Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

11/14/2011
07:10 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Baking Strong Authentication Into Client Devices

MasterCard, Symantec's VeriSign VIP support new Intel Core two-factor authentication technology

MasterCard today became the latest company to employ Intel's Identity Protection Technology (IPT) -- which basically converts a laptop or client device into a second factor of authentication -- for online commerce.

Intel this summer began shipping its IPT technology built into its second-generation Core microprocessors, the commercial Core, and Core VPro, and the technology is gaining traction from some big names. Aside from the credit-card giant, Symantec supports IPT in its cloud-based VIP service, and Intel says it's also wooing social networks to also adopt IPT for two-factor authentication.

IPT embeds a one-time password token into the chipset, says Jennifer Gilburg, marketing director for the authentication technology unit at Intel. The idea was to embed credentials for better security and usability for end users, she says.

MasterCard will support IPT-enabled client machines, which include Intel's Ultrabook and machines from HP, Lenovo, and Dell that run on the new IPT-based second-generation Core processors. The credit-card giant and Intel also will work together as part of this multiyear agreement on PayPass, MasterCard's wireless payment method that doesn't involve swiping magnetic strips on payment cards at the point of sale. Ultimately, consumers could pay online with a tap of their PayPass-enabled smartphones or Ultrabooks, for example, according to the companies.

“MasterCard is constantly working to improve the shopping experience for consumers and merchants,” said Ed McLaughlin, chief emerging payments officer at MasterCard. “The collaboration with Intel will deliver enhanced security and faster checkout -- with the convenience of a simple click or tap.”

Two-factor authentication has long been lauded as a way to enhance the notoriously vulnerable traditional username and password. While the technology has been deployed in vertical industries, such as online banking, and within sensitive businesses and government computing environments, reliance on hardware-based tokens is relatively expensive and, in some cases, a kludgy approach for mainstream organizations and consumers. Meanwhile, two-factor authentication that employs users' existing technology, especially smartphones, is starting to emerge as a more viable option, especially for cash-strapped consumers.

Intel's Gilburg says IPT allows partners with back-end authentication engines, such as Symantec, to provision a token to the IPT two-factor authentication. "The user [visits] the website, which is aware that they have IPT enabled through Java code and the user is invited to 'opt in.' When they do, every time they log onto that site, a [six-digit], one-time password is generated," she says. And all the user needs to know is his or her first-level username and password.

Symantec's VeriSign VIP service, which is used by major websites such as PayPal and eBay, is a cloud-based authentication service. "Those organizations with hardware tokens, for example, have an in-premise server they have to deploy. With our service, you don't because the authentication lives in the cloud," says Brendon Wilson, senior product marketing manager for user authentication at Symantec. "It makes it faster and easier to deploy and maintain. And it drives down the total cost of ownership" of two-factor authentication, he says, noting that VIP also supports hardware tokens.

But Intel's IPT is a different twist on the hardware token. "It transforms the laptop into the second factor of authentication," Wilson says. "The shared secret is stored securely in the Intel software."

One advantage to mobile tokens like IPT is they can be easily revoked and reprovisioned. "You do that over the air in minutes versus months" like it takes with hardware tokens, Intel's Gilburg says.

IPT depends on these high-profile e-commerce sites' adoption. Intel also bundles a plug-in for IPT for browsers.

IPT basically enables the "plumbing" for authentication, says Eve Maler, principal analyst with Forrester Research.

Maler says that, in reality, most multifactor authentication methods in online banking or other secure sites no longer use passwords the way you'd think. "It's serving as a quick way to determine what user they are dealing with so they can launch another method of authentication," Maler says. "They are silently observing the transaction context and sniffing out anything that seems funny about it … if it's from a weird IP, [for example], then they spring into action and provide a stronger authentication experience, like sending a one-time password to your phone, or asking challenge questions."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Where Are the 'Great Exits' in the Data Security Market?
Dave Cole, Cofounder and CEO, Open Raven,  10/13/2020
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
US Counterintelligence Director & Fmr. Europol Leader Talk Election Security
Kelly Sheridan, Staff Editor, Dark Reading,  10/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4564
PUBLISHED: 2020-10-20
IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.0.3.1 and IBM Sterling File Gateway 2.2.0.0 through 6.0.3.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially lea...
CVE-2020-4748
PUBLISHED: 2020-10-20
IBM Spectrum Scale 5.0.0 through 5.0.5.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188517.
CVE-2020-4749
PUBLISHED: 2020-10-20
IBM Spectrum Scale 5.0.0 through 5.0.5.2 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link ...
CVE-2020-4755
PUBLISHED: 2020-10-20
IBM Spectrum Scale 5.0.0 through 5.0.5.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188595.
CVE-2020-4756
PUBLISHED: 2020-10-20
IBM Spectrum Scale V4.2.0.0 through V4.2.3.23 and V5.0.0.0 through V5.0.5.2 as well as IBM Elastic Storage System 6.0.0 through 6.0.1.0 could allow a local attacker to invoke a subset of ioctls on the device with invalid arguments that could crash the keneral and cause a denial of service. IBM X-For...