ByNeil J. Rubenking
When government entities need to keep information really, really secure, they keep it on computers that have no connection to the Internet.
This air gap technique can be extremely effective (as long as nobody sticks a random USB drive into the protected computer).
Authentic8 Silo puts a similar security gap between your computer and the websites you visit, and also functions as an effective multi-device password manager.
I’ll be focusing on Silo for Individuals, which costs $10 per month.
Silo for Teams, aimed at businesses and enterprises, doesn’t have a fixed price.
As with many enterprise-level products, you contact the company and negotiate a price based on your needs, the number of users, and so on.
How It WorksSilo looks like a browser, quacks like a browser, and acts like a browser, but it isn’t one—not really.
All of the actual Web browsing takes place on Authentic8’s servers. Your local Silo client establishes an encrypted connection to those servers. When you click a link or enter a website address, the local client passes along your request to the server.
The server communicates with the websites and transmits an already-rendered Web page back to the client. What you see in Silo is like a picture of the page; you’re not directly connected.
If you have any doubt as to whether all browsing really, truly takes place on Authentic8’s servers, just load up your favorite speed test website in Silo.
Speedtest.net (owned by PCMag’s parent company Ziff-Davis) reported about 50Mbps download speed in Chrome, which is about the best my office connection ever gets. When I ran the same test in Silo, it reported an off-the-charts 940Mbps!
Using Silo is similar in some ways to using a VPN service. Your Internet traffic is encrypted between you and the VPN server and, as with Silo, your visible IP address is that of the server.
Authentic8 has servers in 18 locations around the world, and the administrator for a business installation can choose which endpoint’s IP address to use.
As an individual user you don’t get to choose, but your actual IP address is still hidden.
Note, though, that when you’re connected through a VPN, your local browser is still doing all the processing of incoming traffic, and is thus still subject to attack by malicious websites. When you’re running Silo, malvertising, drive-by downloads, and other Web-based attacks just can’t reach you.
Note that this is a different approach from local hardened browsers like Epic Privacy Browser or the Safe Pay browser in Bitdefender Antivirus Plus 2016.
These products work hard to isolate the browser from other local processes.
Silo doesn’t have to do that, as the actual browsing takes place elsewhere.
Silo leaves no local traces of your browsing activity.
And because your account information lives on the server, you can access your account from any device. Well, almost any.
Silo supports Windows, Mac, Ubuntu, and iOS (iPad only).
Getting Started With SiloYour first step is to sign up for a free 30-day trial.
There’s no requirement for a credit card number; it’s really free.
After you sign up, the site recommends installing the local client specific to your operating system.
Getting the client downloaded and installed took me just a couple of minutes.
There are a few more initial steps. You must define a PIN of at least four digits, to protect your account. You can also choose to require phone-based two-factor authentication every time you log in, or just when you log in from a previously unknown device (the latter is recommended). You can also choose to receive your two-factor code via phone call or text.
That’s it; you’re ready to roll.
Password ManagementWhen you first launch Silo, it encourages you to create shortcuts for your online accounts in six categories: Finance, Shopping, Travel, Insurance, Health, and Other.
Clicking one of the categories opens a list of websites matching that category. You simply click a site, enter your username and password, and save the result. When you click the icon that appears in Silo’s left-side dock, it navigates to the site and logs you in.
Silo’s list includes over 1,600 known sites.
The presence of a site on the list means that Authentic8’s engineers have either verified that it uses a standard login technique or captured details that allow Silo to handle its nonstandard login.
In many cases, you’ll be asked for details very specific to the site.
For example, when you add Virgin America it asks for your email or frequent flyer number.
A similar feature in LogMeOnce Password Management Suite Ultimate covers more than 4,000 sites.
You don’t have to pick from the list if you don’t want to.
As with Dashlane 4, LastPass 4.0, and most other password managers, you can just log in as usual and allow Silo to capture your credentials.
If the site you’ve chosen has a nonstandard login and is not on Silo’s list, it may not be captured correctly.
Some products, among them Sticky Password Premium and RoboForm Everywhere 7, have the ability to capture all data fields from an oddball login page.
Silo doesn’t, but there’s a button to report login trouble and, if you’re lucky, get the site added to Silo’s list.
You can roll up the left-side dock to get it out of the way, or expand it into a larger panel that shows all of your saved logins.
Clicking an icon launches and logs in to the website.
If you want to make changes, you must click the gear icon to put the dock in editing mode first.
That threw me off at first; I tried to right-click for editing and wound up launching the site instead. You can pin your most-used icons to the dock, so they’ll appear even when it’s squeezed down to one column.
Silo does handle password-change events. However, in testing I wound up creating a new saved login rather than updating the old one.
Specifically, I had entered an old password for Gmail, so it was rejected. When I submitted the new password, Silo presented a list of Google-related logins for me to select.
Choosing Gmail got me a new login.
It seemed a little awkward, but this isn’t something that should happen often.
As noted, Silo is much more than just a password manager.
