
Intel pushes password-pumping mojo

Partners with Symantec, Vasco to stamp out 'terror'


Intel has teamed up with security firms Symantec and Vasco to create a hardware-based one-time-password system to boost protection against phishers, fraudsters, and identity thieves.

"The notion of username and password as security is ridiculous," Intel's Identity Protection Technology (IPT) marketeer Jennifer Gilburg told The Reg at a briefing on Wednesday in San Francisco.

Gilburg is not alone in her disdain for simple username/password-based security methods. For years, stronger one-time password (OTP) schemes have been used by enterprise admins to provide a second level of login security for VPN, SaaS, and other services.

The problem with OTPs, not to put too fine a point on it, is that they can be a royal pain in the butt. For example, time-based OTP systems require a client user to carry an OTP-generating fob, USB key, or a phone with an OTP app or text-messaging capability, each time-synchronized with the enterprise server. The fob or whatever generates an OTP string – usually a numeric code – at the same instant that the enterprise server expects it, the user enters that code into a login screen, and the connection is made.

That inconvenience hasn't stopped the adoption of OTP tech, however. "eBay and PayPal have been live with this for several years," Gilburg says, "and they have several hundreds of thousands of users who have opted-in." Those users, however, have obtained their OTPs with a fob; Intel's improvement on this scheme is to build the OTP-generating capability into its 2nd Generation Core (née Sandy Bridge) processors, which it unveiled last month at the Consumer Electronics Show.

"We've taken the notion of a one-time password that generates a dynamic code every 30 seconds and we've embedded it into the chipset," Gilburg says, "into the [manageability engine] of the 2nd Generation Intel Core and Core vPro. This is brand new technology; Intel is the first to do this."

That manageability engine (ME), by the way, is on the same silicon as the Core processors' compute and graphics cores. And unlike Intel's vPro client-management technology, IPT is common to all three levels of the 2nd Generation processors: the Core i3, i5, and i7; vPro skips the i3.

Intel's IPT generates the OTP, but it's up to software provided by Symantec and Vasco to take advantage of that capability. (Both companies have issued statements hailing their cooperation with Intel on this OTP tech.)

And there are three more parties that need to play before the IPT/OTP party gets into full swing: hardware OEMs, enterprises, and consumer websites.

The first, OEMs, must include the appropriate enabling firmware in their PCs. Intel is not saying quite yet who the first of those OEMs will be, but you can check in on their Protected PCs web page beginning on March 11 to find a list.

Gilburg thinks the number of participating OEMs will snowball. "This year we're expecting a small subset of the machines hitting the market to have it. Next year it'll be a little more widely available. A year after that I think it'll become more widely pervasive."

However, even if you buy a non-IPT-enabled PC before that snowball gets rolling, a simple firmware update can enable the IPT/OTP feature retroactively, should your PC vendor be so inclined.

The second and third groups of partygoers – enterprises and consumer websites – are already growing. In addition to Gilburg's examples of eBay and PayPal, Intel's Protected Sites web page lists 145 other sites protected by Symantec's OTP tech, VeriSign Identity Protection (VIP) Authentication Service, which was part of Symantec's $1.3bn acquisition of VeriSign's identity and authentication business last May.

Once all those elements are in place – as Gilburg demoed to us – logging into an OTP-protected system is a simple matter of a one-time account setup – opt-in, of course – that provides the PC with a unique ID. After that setup, the Intel IPT technology in the PC's 2nd-gen Core processor negotiates with Symantec or Vasco software at the target website to work its OTP-security mojo.

"So think: 'username/password bad, adding dynamic code good'," Gilburg instructed us.

To Gilburg, the need for building a dynamic-code OTP system into consumer PCs is obvious. "There's over 56,000 new phishing sites that go up every month," she says. "And why do they go up? Because they're successful."

The rise of social networking is giving nogoodniks more opportunities to wreak havoc at the consumer level, Gilburg says. "It used to be just financial accounts, and people didn't care so much because the liability, in the US, is on the bank. So, yes, you feel violated; yes, it's horrible; but at the end of the day they're going to put that money back. But now, you take over my Facebook account and you send viruses to my thousand closest friends, and then it's your reputation that's damaged, and boy, that hurts a lot."

On the enterprise side, Gilburg cited a recent report by Forrester Research – "sponsored by Symantec," she freely offered – that detailed username/password breaches. "Fifty per cent of the three thousand or so companies that they surveyed had admitted to breaches," she said, adding: "The key word there is 'admitted' – probably another 45 per cent actually had them."

She also recounted a breach at Twitter's HQ: "About a year ago, Twitter was using Google Apps for all of their corporate application servers, etcetera, and someone hacked the admin account and exposed all of Twitter's financials and business plans. What are they going to do, change their business plans?"

Eventually, Gilburg believes, users will come to expect expanded security. "What we're hoping to create on the consumer side is a notion where users are looking for this protection, and if a site doesn't have it, they might think, 'Well, you know what, I'm going to avoid that site, because my security isn't being taken seriously'."

After all, Gilburg says, "Identity theft terrifies people." And if Intel, Symantec, Vasco, and others can allay some of that terror while making a tidy profit from doing so, well, isn't that the American Way? ®
