Baking Strong Authentication Into Client Devices

  /     /     /  
Publicated : 22/11/2024   Category : security


Baking Strong Authentication Into Client Devices


MasterCard, Symantecs VeriSign VIP support new Intel Core two-factor authentication technology



MasterCard today became the latest company to employ Intels Identity Protection Technology (IPT) -- which basically converts a laptop or client device into a second factor of authentication -- for online commerce.
Intel this summer began shipping its IPT technology built into its second-generation Core microprocessors, the commercial Core, and Core VPro, and the technology is gaining traction from some big names. Aside from the credit-card giant, Symantec supports IPT in its cloud-based VIP service, and Intel says its also wooing social networks to also adopt IPT for two-factor authentication.
IPT embeds a one-time password token into the chipset, says Jennifer Gilburg, marketing director for the authentication technology unit at Intel. The idea was to embed credentials for better security and usability for end users, she says.
MasterCard will support IPT-enabled client machines, which include Intels Ultrabook and machines from HP, Lenovo, and Dell that run on the new IPT-based second-generation Core processors. The credit-card giant and Intel also will work together as part of this multiyear agreement on PayPass, MasterCards wireless payment method that doesnt involve swiping magnetic strips on payment cards at the point of sale. Ultimately, consumers could pay online with a tap of their PayPass-enabled smartphones or Ultrabooks, for example, according to the companies.
“MasterCard is constantly working to improve the shopping experience for consumers and merchants,” said Ed McLaughlin, chief emerging payments officer at MasterCard. “The collaboration with Intel will deliver enhanced security and faster checkout -- with the convenience of a simple click or tap.”
Two-factor authentication has long been lauded as a way to enhance the notoriously vulnerable traditional username and password. While the technology has been deployed in vertical industries, such as online banking, and within sensitive businesses and government computing environments, reliance on hardware-based tokens is relatively expensive and, in some cases, a kludgy approach for mainstream organizations and consumers. Meanwhile, two-factor authentication that employs users existing technology, especially smartphones, is starting to emerge as a more viable option, especially for cash-strapped consumers.
Intels Gilburg says IPT allows partners with back-end authentication engines, such as Symantec, to provision a token to the IPT two-factor authentication. The user [visits] the website, which is aware that they have IPT enabled through Java code and the user is invited to opt in. When they do, every time they log onto that site, a [six-digit], one-time password is generated, she says. And all the user needs to know is his or her first-level username and password.
Symantecs VeriSign VIP service, which is used by major websites such as PayPal and eBay, is a cloud-based authentication service. Those organizations with hardware tokens, for example, have an in-premise server they have to deploy. With our service, you dont because the authentication lives in the cloud, says Brendon Wilson, senior product marketing manager for user authentication at Symantec. It makes it faster and easier to deploy and maintain. And it drives down the total cost of ownership of two-factor authentication, he says, noting that VIP also supports hardware tokens.
But Intels IPT is a different twist on the hardware token. It transforms the laptop into the second factor of authentication, Wilson says. The shared secret is stored securely in the Intel software.
One advantage to mobile tokens like IPT is they can be easily revoked and reprovisioned. You do that over the air in minutes versus months like it takes with hardware tokens, Intels Gilburg says.
IPT depends on these high-profile e-commerce sites adoption. Intel also bundles a plug-in for IPT for browsers.
IPT basically enables the plumbing for authentication, says Eve Maler, principal analyst with Forrester Research.
Maler says that, in reality, most multifactor authentication methods in online banking or other secure sites no longer use passwords the way youd think. Its serving as a quick way to determine what user they are dealing with so they can launch another method of authentication, Maler says. They are silently observing the transaction context and sniffing out anything that seems funny about it … if its from a weird IP, [for example], then they spring into action and provide a stronger authentication experience, like sending a one-time password to your phone, or asking challenge questions.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Baking Strong Authentication Into Client Devices