
11/14/2011
07:10 PM

Baking Strong Authentication Into Client Devices

MasterCard, Symantec's VeriSign VIP support new Intel Core two-factor authentication technology

MasterCard today became the latest company to employ Intel's Identity Protection Technology (IPT) -- which basically converts a laptop or client device into a second factor of authentication -- for online commerce.

Intel this summer began shipping its IPT technology built into its second-generation Core microprocessors, the commercial Core, and Core vPro, and the technology is gaining traction with some big names. Aside from the credit-card giant, Symantec supports IPT in its cloud-based VIP service, and Intel says it's also wooing social networks to adopt IPT for two-factor authentication.

IPT embeds a one-time password token into the chipset, says Jennifer Gilburg, marketing director for the authentication technology unit at Intel. The idea was to embed credentials for better security and usability for end users, she says.

MasterCard will support IPT-enabled client machines, which include Intel's Ultrabook and machines from HP, Lenovo, and Dell that run on the new IPT-based second-generation Core processors. The credit-card giant and Intel also will work together as part of this multiyear agreement on PayPass, MasterCard's wireless payment method that doesn't involve swiping magnetic strips on payment cards at the point of sale. Ultimately, consumers could pay online with a tap of their PayPass-enabled smartphones or Ultrabooks, for example, according to the companies.

“MasterCard is constantly working to improve the shopping experience for consumers and merchants,” said Ed McLaughlin, chief emerging payments officer at MasterCard. “The collaboration with Intel will deliver enhanced security and faster checkout -- with the convenience of a simple click or tap.”

Two-factor authentication has long been lauded as a way to enhance the notoriously vulnerable traditional username and password. While the technology has been deployed in vertical industries, such as online banking, and within sensitive businesses and government computing environments, reliance on hardware-based tokens is relatively expensive and, in some cases, a kludgy approach for mainstream organizations and consumers. Meanwhile, two-factor authentication that employs users' existing technology, especially smartphones, is starting to emerge as a more viable option, especially for cash-strapped consumers.

Intel's Gilburg says IPT allows partners with back-end authentication engines, such as Symantec, to provision a token to the IPT two-factor authentication. "The user [visits] the website, which is aware that they have IPT enabled through Java code and the user is invited to 'opt in.' When they do, every time they log onto that site, a [six-digit], one-time password is generated," she says. And all the user needs to know is his or her first-level username and password.

Symantec's VeriSign VIP service, which is used by major websites such as PayPal and eBay, is a cloud-based authentication service. "Those organizations with hardware tokens, for example, have an in-premise server they have to deploy. With our service, you don't because the authentication lives in the cloud," says Brendon Wilson, senior product marketing manager for user authentication at Symantec. "It makes it faster and easier to deploy and maintain. And it drives down the total cost of ownership" of two-factor authentication, he says, noting that VIP also supports hardware tokens.

But Intel's IPT is a different twist on the hardware token. "It transforms the laptop into the second factor of authentication," Wilson says. "The shared secret is stored securely in the Intel software."

One advantage to mobile tokens like IPT is they can be easily revoked and reprovisioned. "You do that over the air in minutes versus months" like it takes with hardware tokens, Intel's Gilburg says.
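The shared-secret model described above (a six-digit one-time password per login, with tokens that can be revoked and reprovisioned server-side) can be sketched as follows. This is an added example, not Intel's or Symantec's code: the article does not say which OTP algorithm IPT uses, so HOTP (RFC 4226) is assumed as a stand-in, and `TokenService`, its methods and the sample user are hypothetical.

```python
import hashlib
import hmac
import secrets
import struct

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP (assumed stand-in; the article names no algorithm)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TokenService:
    """Hypothetical back-end validation service: one token per user."""
    def __init__(self, window=3):
        self.window = window      # look-ahead for client/server counter drift
        self.tokens = {}          # user -> [shared secret, next counter]

    def provision(self, user, secret=None):
        """Issue a shared secret; provisioning again replaces the old one."""
        secret = secret or secrets.token_bytes(20)
        self.tokens[user] = [secret, 0]
        return secret             # would be delivered to the client device

    def revoke(self, user):
        self.tokens.pop(user, None)

    def verify(self, user, otp):
        entry = self.tokens.get(user)
        if entry is None:         # revoked or never enrolled
            return False
        secret, counter = entry
        for c in range(counter, counter + self.window):
            if hmac.compare_digest(hotp(secret, c), otp):
                entry[1] = c + 1  # advance so a captured code cannot be replayed
                return True
        return False

def demo():
    svc = TokenService()
    old = svc.provision("alice", b"12345678901234567890")  # constructed secret
    code = hotp(old, 0)
    results = [svc.verify("alice", code),      # first use: accepted
               svc.verify("alice", code)]      # replay: rejected
    svc.revoke("alice")
    results.append(svc.verify("alice", hotp(old, 1)))   # revoked: rejected
    new = svc.provision("alice")                        # reprovisioned
    results.append(svc.verify("alice", hotp(new, 0)))   # new secret: accepted
    results.append(svc.verify("alice", hotp(old, 2)))   # old secret: rejected
    return results

if __name__ == "__main__":
    print(demo())
```

Revocation here is a single server-side deletion, which is why a software token can be replaced in minutes: the device only needs a new secret delivered, not new hardware.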

IPT depends on these high-profile e-commerce sites' adoption. Intel also bundles a plug-in for IPT for browsers.

IPT basically enables the "plumbing" for authentication, says Eve Maler, principal analyst with Forrester Research.

Maler says that, in reality, most multifactor authentication methods in online banking or other secure sites no longer use passwords the way you'd think. "It's serving as a quick way to determine what user they are dealing with so they can launch another method of authentication," Maler says. "They are silently observing the transaction context and sniffing out anything that seems funny about it … if it's from a weird IP, [for example], then they spring into action and provide a stronger authentication experience, like sending a one-time password to your phone, or asking challenge questions."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
