
Baking Strong Authentication Into Client Devices

MasterCard, Symantec's VeriSign VIP support new Intel Core two-factor authentication technology
MasterCard today became the latest company to employ Intel's Identity Protection Technology (IPT) -- which basically converts a laptop or client device into a second factor of authentication -- for online commerce.

Intel this summer began shipping IPT built into its second-generation Core microprocessors, the commercial Core, and Core vPro, and the technology is gaining traction with some big names. Aside from the credit-card giant, Symantec supports IPT in its cloud-based VIP service, and Intel says it's also wooing social networks to adopt IPT for two-factor authentication.

IPT embeds a one-time password token into the chipset, says Jennifer Gilburg, marketing director for the authentication technology unit at Intel. The idea was to embed credentials for better security and usability for end users, she says.

MasterCard will support IPT-enabled client machines, which include Intel's Ultrabook and machines from HP, Lenovo, and Dell that run on the new IPT-based second-generation Core processors. The credit-card giant and Intel also will work together as part of this multiyear agreement on PayPass, MasterCard's wireless payment method that doesn't involve swiping magnetic strips on payment cards at the point of sale. Ultimately, consumers could pay online with a tap of their PayPass-enabled smartphones or Ultrabooks, for example, according to the companies.

“MasterCard is constantly working to improve the shopping experience for consumers and merchants,” said Ed McLaughlin, chief emerging payments officer at MasterCard. “The collaboration with Intel will deliver enhanced security and faster checkout -- with the convenience of a simple click or tap.”

Two-factor authentication has long been lauded as a way to enhance the notoriously vulnerable traditional username and password. While the technology has been deployed in vertical industries, such as online banking, and within sensitive businesses and government computing environments, reliance on hardware-based tokens is relatively expensive and, in some cases, a kludgy approach for mainstream organizations and consumers. Meanwhile, two-factor authentication that employs users' existing technology, especially smartphones, is starting to emerge as a more viable option, especially for cash-strapped consumers.

Intel's Gilburg says IPT allows partners with back-end authentication engines, such as Symantec, to provision a token to the IPT two-factor authentication. "The user [visits] the website, which is aware that they have IPT enabled through Java code and the user is invited to 'opt in.' When they do, every time they log onto that site, a [six-digit], one-time password is generated," she says. And all the user needs to know is his or her first-level username and password.

Symantec's VeriSign VIP service, which is used by major websites such as PayPal and eBay, is a cloud-based authentication service. "Those organizations with hardware tokens, for example, have an in-premise server they have to deploy. With our service, you don't because the authentication lives in the cloud," says Brendon Wilson, senior product marketing manager for user authentication at Symantec. "It makes it faster and easier to deploy and maintain. And it drives down the total cost of ownership" of two-factor authentication, he says, noting that VIP also supports hardware tokens.

But Intel's IPT is a different twist on the hardware token. "It transforms the laptop into the second factor of authentication," Wilson says. "The shared secret is stored securely in the Intel software."

One advantage of mobile tokens like IPT is that they can be easily revoked and reprovisioned. "You do that over the air in minutes versus months," as it takes with hardware tokens, Intel's Gilburg says.

IPT depends on these high-profile e-commerce sites' adoption. Intel also bundles a plug-in for IPT for browsers.

IPT basically enables the "plumbing" for authentication, says Eve Maler, principal analyst with Forrester Research.

Maler says that, in reality, most multifactor authentication methods in online banking or other secure sites no longer use passwords the way you'd think. "It's serving as a quick way to determine what user they are dealing with so they can launch another method of authentication," Maler says. "They are silently observing the transaction context and sniffing out anything that seems funny about it … if it's from a weird IP, [for example], then they spring into action and provide a stronger authentication experience, like sending a one-time password to your phone, or asking challenge questions."
