Valuable information is increasingly stored remotely, but it’s difficult to keep it safe without compromising convenience and accessibility for users. Last week, Uniloc, a company based in Irvine, CA, launched a product called EdgeID that promises to strengthen remote authentication by using consumers’ devices as keys.
Companies selling cloud services, and businesses offering remote access to employees, are becoming increasingly concerned about the security of remote access.
“Everything can go into the cloud, [but] the identity of the user connecting to the system has to stay at the edge,” says Paul Miller, Uniloc’s chief marketing officer. In other words, a user always has to access data by some physical means. Miller believes that making devices an integral part of authentication will help companies define harder boundaries around their networks.
EdgeID is part of a recent crop of authentication products that rely on automatically detecting additional information about users. Users seem to like the idea: a recent survey by the Ponemon Institute, a Michigan-based security research company, found that 70 percent of respondents would be willing to let online merchants use information about their computer hardware as part of the authentication system for an online purchase. And about 75 percent said they would prefer device authentication over passwords. However, some experts still question whether such schemes truly improve upon passwords, and whether they might be too inconvenient to catch on.
To use EdgeID, users must first register a device, such as a laptop or smartphone, by installing a small software program. The program collects about 100 pieces of information about the device, ranging from basic facts like the hard disk serial number to details that evolve through wear on the system, such as the locations of bad sectors on the hard drive. These details are then transferred to a central server, which also runs software from EdgeID.
When the user logs on via the registered device, the server communicates with the installed EdgeID software, asking it questions about the information that was collected, such as a particular digit in a serial number. The software keeps up a running conversation, making the system answer questions regularly to stay connected. However, because some information about the device will change with additional wear, the server tolerates some amount of error.
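The challenge-and-tolerance exchange described above can be sketched as follows. This is an added example, not Uniloc's code: the attribute names, the sample values, the single-character question format and the 20 percent error tolerance are all assumptions made for illustration.

```python
import secrets

# Constructed enrollment record; attribute names and values are illustrative.
ENROLLED = {
    "disk_serial": "WD-7731904A",
    "mac_address": "00:1b:44:11:3a:b7",
    "bad_sectors": "1042,88213,90177",
    "cpu_model": "x86-64-rev12",
    "bios_version": "A14.2.0",
}

def make_challenges(profile, count, rng=None):
    """Server: pick random (attribute, character position) questions."""
    rng = rng or secrets.SystemRandom()
    names = sorted(profile)
    picked = [rng.choice(names) for _ in range(count)]
    return [(n, rng.randrange(len(profile[n]))) for n in picked]

def answer(device, challenges):
    """Client: read each requested character from the live device values."""
    replies = []
    for name, pos in challenges:
        value = device.get(name, "")
        # None marks a question the device cannot answer (missing or shorter value).
        replies.append(value[pos] if pos < len(value) else None)
    return replies

def verify(profile, challenges, replies, tolerance=0.2):
    """Server: accept when the share of wrong replies is within tolerance."""
    if not challenges or len(replies) != len(challenges):
        return False, 1.0
    wrong = sum(1 for (name, pos), r in zip(challenges, replies)
                if r != profile[name][pos])
    error = wrong / len(challenges)
    return error <= tolerance, error

if __name__ == "__main__":
    # Constructed case: the same device after one attribute has changed.
    drifted = dict(ENROLLED, bios_version="A14.2.1")
    qs = make_challenges(ENROLLED, 20)
    print(verify(ENROLLED, qs, answer(drifted, qs)))
```

Raising `tolerance` absorbs more hardware drift but also lets a device that knows fewer of the enrolled values pass, so it is the parameter to tune against observed drift.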
Uniloc leaves it up to a company running EdgeID to determine how to react to unregistered devices. A Web service may decide to lock out such devices completely, limit the actions that can be taken with them, or simply observe the change. Miller notes that users will be able to register new machines or report a machine lost or stolen.