Intel has teamed up with security firms Symantec and Vasco to create a hardware-based one-time-password system to boost protection against phishers, fraudsters, and identity thieves.
"The notion of username and password as security is ridiculous," Intel's Identity Protection Technology (IPT) marketeer Jennifer Gilburg told The Reg at a briefing on Wednesday in San Francisco.
Gilburg is not alone in her disdain for simple username/password-based security methods. For years, stronger one-time password (OTP) schemes have been used by enterprise admins to provide a second level of login security for VPN, SaaS, and other services.
The problem with OTPs, not to put too fine a point on it, is that they can be a royal pain in the butt. For example, time-based OTP systems require a client user to carry an OTP-generating fob, USB key, or a phone with an OTP app or text-messaging capability, each time-synchronized with the enterprise server. The fob or whatever generates an OTP string – usually a numeric code – at the same instant that the enterprise server expects it, the user enters that code into a login screen, and the connection is made.
That inconvenience hasn't stopped the adoption of OTP tech, however. "eBay and PayPal have been live with this for several years," Gilburg says, "and they have several hundreds of thousands of users who have opted-in." Those users, however, have obtained their OTPs with a fob; Intel's improvement on this scheme is to build the OTP-generating capability into its 2nd Generation Core (née Sandy Bridge) processors, which it unveiled last month at the Consumer Electronics Show.
"We've taken the notion of a one-time password that generates a dynamic code every 30 seconds and we've embedded it into the chipset," Gilburg says, "into the [manageability engine] of the 2nd Generation Intel Core and Core vPro. This is brand new technology; Intel is the first to do this."
That manageability engine (ME), by the way, is on the same silicon as the Core processors' compute and graphics cores. And unlike Intel's vPro client-management technology, IPT is common to all three levels of the 2nd Generation processors: the Core i3, i5, and i7; vPro skips the i3.
Intel's IPT generates the OTP, but it's up to software provided by Symantec and Vasco to take advantage of that capability. (Both companies have issued statements hailing their cooperation with Intel on this OTP tech; Symantec's is here and Vasco's is here.)
And there are three more parties that need to play before the IPT/OTP party gets into full swing: hardware OEMs, enterprises, and consumer websites.
The first, OEMs, must include the appropriate enabling firmware in their PCs. Intel is not saying quite yet who the first of those OEMs will be, but you can check in on their Protected PCs web page beginning on March 11 to find a list.
Gilburg thinks the number of participating OEMs will snowball. "This year we're expecting a small subset of the machines hitting the market to have it. Next year it'll be a little more widely available. A year after that I think it'll become more widely pervasive."
However, even if you buy a non-IPT-enabled PC before that snowball gets rolling, a simple firmware update can enable the IPT/OTP feature retroactively, should your PC vendor be so inclined.
The second and third groups of partygoers – enterprises and consumer websites – are already growing. In addition to Gilburg's examples of eBay and PayPal, Intel's Protected Sites web page lists 145 other sites protected by Symantec's OTP tech, VeriSign Identity Protection (VIP) Authentication Service, which was part of Symantec's $1.3bn acquisition of VeriSign's identity and authentication business last May.
Once all those elements are in place – as Gilburg demoed to us – logging into an OTP-protected system is a simple matter of a one-time account setup – opt-in, of course – that provides the PC with a unique ID. After that setup, the Intel IPT technology in the PC's 2nd-gen Core processor negotiates with Symantec or Vasco software at the target website to work its OTP-security mojo.
"So think: 'username/password bad, adding dynamic code good'," Gilburg instructed us.
To Gilburg, the need for building a dynamic-code OTP system into consumer PCs is obvious. "There's over 56,000 new phishing sites that go up every month," she says. "And why do they go up? Because they're successful."
The rise of social networking is giving nogoodniks more opportunities to wreak havoc at the consumer level, Gilburg says. "It used to be just financial accounts, and people didn't care so much because the liability, in the US, is on the bank. So, yes, you feel violated; yes, it's horrible; but at the end of the day they're going to put that money back. But now, you take over my Facebook account and you send viruses to my thousand closest friends, and then it's your reputation that's damaged, and boy, that hurts a lot."
On the enterprise side, Gilburg cited a recent report by Forrester Research – "sponsored by Symantec," she freely offered – that detailed username/password breaches. "Fifty per cent of the three thousand or so companies that they surveyed had admitted to breaches," she said, adding: "The key word there is 'admitted' – probably another 45 per cent actually had them."
She also recounted a breach at Twitter's HQ: "About a year ago, Twitter was using Google Apps for all of their corporate application servers, etcetera, and someone hacked the admin account and exposed all of Twitter's financials and business plans. What are they going to do, change their business plans?"
Eventually, Gilburg believes, users will come to expect expanded security. "What we're hoping to create on the consumer side is a notion where users are looking for this protection, and if a site doesn't have it, they might think, 'Well, you know what, I'm going to avoid that site, because my security isn't being taken seriously'."
After all, Gilburg says, "Identity theft terrifies people." And if Intel, Symantec, Vasco, and others can allay some of that terror while making a tidy profit from doing so, well, isn't that the American Way? ®