It’s a whole secure browsing environment.
That being the case, it’s not too surprising that the password manager component omits some of the bells and whistles found in dedicated password utilities.
Silo doesn’t attempt to import or export passwords, or to fill Web forms with personal information.
It doesn’t include a password generator, secure sharing, or an actionable password strength report.
If you really need these features and don’t care about secure browsing, this may not be the right product for you.
Dealing With DownloadsWhen you’re surfing the Web, your browser is constantly downloading pages of HTML code, images, and so on.
As noted, all of these cached files reside on the server.
But when you actively choose to download a picture, video, or other file, that’s a different story.
With most browsers, clicking on a downloadable file simple captures it to your Downloads folder.
Silo instead brings up a window called Storage Manager. You can choose to save the file on your 5GB Temporary Drive, in which case it vanishes when you shut down Silo. Or you can download directly to your computer.
From the Storage Manager you can also move files between the computer and the Temporary Drive.
A couple of other storage options are only available to users of Silo for Teams. My Drive is a personal cloud drive that you can access from any device when you’re logged in to Silo. You might also have access to one or more cloud drives shared by your team.
Security SpecialtiesI mentioned that during the setup process you must create a PIN to unlock Silo itself.
The pin can be from four to eight digits long; I strongly recommend using the full eight digits.
Now, an eight-character password composed all of digits would be pretty terrible protection for your secure browser.
A hacker could brute-force that kind of password in no time.
Could, that is, if authentication were a simple matter of submitting the password for verification.
Silo’s authentication routine is unique. You never enter the PIN itself. Rather, you look at the on-screen PIN pad and type the letter displayed above each digit.
After each digit, you get a new random collection of letters. On an iPad, it’s a tad different—you tap out your PIN code in digits, but the numbers shuffle position after each tap.
In either case, there’s no fast way for a hacker to try all combinations, and no way for a shoulder-surfer to memorize your PIN.
I times the login process and found I could connect to the server and log in with a four-digit PIN in about 20 seconds.
At that rate, a very patient hacker could run a manual brute-force attack, trying all 10,000 possible four-digit PINs in less than six hours.
Except that Silo won’t allow it.
After three wrong attempts, the Silo login shuts down, requiring a new connection to the server.
After three such shutdowns, it locks your account.
At that point, in the unlikely event that you somehow locked yourself out, you have to contact tech support and prove that you really are you.
But what about the other face of security, protecting your own data? It’s all very well to say that your browsing traces are encrypted on Authentic8’s servers, but what’s to stop the company itself from data-mining your details, or selling them? I asked Authentic8 CEO Scott Petry for his thoughts.
Petry explained that an administrator for the business edition could supply a proprietary encryption key.
That way even if hit with a subpoena, Authentic8 couldn’t decrypt the data.
Individual users don’t have the option of using a proprietary key, but the company’s policy firmly forbids any access to customer activity logs without permission.
Even with customer permission, it takes two employees to enable access.
In any case, as Petry pointed out, if you used an ordinary browser your ISP would have access to all of the same information.
Silo for BusinessAs noted, I’m not attempting to review the business-oriented Silo for Teams, but I’ll briefly report on some of its amazing capabilities.
The key here is that all browsing through Silo actually takes place on Authentic8’s servers.
That means an administrator has unbreakable control over exactly how the product is used.
To eliminate all possibility of users picking up malware on the Internet, the admin can disable downloading to the local computer. Users can still download a personal file to the Temporary Drive, and even upload an edited version from that drive.
But nothing reaches the local machine. Worried about users copy/pasting sensitive corporate information into personal email? No problem; the administrator can disable use of the clipboard.
To avoid the possibility of inappropriate Internet use on the job, an admin can impose Web filtering restrictions.
The admin can also impose policies such as when two-factor authentication is required, and even impose fine-grained control like permitting downloads but forbidding uploads.
It gets wilder! A security researcher using Silo can thoroughly mask more than just the IP address.
The Silo browser can present language and time zone characteristics to match the spoofed location.
By manipulating the user agent string reported by the browser, the researcher can give the appearance of connecting from a specific browser or device type. Want to tell the world you’re connecting from an iPad running Chrome? No problem!
At the RSA Conference earlier this year, CEO Petry showed me how the company uses Silo for its own outsourced payroll and HR systems. Workers can click a half-dozen icons to open the company’s secure websites, but they can’t see or change the login credentials.
They can’t surf to any other websites.
Silo gives them everything they need to do the job, and not an ounce more.
As you can see, there are many possibilities for Silo in business.
Much More Than PasswordsAt $10 per month, Authentic8 Silo is probably too expensive to use merely as your personal password manager.
But if you also want to browse without risking malware attack, surf without giving away your IP address, and protect your passwords with crazy-tough authentication, it may be just the thing you need.
If you don’t want or need that added security, if what you’re really looking for is just password management software, our Editors’ Choices are LastPass 4, Dashlane 4, and Sticky Password Premium.