You could break IBM's Smart Card Security Kit in half with two fingers, and yet it's stronger than a padlock at protecting data on a laptop computer.

The kit combines a password and 128-bit encryption with a credit-card-size token that slides into a reader device to unlock your computer. The pledge is that no thief--not even an authorized user--can boot up the machine or get to data on the hard drive unless all the kit components are present and in working order.

Installation was harder than I expected. I needed seven formatted floppy disks for the job, an unusual and rather annoying requirement, and had to tweak the software to work correctly with my system. Once I had resolved these minor hassles, however, the kit worked like a charm.

You turn on the computer and it boots to a point just before you get to Microsoft Windows. A screen prompts you to insert the security token. The reader, which fits into a PCMCIA slot on your laptop, verifies that the card is the right one for the system.

The card, by the way, must stay in the slot as long as the computer is used; access cuts off if it's removed.

Next you are prompted for a personal identification number of four, six or eight digits. The default is four, probably long enough to thwart all but a quite persistent--or lucky--thief.

If an incorrect PIN is entered seven times in a row, the reader permanently disables the card on the next try. International Business Machines Corp.'s user license specifically notes that cards disabled in this manner are not replaceable under warranty. Anyone who tends to forget PINs needs to be wary of making too many tries.

A thief who does not know about the warranty is going to be surprised to find no way to crack the laptop even with the right card in hand.

Still, a skilled hacker could theoretically get around the password and token security but would then run smack into the secondary security wall: Confidential files are locked with 128-bit encryption. To my knowledge, no one has so far managed to break 128-bit encryption.

The trouble with rock-solid security is that people often lock themselves out by accident. So, in an effort to support forgetful users, IBM has created a back door to the entire security system. If you lose the card or it's stolen, but you still have the computer, there is a way out.

The initial software installation creates an emergency disk that can bypass the safeguards. IBM recommends leaving this floppy with the systems administrator, far removed from the laptop. Of course, this opens a security hole that conceivably could be exploited by a skilled hacker.

In case of card loss, you can also order a new card from IBM, and the company promises overnight service.

A final, cosmetic security component comes in the form of a luggage tag for the laptop carrying case. The tag reads "Smart card protected" in red letters. To me, it merely calls attention to something special about the computer. A thief might be disappointed once he steals the computer, but I doubt the tag would stop him.

For $199 you're unlikely to find a more secure system for a laptop. The kit might not keep a thief from grabbing it, but it will keep him from fencing it, and no one will likely be able to look at the data.

Armed with this kit and some common sense, you'll have less to worry about when traveling.

To respond, send e-mail to editor@gcn.com or visit the Government Computer News Web site at www.gcn.com.

Smart Card Security Kit

Telephone: 1-800-772-2227

Web address: www.ibm.com.

Price: $199

Pros:

+ Compact token security system

+ File encryption for extra security

Cons:

- Complex installation

Grade: A

Real-life requirements:

Windows 95 or 98, free Type II PC card slot, multiple floppy disks