Skip to Content

Logging on with Hardware

Many users like using devices for authentication. But is it safe?
October 26, 2009

Valuable information is increasingly stored remotely, but it’s difficult to keep it safe without compromising convenience and accessibility for users. Last week, Uniloc, a company based in Irvine, CA, launched a product called EdgeID that promises to strengthen remote authentication by using consumers’ devices as keys.

Companies selling cloud services, and businesses offering remote access to employees, are becoming increasingly concerned about the security of remote access.

“Everything can go into the cloud, [but] the identity of the user connecting to the system has to stay at the edge,” says Paul Miller, Uniloc’s chief marketing officer. In other words, a user always has to access data by some physical means. Miller believes that making devices an integral part of authentication will help companies define harder boundaries around their networks.

EdgeID is part of a recent crop of authentication products that rely on automatically detecting additional information about users. Users seem to like the idea–a recent survey by the Ponemon Institute, a Michigan-based security research company, found that 70 percent of respondents would be willing to let online merchants use information about their computer hardware as part of the authentication system for an online purchase. And about 75 percent said they would prefer device authentication over passwords. However, some experts still question whether such schemes truly improve upon passwords, and whether they might be too inconvenient to catch on.

To use EdgeID, users must first register a device, such as a laptop or smartphone, by installing a small software program. The program collects about 100 pieces of information about the device, ranging from basic facts like the hard disk serial number to details that evolve through wear on the system, such as the locations of bad sectors on the hard drive. These details are then transferred to a central server, which also runs software from EdgeID.

When the user logs on via the registered device, the server communicates with the installed EdgeID software, asking it questions about the information that was collected, such as a particular digit in a serial number. The software keeps up a running conversation, making the system answer questions regularly to stay connected. However, because some information about the device will change with additional wear, the server tolerates some amount of error.

Uniloc leaves it up to a company running EdgeID to determine how to react to unregistered devices. A Web service may decide to lock out such devices completely, limit the actions that can be taken with them, or simply observe the change. Miller notes that users will be able to register new machines or report a machine lost or stolen.

Other products perform device authentication without installing software. For example, Threatmetrix, based in Los Altos, CA, gives customers code that can be embedded into Web pages. When a computer loads a tagged page, the system uses Flash and JavaScript to put together information about the user’s browser, operating system, and network characteristics. Threatmetrix can then check for irregularities, such as whether the machine is known to participate in a botnet, whether it’s accessing the system via multiple accounts, or whether it’s taking steps to obfuscate its location in the network.

But Rick Smith, an information-security consultant and expert on authentication, says it’s not clear how much device-authentication schemes add to overall security. The main problem, he says, is that device authentication could be hamstrung by efforts to accommodate traveling users, or others who might legitimately use unregistered devices. “The solutions exist,” Smith says. “The problem is, in every case, you have to add more mechanisms to make it work.”

A specific problem with third-party systems that seek to identify devices, he adds, is that the underlying operating system and hardware on those devices provide ways for attackers to fool the system. Smith notes that some authentication systems have been designed with cryptographic authentication modules in the operating system, or in hardware. He thinks that this approach would provide stronger security, though it might still pose problems for traveling users.

Others see device authentication as a good supplement to passwords. Larry Ponemon, chairman and founder of the Ponemon Institute, says that he expects device authentication to go through “a natural process of adoption, testing, modification, and refinement,” but that it “holds a great deal of promise to address an area of real concern to the consumer.”

Keep Reading

Most Popular

DeepMind’s cofounder: Generative AI is just a phase. What’s next is interactive AI.

“This is a profound moment in the history of technology,” says Mustafa Suleyman.

What to know about this autumn’s covid vaccines

New variants will pose a challenge, but early signs suggest the shots will still boost antibody responses.

Human-plus-AI solutions mitigate security threats

With the right human oversight, emerging technologies like artificial intelligence can help keep business and customer data secure

Next slide, please: A brief history of the corporate presentation

From million-dollar slide shows to Steve Jobs’s introduction of the iPhone, a bit of show business never hurt plain old business.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.