
Intel pushes password-pumping mojo

Partners with Symantec, Vasco to stamp out 'terror'


Intel has teamed up with security firms Symantec and Vasco to create a hardware-based one-time-password system to boost protection against phishers, fraudsters, and identity thieves.

"The notion of username and password as security is ridiculous," Intel's Identity Protection Technology (IPT) marketeer Jennifer Gilburg told The Reg at a briefing on Wednesday in San Francisco.

Gilburg is not alone in her disdain for simple username/password-based security methods. For years, stronger one-time password (OTP) schemes have been used by enterprise admins to provide a second level of login security for VPN, SaaS, and other services.

The problem with OTPs, not to put too fine a point on it, is that they can be a royal pain in the butt. For example, time-based OTP systems require a client user to carry an OTP-generating fob, USB key, or a phone with an OTP app or text-messaging capability, each time-synchronized with the enterprise server. The fob or whatever generates an OTP string – usually a numeric code – at the same instant that the enterprise server expects it, the user enters that code into a login screen, and the connection is made.

That inconvenience hasn't stopped the adoption of OTP tech, however. "eBay and PayPal have been live with this for several years," Gilburg says, "and they have several hundreds of thousands of users who have opted-in." Those users, however, have obtained their OTPs with a fob; Intel's improvement on this scheme is to build the OTP-generating capability into its 2nd Generation Core (née Sandy Bridge) processors, which it unveiled last month at the Consumer Electronics Show.

"We've taken the notion of a one-time password that generates a dynamic code every 30 seconds and we've embedded it into the chipset," Gilburg says, "into the [manageability engine] of the 2nd Generation Intel Core and Core vPro. This is brand new technology; Intel is the first to do this."

That manageability engine (ME), by the way, is on the same silicon as the Core processors' compute and graphics cores. And unlike Intel's vPro client-management technology, IPT is common to all three levels of the 2nd Generation processors: the Core i3, i5, and i7; vPro skips the i3.

Intel's IPT generates the OTP, but it's up to software provided by Symantec and Vasco to take advantage of that capability. (Both companies have issued statements hailing their cooperation with Intel on this OTP tech, Symantec's is here and Vasco's is here.)

And there are three more parties that need to play before the IPT/OTP party gets into full swing: hardware OEMs, enterprises, and consumer websites.

The first, OEMs, must include the appropriate enabling firmware in their PCs. Intel is not saying quite yet who the first of those OEMs will be, but you can check in on their Protected PCs web page beginning on March 11 to find a list.

Gilburg thinks the number of participating OEMs will snowball. "This year we're expecting a small subset of the machines hitting the market to have it. Next year it'll be a little more widely available. A year after that I think it'll become more widely pervasive."

However, even if you buy a non-IPT-enabled PC before that snowball gets rolling, a simple firmware update can enable the IPT/OTP feature retroactively, should your PC vendor be so inclined.

The second and third groups of partygoers – enterprises and consumer websites – are already growing. In addition to Gilburg's examples of eBay and PayPal, Intel's Protected Sites web page lists 145 other sites protected by Symantec's OTP tech, VeriSign Identity Protection (VIP) Authentication Service, which was part of Symantec's $1.3bn acquisition of VeriSign's identity and authentication business last May.

Once all those elements are in place – as Gilburg demoed to us – logging into an OTP-protected system is a simple matter of a one-time account setup – opt-in, of course – that provides the PC with a unique ID. After that setup, the Intel IPT technology in the PC's 2nd-gen Core processor negotiates with Symantec or Vasco software at the target website to work its OTP-security mojo.

"So think: 'username/password bad, adding dynamic code good'," Gilburg instructed us.

To Gilburg, the need for building a dynamic-code OTP system into consumer PCs is obvious. "There's over 56,000 new phishing sites that go up every month," she says. "And why do they go up? Because they're successful."

The rise of social networking is giving nogoodniks more opportunities to wreak havoc at the consumer level, Gilburg says. "It used to be just financial accounts, and people didn't care so much because the liability, in the US, is on the bank. So, yes, you feel violated; yes, it's horrible; but at the end of the day they're going to put that money back. But now, you take over my Facebook account and you send viruses to my thousand closest friends, and then it's your reputation that's damaged, and boy, that hurts a lot."

On the enterprise side, Gilburg cited a recent report by Forrester research – "sponsored by Symantec," she freely offered – that detailed username/password breaches. "Fifty per cent of the three thousand or so companies that they surveyed had admitted to breaches," she said, adding: "The key word there is 'admitted' – probably another 45 per cent actually had them."

She also recounted a breach at Twitter's HQ: "About a year ago, Twitter was using Google Apps for all of their corporate application servers, etcetera, and someone hacked the admin account and exposed all of Twitter's financials and business plans. What are they going to do, change their business plans?"

Eventually, Gilburg believes, users will come to expect expanded security. "What we're hoping to create on the consumer side is a notion where users are looking for this protection, and if a site doesn't have it, they might think, 'Well, you know what, I'm going to avoid that site, because my security isn't being taken seriously'."

After all, Gilburg says, "Identity theft terrifies people." And if Intel, Symantec, Vasco, and others can allay some of that terror while making a tidy profit from doing so, well, isn't that the American Way? ®
