Passwords can be phished, and carrying an extra key fob security device for accessing sensitive sites can be inconvenient. So Intel is putting authentication technology into its chips that will allow Web sites to verify that it’s your PC logging into your online account and not an imposter or thief.
Intel Identity Protection Technology is being added to the chipsets of some Core and Core vPro processor-based PCs from HP, Lenovo, Sony and others that began shipping to consumers this summer, according to Jennifer Gilburg, marketing director for the authentication technology unit.
This is two-factor authentication, which adds an extra layer of security so that even if your password gets stolen, whoever knows your secret code can’t get into your account without offering more identification or proof of account ownership. In two-factor systems, the first part of the equation is what you know–password and username. The second factor is what you have–usually a hardware token, but in this case it’s a token that’s embedded in the chip.
“My three brothers have had e-mail accounts hijacked. My younger brother gets his Facebook account hijacked like once a month,” she said in a recent interview with CNET. “This is a friction-less log in that can’t be hijacked or phished or compromised.”
Here’s how it works. When you visit a Web site that offers this two-factor authentication service, you will be asked if you want to use the Identity Protection Technology. If you opt in, you log in with your username and password, and a unique number is assigned to that PC so the site will know it is associated with your account. Thereafter, when you visit that site and type in your username and password, an algorithm running on the chipset’s embedded processor generates a six-digit code that changes every 30 seconds, and the site then validates that code.
“It’s seamless to the user after set up,” Gilburg said.
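The enrollment and login flow described above, sketched as an added example that is not Intel's or Symantec's code. The article does not name the algorithm, so this assumes an RFC 6238-style time-based one-time password (HMAC-SHA1); the `Site` class, its methods and the `drift` parameter are hypothetical names.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30    # seconds per code, as the article describes
DIGITS = 6   # six-digit code, as the article describes


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 code for the 30-second window containing `now` (assumed algorithm)."""
    counter = struct.pack(">Q", int(now // STEP))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Site:
    """Hypothetical site-side store: account -> [credential id, secret, last used window]."""

    def __init__(self):
        self.enrolled = {}

    def enroll(self, account: str):
        # Opt-in step: bind a unique credential id and a shared secret to this PC.
        cred_id, secret = secrets.token_hex(8), secrets.token_bytes(20)
        self.enrolled[account] = [cred_id, secret, -1]
        return cred_id, secret

    def revoke(self, account: str):
        # Revocation is a record deletion; reprovisioning is a new enroll().
        self.enrolled.pop(account, None)

    def verify(self, account, cred_id, code, now, drift=1) -> bool:
        rec = self.enrolled.get(account)
        if rec is None or not hmac.compare_digest(rec[0].encode(), cred_id.encode()):
            return False
        current = int(now // STEP)
        for window in range(current - drift, current + drift + 1):
            if window <= rec[2]:
                continue  # this window or an earlier one was already used: replay
            expected = totp(rec[1], window * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                rec[2] = window  # remember it so the same code cannot be reused
                return True
        return False
```

The password check still happens first; `verify` covers only the second factor, and `drift` tolerates clock skew of one window either side.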
The Web site needs to be using technology that works with the Intel chip to enable this two-factor authentication. For example, VeriSign sites use Symantec’s VIP (Validation and Identity Protection) Service technology on their end to communicate with Intel’s chip-level technology on the customer’s computer. Symantec acquired VeriSign’s authentication services unit last year.
Some sites will be rolling the service out over the next few months and they will be using a Javacode-based software, according to Gilburg. She couldn’t say how many sites are now offering the authentication support, but according to a list on Intel’s site they include eBay and PayPal.
“They need to get Amazon, Google, whoever does authentication (on sites) and sells you stuff” on board, said Jack Gold, founder of tech analyst firm J. Gold Associates.
The technology could also be used for activities like downloading songs, he said, adding “It’s basically a way of protecting the user and telling the site at the other end that this really is the legitimate user.”
If you want to use the authentication but you aren’t at your regular computer, some Web sites offer an SMS option in which a code can be sent to a customer’s phone.
The new Intel technology comes at a good time, with stolen passwords and hijacked accounts becoming commonplace and traditional hardware token-based systems running into problems. Earlier this year, there was a serious hacker break-in at RSA that prompted some corporations, government agencies and other organizations to replace their SecurID tokens.
“The RSA breach showed the vulnerability of hardware tokens from a disaster recovery perspective,” Gilburg said. “It took months to remanufacture, reseed (pair codes with tokens and accounts) and reship out the tokens. Here you can revoke and reprovision in minutes.”
The Intel solution is a good one for now, said Charlie Miller, principal research consultant at security firm Accuvant.
“It seems like a pretty natural migration as many security related things are moving from software to hardware to protect them from prying eyes,” he said. “As for drawbacks, there might be a privacy issue, but it’s hard to think how it would be significantly worse than tying a computer to a website via cookies and other current software mechanisms.”