Logging on with Hardware
Many users like using devices for authentication. But is it safe?
Valuable information is increasingly stored remotely, but it’s difficult to keep it safe without compromising convenience and accessibility for users. Last week, Uniloc, a company based in Irvine, CA, launched a product called EdgeID that promises to strengthen remote authentication by using consumers’ devices as keys.
Companies selling cloud services, and businesses offering remote access to employees, are becoming increasingly concerned about the security of remote access.
“Everything can go into the cloud, [but] the identity of the user connecting to the system has to stay at the edge,” says Paul Miller, Uniloc’s chief marketing officer. In other words, a user always has to access data by some physical means. Miller believes that making devices an integral part of authentication will help companies define harder boundaries around their networks.
EdgeID is part of a recent crop of authentication products that rely on automatically detecting additional information about users. Users seem to like the idea: a recent survey by the Ponemon Institute, a Michigan-based security research company, found that 70 percent of respondents would be willing to let online merchants use information about their computer hardware as part of the authentication system for an online purchase. And about 75 percent said they would prefer device authentication over passwords. However, some experts still question whether such schemes truly improve upon passwords, and whether they might be too inconvenient to catch on.
To use EdgeID, users must first register a device, such as a laptop or smartphone, by installing a small software program. The program collects about 100 pieces of information about the device, ranging from basic facts like the hard disk serial number to details that evolve through wear on the system, such as the locations of bad sectors on the hard drive. These details are then transferred to a central server, which also runs EdgeID software.
When the user logs on via the registered device, the server communicates with the installed EdgeID software, asking it questions about the information that was collected, such as a particular digit in a serial number. The software keeps up a running conversation, making the system answer questions regularly to stay connected. However, because some information about the device will change with additional wear, the server tolerates some amount of error.
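The two mechanisms described above, a fingerprint that is matched with some tolerance for wear and a running challenge about individual characters of the collected values, can be sketched in a few dozen lines. The following is an added illustration, not Uniloc's code; the six attributes, their values, the 20 percent drift tolerance and the character-position challenge format are all constructed here as assumptions, standing in for the roughly 100 attributes and whatever policy EdgeID actually applies.

```python
import random

# Constructed registration record: a handful of attributes standing in for the
# ~100 the article describes. Every value below is invented for illustration.
REGISTERED = {
    "disk_serial": "WD-WCC4E1234567",
    "cpu_id": "0F-06-02",
    "mac_addr": "00:1a:2b:3c:4d:5e",
    "ram_mb": "8192",
    "bad_sectors": "1042,77310,901226",   # expected to grow with wear
    "bios_version": "A07",
}


def match_ratio(registered, observed):
    """Fraction of registered attributes the observed device reproduces exactly."""
    hits = sum(1 for key, value in registered.items() if observed.get(key) == value)
    return hits / len(registered)


def device_accepted(registered, observed, tolerance=0.2):
    """Server policy (assumed): tolerate up to `tolerance` of attributes drifting.

    A few worn attributes (new bad sectors) should still pass; a device that
    differs in many stable attributes should not.
    """
    return match_ratio(registered, observed) >= 1.0 - tolerance


def issue_challenge(registered, rng):
    """Server side: pick an attribute and a character position to ask about."""
    attr = rng.choice(sorted(registered))
    index = rng.randrange(len(registered[attr]))
    return {"attr": attr, "index": index}


def answer_challenge(local_fingerprint, challenge):
    """Client side: the installed agent answers from its own view of the device."""
    value = local_fingerprint.get(challenge["attr"], "")
    index = challenge["index"]
    return value[index] if index < len(value) else None


def check_answer(registered, challenge, answer):
    """Server side: compare the answer with the stored registration value."""
    return answer == registered[challenge["attr"]][challenge["index"]]


def run_session(registered, local_fingerprint, rounds, seed=0):
    """Keep the 'running conversation' going for `rounds` challenges.

    Returns the number of correctly answered challenges; a real server would
    drop the session once too many answers fail.
    """
    rng = random.Random(seed)   # seeded so the session is reproducible
    correct = 0
    for _ in range(rounds):
        challenge = issue_challenge(registered, rng)
        answer = answer_challenge(local_fingerprint, challenge)
        if check_answer(registered, challenge, answer):
            correct += 1
    return correct


if __name__ == "__main__":
    # Same device after some wear: one attribute drifted, still accepted.
    worn = dict(REGISTERED, bad_sectors="1042,77310,901226,1500003")
    print("worn device accepted:", device_accepted(REGISTERED, worn))
    # Different disk and different wear pattern: two of six attributes differ.
    replaced = dict(worn, disk_serial="ST-NEWDISK00001")
    print("replaced-disk device accepted:", device_accepted(REGISTERED, replaced))
    print("challenges answered by worn device:", run_session(REGISTERED, worn, 10))
```

The tolerance threshold is the whole design question in miniature: set it loose enough to absorb bad-sector growth and firmware updates and a machine sharing most of its attributes with the registered one will also pass; set it tight and legitimate users are locked out after routine maintenance. The challenge loop does not change that calculus, since it only confirms the client still knows the values it reported at registration.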
Uniloc leaves it up to a company running EdgeID to determine how to react to unregistered devices. A Web service may decide to lock out such devices completely, limit the actions that can be taken with them, or simply observe the change. Miller notes that users will be able to register new machines or report a machine lost or stolen.
But Rick Smith, an information-security consultant and expert on authentication, says it’s not clear how much device-authentication schemes add to overall security. The main problem, he says, is that device authentication could be hamstrung by efforts to accommodate traveling users, or others who might legitimately use unregistered devices. “The solutions exist,” Smith says. “The problem is, in every case, you have to add more mechanisms to make it work.”
A specific problem with third-party systems that seek to identify devices, he adds, is that the underlying operating system and hardware on those devices provide ways for attackers to fool the system. Smith notes that some authentication systems have been designed with cryptographic authentication modules in the operating system, or in hardware. He thinks that this approach would provide stronger security, though it might still pose problems for traveling users.
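Smith's distinction is between proving that a device can read its own attributes and proving that it holds a secret. The example below is added here to make that concrete and is not code from any product mentioned in the article: it uses HMAC-SHA256 over a server nonce as a stand-in for whatever a cryptographic module in the operating system or hardware would actually compute, and the class, method and identifier names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


class DeviceKeyModule:
    """Stand-in for an OS or hardware crypto module.

    The key is generated inside the module and is never returned to callers;
    the only operation offered is answering a challenge with a keyed MAC.
    """

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def enroll(self):
        """Hand the server a copy of the key once, at registration time.

        A real hardware module would instead export a public key and sign
        with the private half; a shared secret keeps this illustration short.
        """
        return bytes(self._key)

    def respond(self, nonce):
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class AuthServer:
    """Server that issues fresh nonces and checks keyed responses."""

    def __init__(self):
        self._device_keys = {}

    def register(self, device_id, key):
        self._device_keys[device_id] = key

    def new_nonce(self):
        return secrets.token_bytes(32)   # fresh per challenge, so replays fail

    def verify(self, device_id, nonce, response):
        expected = hmac.new(self._device_keys[device_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def attribute_only_response(fingerprint, nonce):
    """What an endpoint that holds only readable attributes can offer.

    Without a secret it can at best hash its attributes together with the
    nonce; the server has no way to tell that apart from any other host
    that has read the same attributes.
    """
    material = "|".join(f"{k}={v}" for k, v in sorted(fingerprint.items()))
    return hashlib.sha256(material.encode() + nonce).digest()


def demo():
    """Enroll a keyed device, then check it and an attribute-only endpoint."""
    server = AuthServer()
    module = DeviceKeyModule()
    server.register("laptop-1", module.enroll())

    nonce = server.new_nonce()
    keyed_ok = server.verify("laptop-1", nonce, module.respond(nonce))

    # Constructed attribute set; the attribute-only endpoint knows everything
    # readable about laptop-1 but has no key, so its answer does not verify.
    attributes = {"disk_serial": "WD-WCC4E1234567", "mac_addr": "00:1a:2b:3c:4d:5e"}
    attr_ok = server.verify("laptop-1", nonce, attribute_only_response(attributes, nonce))

    # Replaying an earlier valid response against a new nonce also fails.
    old_response = module.respond(nonce)
    replay_ok = server.verify("laptop-1", server.new_nonce(), old_response)
    return keyed_ok, attr_ok, replay_ok


if __name__ == "__main__":
    print("keyed module verifies:", demo()[0])
    print("attribute-only endpoint verifies:", demo()[1])
    print("replayed response verifies:", demo()[2])
```

The difference for a defender is what has to be stolen: with attribute-based identification the registration data is the secret, and it is readable by any software on the machine, whereas with a keyed module an impostor needs the key itself, which the module is built never to export. The traveling-user problem Smith raises does not go away, since a new machine still has to be enrolled somehow.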
Others see device authentication as a good supplement to passwords. Larry Ponemon, chairman and founder of the Ponemon Institute, says that he expects device authentication to go through “a natural process of adoption, testing, modification, and refinement,” but that it “holds a great deal of promise to address an area of real concern to the consumer.”