based password manager service. Symantec is marketing this as a bridge for sites without OpenID support. It is a very basic password management service. An extra password is required to use and access one-click. This password is not stored anywhere. If you lose the password, Symantec will not be able to recover your one-click information. Some of its limitations are:

  1. It only stores username, password and one large notes field per site. Many other password managers allow complex databases to store much more about sites than just password data.

  2. It only allows one credential per site, and you cannot add a site more than once. For users who have multiple accounts at a site, this will limit functionality.

Your own Customizable PIP Page

The page used for OpenID is also available for anyone to see. This doesn’t mean anyone can see your usernames and passwords. Symantec lets you add links to your websites and social networks so others can find you from this page. Symantec states that the page will be indexed by popular search engines, so if you have a struggling website, a link from verisignlabs.com may or may not help your search engine ranking.

Online File Vault

Symantec is including a free secure file vault for your sensitive documents. The offering allows users 2 gigabytes of space. The only limitation on the vault is that you must configure your PIP account with a Verisign VIP credential in order to use it, which is a very good thing to do.

VIP Credentials

VIP Credentials enable multi-factor authentication. This is the most secure way to log in. If an attacker gains access to your VIP account username and password (for example, through a successful phishing attack), they still will not be able to log in without the device. Symantec offers three varieties of multi-factor authentication: Browser Certificates, Phone Apps, and keychain token / FOB. A fourth option for IronKey USB devices is not promoted on the PIP site, but is promoted by IronKey.

  1. Browser Certificates - According to Symantec, a browser certificate is a unique digital ID that VeriSign installs in your browser or user certificate store. PIP uses Browser Certificates to limit access to your account to only the computers and browsers you authorize. This greatly reduces the risk of a compromised account. Browser certificates are free and require no special hardware on your machine. They are only supported on Firefox, Internet Explorer, and Safari. These are not as secure as a hardware token, since anyone who gains physical access to your computer and browser may still impersonate you.

  2. Phone Apps – Phone apps are a form of multi-factor authentication that runs on your phone or PDA. VIP supports Android, BlackBerry, iPhone, iPad, iPod Touch, Windows Mobile, and other phones. According to Symantec, “VIP Access for Mobile now supports more than 90 popular mobile phone models including all the popular BlackBerry models as well as the Motorola, Nokia and Sony Ericsson”.

    We tested this using a plain old Verizon BREW-enabled clamshell phone. To find the software, we had to use the phone’s browser and go to m.verisign.com. It then instructed us to use the phone’s search for software feature to search for “VIP Access”. We found the application, and were able to download and install it with just a few button presses on the phone. We then added the VIP Access application to a shortcut key. The application works great. Running it displays the number just as the tokens do.

  3. The process for using a keychain token / FOB is identical to the phone, except instead of a phone you order a little device with a small LED display. Hardware tokens range from $30.00 for a keychain FOB to $48.00 for a wallet card.

    The process for using an IronKey requires plugging the device into the computer, logging into the IronKey, then running the VIP application on the IronKey. The device must be registered the same as any other device.


Copyright © 2011, Sustainable Alternatives, LLC | Ligonier, PA 15658 | 724-238-9560 | All Rights Reserved.
