Because I have a laptop, I consider it more vulnerable to theft. I have set the Identity Safe settings to require a password after 15 minutes of inactivity.
The first design flaw is this: If I close the lid and suspend the system, then waken it a day later and start using it, the inactivity clock only counts the minutes that the machine is not suspended. In other words, Identity Safe does not require a password under those conditions.
So there I am using the computer, I close the lid, go to bed, wake up, leave the house, the house is broken into, the computer stolen, the lid opened, and ... voila, Identity Safe does not require a password!
Okay, guys, hold your horses. Yes, I know I can require a password for waking from suspension, and I do. But the point is, my password for Identity Safe is different and I want the double layer of security - after all, someone could conceivably get into my credit card accounts. I take this very seriously. Another point is the general home user might rely on the security he or she expects from Identity Safe. They will believe that 15 minutes of inactivity means 15 realtime minutes, not on-time real minutes.
The second design flaw is worse. Even though it requires your password to change your password even if you are in the 15-minute window (good idea), it does not require your password to change your Password Security Options. This means that someone in the above scenario could open the console, go to the Identity Safe Password Security Options and tell it to ... NEVER ASK FOR A PASSWORD! And they won't be required to give a password to do this! Thereby getting around the entire password problem.
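The two behaviours described in the post, modelled as an added example that is not part of the original post and is not Norton's code: an idle timeout measured against a clock that pauses during suspend versus one that keeps running, and a settings change that re-checks the password even while the vault is unlocked. `FakeClock`, `Vault` and all values are hypothetical names and constructed data.

```python
import hashlib
import hmac
import os

class FakeClock:
    """Constructed clock: wall time always advances, uptime pauses in suspend."""
    def __init__(self):
        self.wall = self.uptime = 0.0
    def run(self, seconds):        # machine awake and in use
        self.wall += seconds
        self.uptime += seconds
    def suspend(self, seconds):    # lid closed
        self.wall += seconds

class Vault:
    """Hypothetical password vault with an inactivity lock."""
    def __init__(self, password, timeout_s, now):
        self._salt = os.urandom(16)
        self._hash = self._derive(password)
        self.timeout_s, self._now = timeout_s, now
        self._last_activity = None             # None means locked

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _check(self, password):
        return hmac.compare_digest(self._derive(password), self._hash)

    def unlock(self, password):
        if self._check(password):
            self._last_activity = self._now()
        return self._last_activity is not None

    def is_unlocked(self):
        if self._last_activity is not None and \
                self._now() - self._last_activity >= self.timeout_s:
            self._last_activity = None         # idle too long: lock again
        return self._last_activity is not None

    def set_timeout(self, new_timeout_s, password):
        # Security options are re-authenticated even inside the unlocked window.
        if not self._check(password):
            return False
        self.timeout_s = new_timeout_s
        return True

def unlocked_after_overnight_suspend(clock_attr):
    """5 min of use, 8 h suspended, 1 min after wake; 15 min timeout."""
    clock = FakeClock()
    vault = Vault("constructed-pw", 15 * 60, lambda: getattr(clock, clock_attr))
    vault.unlock("constructed-pw")
    clock.run(5 * 60); clock.suspend(8 * 3600); clock.run(60)
    return vault.is_unlocked()
```

With the `uptime` clock only six minutes appear to have passed after the overnight suspend, so the vault stays open; with the `wall` clock it locks.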