We often hear that online identity protection is becoming more and more critical. But what exactly does that mean? Imagine a typical online banking scenario. Before the bank lets you in, they want to verify that you are really you. They do this by asking for a password. But what if your password was stolen? Phishing is a common attack, with about 50,000 new phishing sites going online every day. With password theft being such an issue, your bank can’t rely on passwords alone. In the USA, if someone gets into your bank account and steals your money, the bank is on the hook to replace it. But what if someone gets into your Facebook account and sends spam as you? Or if someone gets into your medical records and makes them public? No one can undo that damage.

 


Therefore, adding a second factor for authentication, also known as two-factor authentication, can improve security and mitigate attacks that steal logins and passwords. To make it work, the system should go beyond what the user knows (i.e. login and password) and incorporate what the user has (e.g. a One-Time Password token, aka OTP).

 

Enter identity protection. This is accomplished by adding a second factor for authentication, also known as two-factor authentication. Continuing with our example, the bank would ask for something you know (i.e. login and password) and incorporate something you have (e.g. a One-Time Password token, aka OTP).

 

Obviously, giving something to the user is not an inexpensive approach; there are lots of logistics involved in deploying and maintaining a solution like this. There are many technologies out there that can be used. One of the cheapest methods available is a token table, a rudimentary OTP challenge/response solution where the service provider, besides login and password, asks the user to enter, for instance, code 10 of his token table.

 


 

I can’t say that this method is ineffective, but of course it has its limitations: the number of codes is limited, the table is easy to scan, etc.

 

Some banks use an OTP token that generates a time-based six-digit code: you press the button and the code the token generates is valid for a period (usually 1 minute). As you can imagine, it’s not a cheap solution and it doesn’t scale from the user’s perspective. Take my own example, where I have an account in two different banks and each one offered me these tokens. Can you imagine having one for each bank, one for Facebook, one for Twitter, one for Amazon, etc.? In the end I’ll carry a dozen of these tokens or even more.

 


 

Introducing Intel® Identity Protection Technology


Intel® Identity Protection Technology (IPT) uses the same principle as a hardware token (even the same algorithms). However, the main differences are that it is embedded in the chipset, can be used by multiple service providers, and has the potential to use either a time-based token (i.e., the token is valid for just 30 seconds) or a challenge/response mechanism. In the latter case, the service provider sends a challenge to the token, relying on the fact that only the correct token can provide the right answer, which proves the presence or possession of the token by the user.
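The two mechanisms described above, as an added example that is not Intel's code and not part of the original post. The page does not name IPT's algorithms, so this assumes the public RFC 4226/6238 HMAC-based OTP for the 30-second code and an HMAC-SHA256 over a random nonce for challenge/response; Verifier and respond are hypothetical names.

```python
import hashlib
import hmac
import os
import struct

STEP = 30  # seconds a code stays valid, matching the 30-second token above


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, now, digits=6):
    return hotp(secret, int(now) // STEP, digits)  # RFC 6238: counter = time step


def respond(secret, challenge):
    """Token side: prove possession of the secret by MACing the server's nonce."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Verifier:  # service-provider side holding the shared secret (assumed design)
    def __init__(self, secret, drift=1):
        self.secret, self.drift = secret, drift
        self.last_step = -1   # newest time step already accepted (replay guard)
        self.pending = None   # outstanding challenge, if any

    def check_totp(self, code, now):
        current = int(now) // STEP
        for step in range(current - self.drift, current + self.drift + 1):
            if step <= self.last_step:
                continue  # a code already used cannot be replayed in its window
            if hmac.compare_digest(hotp(self.secret, step).encode(), code.encode()):
                self.last_step = step
                return True
        return False

    def new_challenge(self):
        self.pending = os.urandom(16)
        return self.pending

    def check_response(self, response):
        challenge, self.pending = self.pending, None  # each challenge is single-use
        return challenge is not None and hmac.compare_digest(
            respond(self.secret, challenge), response)
```

The drift window tolerates a token clock that is one step off, and the replay guard means a phished code is useless once the legitimate login has consumed it.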

 

Intel Identity Protection Technology is part of the 2nd generation Intel Core™ processors and the latest release of Intel® vPro™ Technology, so service providers can take advantage of this capability without the additional costs related to physical tokens.

 

Of course, IPT can be used by consumers to protect their assets, but employees’ remote connections, healthcare services, financial transactions and the many SaaS applications that are proliferating can all benefit from this affordable protection as well.

 

There are a couple of solutions out there using this technology, such as Symantec/Verisign’s VIP authentication service and VASCO’s DIGIPASS, with more to come.