Inside Intel's CPU-level multi-factor auth (and why we've got deja vu)

Password? All you need is your phone, fingerprint, PIN, mother's maiden name ...

28 Reg comments Got Tips?

Analysis Intel has baked multi-factor authentication defenses into its sixth-generation Core processors.

On Tuesday, the California chip giant sprung this news on the world, revealing what it seemed to be saying was a really big secret: all this time, the sixth-gen Core family, launched in September, has had brand-spanking new multi-factor authentication support, and no one knew? Blow me down with a feather.

However, the technology appears to be an extension to various security mechanisms Intel has been eking out for years.

The multi-factor authentication – dubbed Intel Authenticate – hopes to do away, in part, with passwords, and is aimed at businesses, large and small. Right down at the firmware layer, the chipset stores policies and authentication data that are supposed to be safe from hackers.

Authentication data could, for example, be the user's fingerprint, or a PIN. A policy could, for example, state that a recognized work-issued smartphone within close range of the machine, plus the entry of a correct PIN, is enough to log into the device. The policy could add that if the machine is not connected to a corporate network, then a smartphone within range, a valid PIN, and a valid fingerprint, read from a builtin sensor, is needed to unlock the computer.

So, if you're using a laptop in the office on the corporate Wi-Fi, with your phone on the desktop within Bluetooth range, all you need to do is type in a PIN to log back into the PC. If you're in a cafe at the weekend, you'll need to provide a fingerprint to make sure you're not a thief.

"Intel Authenticate embeds multi-factor authentication into hardware in the platform architecture," said Thomas Garrison, a vice president in Intel's client computing group.

"By doing so, the most common software based attacks that steal user credentials through viruses or malware are rendered ineffective. Intel delivers a secure PIN, a Bluetooth proximity factor with your Android or iPhone, a logical location factor with vPro systems, and fingerprint biometrics."

The operating system – so far Windows 7, 8 and 10 support Intel Authenticate – has to communicate with the firmware to get the yes or no confirmation for allowing the login. The OS isn't supposed to see the fingerprint or the PIN, so it can't be stolen by code running inside the kernel or in user space.

If you can't login – such as you lose your phone – you can optionally fall back to a password. It's supposed to help employees who are bad at remembering complex passwords, and IT support desks who have to do daily resets for people.

Under the hood

Intel Authenticate uses two firmware-level systems that give security researchers and privacy activists the heebie-jeebies: Intel's Management Engine (ME), and Intel's Active Management Technology (AMT). Both of these have been around for years, work below the operating system, and are mostly invisible to the layers of software above them. They are supposed to allow sysadmins to control machines remotely, but offer other features. AMT, for example, provides the network location detection used by Intel Authenticate.

The Management Engine built into the motherboard chipset provides the secure memory area for storing policies and the user's authentication data, which aren't allowed to leave the secure area nor allowed to be tampered with unless you've got the right privileges. This is supposed to stop miscreants from setting lax policies or swiping people's login details.

This is why you need a firmware download to activate Intel Authenticate; the software runs only on vPro editions of Intel's new sixth-gen Core CPUs, aka the Skylake family. The Skylake vPro parts were announced this week.

This whole system appears to be an iteration of the two-factor authentication methods we've seen before in Chipzilla's business-friendly chips, such as the 2011 Sandy Bridge vPro parts, and the Broadwell vPro family in 2015. Back then, it was known as Intel Identity Protection, which provides support for two-factor authentication, such as logging in with a username, password and hardware token, or a username, password and one-time code sent to a smartphone.

Now, Intel's added Bluetooth and fingerprint-reader support, made it a bit more user-friendly, thrown in PIN codes, and voila. It might explain why these two press releases on the vPro series, a year apart, seem so similar.

We just hope nothing compromises the ME at the heart of Intel Authenticate, nor the operating system to bypass the mechanism. Authenticate is a tool for IT admins more than anything else, rather than a total protection from hackers.

Intel Authenticate is in preview mode: customers are invited to contact Intel so they can be helped through the process of installing the necessary middleware and firmware to use it. Chad Constant, Intel's director of business client marketing, told El Reg no date had been set for the lifting of this trial period, but said Intel's tech previews tend to last four to six months. ®

PS: You should update your Intel Driver Update utility before someone on your network hijacks your firmware downloads, and injects malicious code into your system.


Biting the hand that feeds IT © 1998–2020