
In the doghouse: iamidentity.com imdentity.com

I've been tinkering lately with the mypw.com service, which offers a SecurID-like service that's exposed as a webservice. Pretty nifty. I guess I was going to miss the two-factor SecurID I have working at PARC, or something. More on that once I've got something fun working.

However, looking for other places to test things out, I noticed they have a partner, iamdentity. These people win my first DogHouse award (in the style of Bruce Schneier). When you get to their website, it's not 100% clear what service they even offer. How does a service which keeps an additional copy of your personal information safeguard it, exactly? I suppose single sign-on is useful, but....

So, I click on the "New Client? Click to apply for an iamdentity account" link, which takes me to a scary questionnaire to "assess my risk". It's riddled with typos and questions you can't really answer correctly.... After scary questions like "Have you ever been successful in ensuring all your personal data has been deleted after canceling a subscription?", and "How often do you familiarise yourself with a sites data protection and online security policy?", you get to click a button and get an answer. I'm pretty sure the best result you can get is:

Although you do spare a thought for personal information security, you are not doing enough and risk becoming the victim of an opportunistic fraudster.

You have taken some precausions to prevent your identity being stolen, but not all the holes are covered yet.

Of course, you're still offered the chance to apply for an account. In the following form, oddly, they ask you for a ton of personal information. Hrm, how are they protecting me, exactly? This form loads from a different domain than iamidentity, some mysterious "ssl-01.com". You want me to trust my privacy to a company that's too cheap to even follow standard practices and register their own SSL cert? And I'm never once given control of the encryption key that stores my data (if, in fact, there even is encryption against my stored data, which I highly doubt).

Once done with the form, you get e-mailed a confirmation link, which includes your initial password. When you log in, they e-mail you again, this time with the session PIN. Apparently, they'll do this each time you sign up. I'm unconvinced how much this helps security, but it certainly does slow down the process, increasing the chance someone's going to ditch their service entirely.

Once logged in, you can see that they're trying to integrate with a small list of probably e-commerce sites. I guess they do do something, after all. No one on the list I've heard of, so, no reason for the account, and the MyPW integration only comes if you pay MyPW $20/year for service on their token. Unfortunately, when I clicked on the "cancel account" link it leads to an error message implying I'll have to contact support to cancel my account (but with no link, error number, or other details). Huh, wasn't one of their questions "Have you ever been successful in ensuring all your personal data has been deleted after cancelling a subscription?" Sure gonna' be tricky this time. The initial e-mail links to a web page for support, but, when I go there, it says I have to e-mail support@iamidentity.comsupport@iamdentity.com for anything other than password or initial signup concerns. So, I do... leaving an ironic comment in the e-mail at the absurdity of this process from a company supposedly providing a user-information-management solution.

... and nothing happened. I made the request to cancel my account nearly 2 weeks ago, and yet, my account still exists. No response to my e-mail was received.

Stay far far away from these snake oil salesmen.

Update: Sheesh. One of my other problems with this site is that, at least for me, it's cognitively difficult to spell their domain. I, for some reason, easily type iamidentity, when it's just plain imdentity. They could have at least registered the common typo domain and redirected. sigh
