The Safer, Faster Surfing With OpenDNS post sparked discussion about phishing as well as other techniques utilized for the purposes of identity theft. Therefore, I thought I might post about a new, free OpenID service offered by VeriSign Labs that can be combined with a special Identity Protection Keychain Token or SanDisk Cruzer U3 flash drive in order to achieve two-factor authentication when logging into OpenID enabled websites.

What is PIP?

Personal Identity Provider allows you to manage your personal information online by providing a single sign on to multiple websites. PIP also provides the flexibility to share only the information you choose with each website. When you create a PIP account, you will receive a personal identifier in the form of a URL that you can use to sign in or register at any site that supports OpenID.

Manage your online identities with PIP

Use PIP to protect your information and share it with sites you trust. You can set PIP to track what sites you have shared your information with and for how long. You can choose to stop sharing information with a site you no longer trust. I use my VeriSign PIP identity with Plaxo to maintain continuous contacts and calendar synchronization across my personal Google Gmail, Yahoo! and Windows LiveMail accounts.

How to use PIP

Click the OpenID button to the right to sign up for and create a PIP Account. You will receive a personal URL that you can use on sites that show the OpenID logo. From the same browser you used to sign into PIP, visit one of the many sites that support OpenID and type or paste your URL into the Sign in area. Using your PIP URL makes it easy to register for a new account, or sign in to your existing accounts. If the site you are registering for requests information, you can choose which information you would like to share or keep private.

Integrate VerSign’s PIP into Firefox with The SeatBelt Extension

SeatBelt is a Firefox plug-in that assists you when signing in to OpenID sites with your PIP URL. Typically, if you are not signed into your PIP account when you access a sign in page using OpenID, you need to access your PIP account and sign in. Since you must do this within the same browser window, you have to navigate away from the page you wish to sign in to. SeatBelt detects that you have clicked on an OpenID sign in field while not signed into your PIP account and prompts you to sign in. Once you have signed in, SeatBelt automatically returns you to the OpenID sign in page with your PIP URL filled in. The sign in session continues as normal.
NOTE: I have discovered issues between the Seatbelt Extension and scripts on certain websites, this WordPress blog being a prime example. I have reported the issue to VerSign and recommend waiting on installing this extension until it is out of beta.

Adding two-factor authentication to OpenID

A VIP keychain token is an online security credential that you can use to identify yourself securely to participating online banks and merchant sites. A VIP credential protects your accounts and your identity by requiring a higher level of security when you conduct transactions online. To use a VIP credential, press the button on the keychain token to generate a security code that is unique to your credential. Then, sign in to participating online bank and merchant sites with your username, password, and the unique security code.

To obtain a VeriSign Identity Protection Keychain Token after obtaining your PIP credentials, click HERE. The token is currently $30 US plus a $6 S&H fee.

An alternative to the $36 VeriSign token is the $5 PayPal Security Key. This key can function with both your PayPal and eBay accounts as well as your VeriSign Personal Identity Provider ID. This is the device I use and recommend for anyone interested in adding two-factor authentication to their security practices..

A third option is to use a U3 flash drive. VeriSign has teamed up with SanDisk to enable your SanDisk U3 smart drive to work as an online security credential. You can use the VIP credential embedded on your SanDisk U3 smart drive to identify yourself securely to participating online bank and merchant sites. See the ‘VeriSign Identity Protection for SanDisk U3 Smart Drives’ page for complete information and usage instructions.

UPDATE: I have been playing catch-up with my podcast listening of late due to a more hectic than normal schedule. I just finished listening to Steve Gibson’s Security Now Podcast #107 where he reviews Verisign Labs’ Personal Identity Provider in detail. Please download and listen to his podcast as a supplement to this post. Also, the Solo Technology blog posted two articles relating their personal experiences with both OpenID and the security tokens. These articles are HERE and HERE.

I was made aware of an excellent on-line service for testing the effectiveness of your firewall courtesy of Steve Gibson’s very informative Security Now! podcast (Episode 105). The name of the site is Firewall Leak Tester. The site’s developers describe the service thusly:

“This website, on one hand, enables you to test your software personal firewall thanks to different test programs (‘leaktests’), and on the other hand, shows a global vulnerabilities view of the most common personal firewalls in a summary page. Firewall Leak Tester provides also documentation and advice to improve your security dramatically.”

Nineteen (19!) tests are linked from this master resource. This is definitely a recommended service for the IT professional double checking their corporate firewall setup, computer enthusiast learning about how easily computer systems can be penetrated, or home PC users concerned about their privacy and security.