Intel beefs up online security with two-step logins [sponsored]

Posted on October 13, 2011, 11:30 AM
Follow up on this and other innovations at Intel's Cloud Computing Technology portal and learn about the emergence of new cloud-based solutions.

As people grow more comfortable with storing information in the cloud, it's becoming increasingly important to make sure such data is kept away from prying eyes. Usernames and passwords are generally okay for most services -- as long as you use a strong password, of course -- but they don't provide ample protection and are susceptible to phishing and social engineering tricks. What is needed is a way to more clearly tie a user's identity to a trusted device.

One popular method businesses employ today is two-step authentication procedures, where users are required to type in a special, short-lived code in addition to their normal password to get into their accounts. This special code is generated on the spot by a physical 'token' that usually comes in the form of a key fob, smart card or USB stick.

Physical tokens are used by many Fortune 500 companies, but the problem with this approach is that it can be rather expensive to maintain when there are hundreds of employees and partners involved. In addition, if the algorithms behind the tokens are ever compromised it can take months to recode and replace them. To address these challenges, Intel has developed a solution that promises to be seamless for users and more cost effective for organizations.

Intel's Identity Protection Technology (IPT) is built into select 2nd generation Intel Core processor-based PCs. In essence, IPT adds a hardware layer of security while eliminating the need to carry around or attach a security device to your computer. Here's how it works:

When you access an Intel IPT-enabled website, you will be prompted to "register" your PC on that site. On subsequent logins, you simply enter your username and password and behind the scenes the PC generates a unique six-digit code from an embedded processor on the computer's motherboard, which gets validated by the website.

This embedded processor, known as Manageability Engine (ME), is a controlled area of the chipset that is tamper-proof and operates in isolation from the operating system for added security. Algorithms developed by Intel partners, such as Vasco and VeriSign, run in the ME performing the operations that link the computer to a validated site.

Intel says more than 1,000 websites now support IPT-enabled computers, including eBay and PayPal, and the company is actively working with partners to expand that number. They've also provided a guide of all notebooks and desktops from the likes of Lenovo, Dell, HP, Toshiba and Sony that currently support this technology.

This sponsored post is brought to you by Intel. Follow up on this and other innovations at Intel's Cloud Computing Technology portal and learn about the emergence of new cloud-based solutions.

User Comments: 5

Got something to say? Post a comment
Staff
Rick Rick, TechSpot Staff, said:

When you access an Intel IPT-enabled website, you will be prompted to "register" your PC on that site. On subsequent logins, you simply enter your username and password and behind the scenes the PC generates a unique six-digit code from an embedded processor on the computer's motherboard, which gets validated by the website.

Maybe I just don't fully grasp IPT, but simplified, it sounds like it registers a physical device (ie. your PC) to a website.

So the question is, who wants to restrict a website to a specific computer? Not everyone, that's for sure.

As a result, there must be (and possibly always be) ways to access your accounts without an IPT-enabled computer. For as long as methods exist to serve the lowest common denominator, I don't see this IPT stuff as being any more secure.

The weakest link in a chain determines its strength. That weak link here is that many people still want access to websites from ANY Internet-capable device... It's what makes the web awesome. You can opt to give that away by relegating your usage of certain sites to a particular set of devices, but there's still a registration process and possibly some sort of leniency (eg. similar to resetting your password with a security code) which can probably be abused as well... not to mention physical access or user impersonation (remote access to the physical machine) remain viable avenues for unpleasant activities as well.

I'm not sure I'm seeing the value yet, although perhaps it does lay a framework for accountability. If everyone's chips carry a unique ID that cannot be altered, then we have ourselves a reasonable foundation to build an identification system which could possibly tie you (or at least your computer) to your electronic alter ego...

Guest said:

Does this prevent a user from login to the web site from a different device or only from purchasing items from a different device? If the user's PC is compromised then game over. Can a man in the middle attack still work, seems like it. They mentioned Intel, Symantec and E-Bay, so do you need Symantec on other security software to hook into this? Still have questions and I'm not sure what this really solves, other than the DB dumps of username/password as they would now need your physical machine to do something. I guess it's a step in the right direction however it seems like a better solution is out there.

Cota Cota said:

Finally! *deletes idea from his book*

This is a nice step on security (tho im sure the ID can be easily read using some API), but once again the REAL security really comes from the quality of the user.

mevans336 mevans336 said:

Rick said:

When you access an Intel IPT-enabled website, you will be prompted to "register" your PC on that site. On subsequent logins, you simply enter your username and password and behind the scenes the PC generates a unique six-digit code from an embedded processor on the computer's motherboard, which gets validated by the website.

Maybe I just don't fully grasp IPT, but simplified, it sounds like it registers a physical device (ie. your PC) to a website.

So the question is, who wants to restrict a website to a specific computer? Not everyone, that's for sure.

You're right. If you're away from your PC, you can't access the site. (Without some other mechanism to allow access.)

This is relevant to business users, not home users.

Intel is trying to put RSA out of business while possibly extending a "good-enough" type system to home users.

Night Hacker Night Hacker said:

I'll stick to my AMD CPU and some common sense.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.