When you look closely at the numerous public breaches that have happened over the past 18 months, you realize that many of the attacks focused on stealing the credentials of users. It is time for IT organizations to take a fresh look at the new multi-factor authentication (MFA) options that are coming with Intel hardware and the Windows operating system.
It is widely accepted that a username and password are not strong enough security. IT shops will also deploy a PKI (Public Key Infrastructure) certificate to secure the client. However, those PKI certificates are stored “in the clear” on the workstation. We need to look at how to implement a stronger identity management environment by using MFA and a secure storage mechanism.
Let’s start with the storage of security credentials/keys. A Trusted Platform Module (TPM) can be used for this. For Intel processors there are a couple of different ways to implement the security storage area, so for simplicity, we’ll just refer to it as the “security engine”. Using PKI as an example, instead of storing the PKI certificate in the OS where hackers can gain access, you can store it in the security engine where hackers have no access. Intel is working with the software ecosystem to deliver a trusted environment where multiple user-identity factors can be securely stored in hardware. You can utilize factors such as One Time Passwords (OTP), PKI, or even biometric information to create your multi-factor environment.
An example of an MFA environment would be how Intel is enabling an automated login process based on proximity, whereby the user would use Bluetooth on their smartphone to let their PC/tablet know they are nearby. The user would log into their PC at the beginning of the day by entering their typical password, but the system will also require a second authentication factor, in this case a Bluetooth-connected device like a smartphone. IT policy may require the smartphone to use a PIN for the second factor. When the user walks away from the PC with their smartphone, the PC would detect that the user absence and automatically lock. Upon return, the PC detects the presence of the smartphone and automatically unlocks or unlocks with a PIN from the smartphone. This use case will be delivered in the coming months, along with other innovative ways to utilize multiple authentication factors.
Intel is working closely with Microsoft to improve credential management on Windows 10, so users will be able to utilize MFA to deliver a more secure identity management system.
With built-in MFA in the hardware and operating system, IT professionals can seriously look at how they’ll implement a higher security standard to prevent thieves from stealing information via user credentials. Of course this won’t solve all every problem, but will certainly make it harder on unauthorized users to gain access to personal and company information.