
Intel pushes password-pumping mojo

Partners with Symantec, Vasco to stamp out 'terror'


Intel has teamed up with security firms Symantec and Vasco to create a hardware-based one-time-password system to boost protection against phishers, fraudsters, and identity thieves.

"The notion of username and password as security is ridiculous," Intel's Identity Protection Technology (IPT) marketeer Jennifer Gilburg told The Reg at a briefing on Wednesday in San Francisco.

Gilburg is not alone in her disdain for simple username/password-based security methods. For years, stronger one-time password (OTP) schemes have been used by enterprise admins to provide a second level of login security for VPN, SaaS, and other services.

The problem with OTPs, not to put too fine a point on it, is that they can be a royal pain in the butt. For example, time-based OTP systems require a client user to carry an OTP-generating fob, USB key, or a phone with an OTP app or text-messaging capability, each time-synchronized with the enterprise server. The fob or whatever generates an OTP string – usually a numeric code – at the same instant that the enterprise server expects it, the user enters that code into a login screen, and the connection is made.

That inconvenience hasn't stopped the adoption of OTP tech, however. "eBay and PayPal have been live with this for several years," Gilburg says, "and they have several hundreds of thousands of users who have opted-in." Those users, however, have obtained their OTPs with a fob; Intel's improvement on this scheme is to build the OTP-generating capability into its 2nd Generation Core (née Sandy Bridge) processors, which it unveiled last month at the Consumer Electronics Show.

"We've taken the notion of a one-time password that generates a dynamic code every 30 seconds and we've embedded it into the chipset," Gilburg says, "into the [manageability engine] of the 2nd Generation Intel Core and Core vPro. This is brand new technology; Intel is the first to do this."

That manageability engine (ME), by the way, is on the same silicon as the Core processors' compute and graphics cores. And unlike Intel's vPro client-management technology, IPT is common to all three levels of the 2nd Generation processors: the Core i3, i5, and i7; vPro skips the i3.

Intel's IPT generates the OTP, but it's up to software provided by Symantec and Vasco to take advantage of that capability. (Both companies have issued statements hailing their cooperation with Intel on this OTP tech: Symantec's is here and Vasco's is here.)

And there are three more parties that need to play before the IPT/OTP party gets into full swing: hardware OEMs, enterprises, and consumer websites.

The first, OEMs, must include the appropriate enabling firmware in their PCs. Intel is not saying quite yet who the first of those OEMs will be, but you can check in on their Protected PCs web page beginning on March 11 to find a list.

Gilburg thinks the number of participating OEMs will snowball. "This year we're expecting a small subset of the machines hitting the market to have it. Next year it'll be a little more widely available. A year after that I think it'll become more widely pervasive."

However, even if you buy a non-IPT-enabled PC before that snowball gets rolling, a simple firmware update can enable the IPT/OTP feature retroactively, should your PC vendor be so inclined.

The second and third groups of partygoers – enterprises and consumer websites – are already growing. In addition to Gilburg's examples of eBay and PayPal, Intel's Protected Sites web page lists 145 other sites protected by Symantec's OTP tech, VeriSign Identity Protection (VIP) Authentication Service, which was part of Symantec's $1.3bn acquisition of VeriSign's identity and authentication business last May.

Once all those elements are in place – as Gilburg demoed to us – logging into an OTP-protected system is a simple matter of a one-time account setup – opt-in, of course – that provides the PC with a unique ID. After that setup, the Intel IPT technology in the PC's 2nd-gen Core processor negotiates with Symantec or Vasco software at the target website to work its OTP-security mojo.

"So think: 'username/password bad, adding dynamic code good'," Gilburg instructed us.

To Gilburg, the need for building a dynamic-code OTP system into consumer PCs is obvious. "There's over 56,000 new phishing sites that go up every month," she says. "And why do they go up? Because they're successful."

The rise of social networking is giving nogoodniks more opportunities to wreak havoc at the consumer level, Gilburg says. "It used to be just financial accounts, and people didn't care so much because the liability, in the US, is on the bank. So, yes, you feel violated; yes, it's horrible; but at the end of the day they're going to put that money back. But now, you take over my Facebook account and you send viruses to my thousand closest friends, and then it's your reputation that's damaged, and boy, that hurts a lot."

On the enterprise side, Gilburg cited a recent report by Forrester Research – "sponsored by Symantec," she freely offered – that detailed username/password breaches. "Fifty per cent of the three thousand or so companies that they surveyed had admitted to breaches," she said, adding: "The key word there is 'admitted' – probably another 45 per cent actually had them."

She also recounted a breach at Twitter's HQ: "About a year ago, Twitter was using Google Apps for all of their corporate application servers, etcetera, and someone hacked the admin account and exposed all of Twitter's financials and business plans. What are they going to do, change their business plans?"

Eventually, Gilburg believes, users will come to expect expanded security. "What we're hoping to create on the consumer side is a notion where users are looking for this protection, and if a site doesn't have it, they might think, 'Well, you know what, I'm going to avoid that site, because my security isn't being taken seriously'."

After all, Gilburg says, "Identity theft terrifies people." And if Intel, Symantec, Vasco, and others can allay some of that terror while making a tidy profit from doing so, well, isn't that the American Way? ®
