Call off the dogs--authentication solution already in enterprise-class PCs

The answer to many of our security problems could be found in chips that are used to store credentials and user certificates, says Wave Systems CEO Steven Sprague.
Written by Steven K. Sprague, Contributor
Commentary--While static passwords are still the most widely employed type of user authentication credential today, they are fast losing ground to stronger authentication solutions—driven by the proliferation of virtual private networks (VPNs), wireless local area networks (LANs) and the heightened awareness of compliance regulations imposed by state and federal governments. So will tomorrow’s PC users walk around with RFID chips planted under their skin? Will biometrics—once considered a panacea—continue along the adoption curve?

A more likely alternative is that enterprises will finally begin making the most out of the little silicon chips housed on the motherboards of the PCs they’ve already bought. A few years ago, major OEMs began shipping PCs with Trusted Platform Modules (TPM), security chips used to store credentials and user certificates. While the technology is only on enterprise-class PCs today, it is widely expected to be on all PCs shipped within the next year or so and could be here tomorrow.

Strong authentication of the user is achieved by leveraging the public key infrastructure (PKI) capabilities of the TPM and the ability of the TPM to create and hold a secret key that is unique to a specific chip. This key can only be used for authentication to the account if a PIN or password is provided to the TPM. This allows for strong, two-factor authentication—something I have (my laptop) and something I know (my PIN). This is the same type of authentication used by pay-by-phone services with my mobile phone.

PC standards have a legacy of dominating the market and creating interoperability and efficiency where it hadn’t existed before. Think of Ethernet or multimedia. How about optical storage or USB? These technologies are now part of the fabric of our lives and it would be hard for us to imagine a world without them. The fact is, they didn’t come to us pre-packaged because users were clamoring for them--they were delivered by the PC industry as a standard configuration from Microsoft and Intel. That’s how TPMs are arriving today; it’s only a matter of time before they’ll be on a billion PCs, ultimately finding their way into all devices, from phones and PDAs to video cameras.

The industry has taken the lead by mandating these tamper-resistant hardware chips capable of functioning as a tiny “lock box” for user credentials. And there’s clearly demand for the kind of strong authentication technology that could be deployed today.

But there’s another factor besides pent-up demand for a better authentication solution and the industry’s role in deploying the standardized technology required—human behavior. Humans are really bad at authentication. We value ease of use. My cell phone doesn’t ask me who I am every time I walk by a cell tower. I log into my phone and my phone handles access to the service provider. The set top box on my television lets me change the channel from ESPN to MTV—no passwords required!

Now let’s go to cyberspace. While walking from one section of New York City to another, it’s easy to maintain a WiFi connection given the close proximity of so many Starbucks. But I need to log in every time to see a signal. My frustration is compounded each time my VPN dumps me, forcing me to reopen the connection. Then the Web page I am logged into dumps me, so I have to log back in there as well because I have a new IP address. So every block or two I’m required to start the whole process again, completely re-asserting who I am. The only thing my PC does is keep asking me for passwords, and every time I type one in, the PC sends a copy to the new virtual friend it made yesterday.

So how will authentication work in the future? I will log into my device and my device will log me into everything. It will be that simple. Really. The day is close at hand when every Citibank customer will own a PC with a TPM and they’ll discover that users could have strong authentication with the bank from all of their own cyber devices. Once it is turned on (they probably already support PKI as a logon option today), a criminal would have to steal a user’s computer in order to steal access to an account. That’s a far more formidable task than employing key-stroke logging software to steal user passwords today!

All authentication systems should be built and tested to use the millions of PCs that have a TPM. This will then provide a common component that can be integrated into all devices. The result is that the standard for strong authentication is a PKI challenge response. A billion systems will be using this mechanism for authentication within the next five to seven years. So if we take a chapter from the history books then there should be little debate about where things are headed. For example, there were endless discussions about network protocols in the early ‘90s, but then Ethernet was built into every PC and then—poof! Today, Ethernet is all there is. It’s global. Even some telcos are discussing using Ethernet in the core of the network.
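To make the PKI challenge response concrete, here is an added simulation (not code from the article or from Wave Systems) of the two-factor login described above: a chip-resident key that is generated inside the "TPM", never exported and only usable after the correct PIN, and a server that stores nothing but the public key and hands out single-use nonces. The SimulatedTPM, Server and login names, the toy RSA key sizes and the stdlib-only primality test are my own assumptions for illustration, not anything a real TPM or bank uses.

```python
import hashlib, math, secrets

def _random_prime(bits):
    # Fermat test with a few bases: adequate for a toy key, not a real one
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7, 11)):
            return n
def _digest(data):  # challenge bytes -> integer message for textbook RSA
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

class SimulatedTPM:
    # Private key is created inside the "chip", never leaves it, and every
    # signing operation is gated on the user's PIN (assumed design).
    def __init__(self, pin, bits=192):  # 384-bit n exceeds a SHA-256 digest
        self._e = 65537
        while True:
            p, q = _random_prime(bits), _random_prime(bits)
            if p != q and math.gcd(self._e, (p - 1) * (q - 1)) == 1:
                break
        self._n, self._d = p * q, pow(self._e, -1, (p - 1) * (q - 1))
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
    def public_key(self):  # the only key material that ever leaves the chip
        return self._n, self._e
    def sign(self, pin, challenge):
        if hashlib.sha256(pin.encode()).digest() != self._pin_hash:
            raise PermissionError("bad PIN")
        return pow(_digest(challenge), self._d, self._n)

class Server:
    # Stores only public keys; each nonce is consumed by its first verify
    def __init__(self):
        self.accounts, self.pending = {}, {}
    def enroll(self, user, public_key):
        self.accounts[user] = public_key
    def challenge(self, user):
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]
    def verify(self, user, signature):
        nonce = self.pending.pop(user, None)
        if nonce is None or user not in self.accounts:
            return False
        n, e = self.accounts[user]
        return pow(signature, e, n) == _digest(nonce)

def login(server, tpm, user, pin):
    # Something I have (the chip) plus something I know (the PIN)
    try:
        return server.verify(user, tpm.sign(pin, server.challenge(user)))
    except PermissionError:
        return False
```

A logged keystroke yields only the PIN, which is useless on a second machine whose chip holds a different key, and a captured signature cannot be replayed because the server discards each nonce after one use.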

The enterprise will lead the adoption of TPM. Full support for PKI is built into Microsoft Windows Server and most of the networking technology is out there today. It will be either Internet Protocol security (IPsec) or 802.1X, the widely embraced wireless standard, but it will use hardware-based client-side certificates to authenticate the machine and the user. This can be deployed today! The adoption of network access control (NAC) will ensure it is adopted over the next three to five years. There is no missing component required to make it happen. It will take time, these paradigm shifts always do, but the march to ubiquity is really inevitable. The question really is, “Are the systems IT is buying today compatible with the TPM and did their vendor supply them with good TPM documentation?”

Another important part of this discussion is the future of the local area network (LAN). In five years, the LAN will no longer exist. I think we are moving towards a strong authentication, policy-driven services access model. In other words, all users will be authenticated to the specific service they are trying to access when they access the service. No longer will we ask permission to get on the LAN and then roam freely. With all of our workers everywhere we should rely on this more granular access model rather than putting all of our trust in a VPN or some connection-driven model. Connections are so passé and they really don’t lend themselves to the new paradigm of computing that is based on multiple service providers. So what is the future?

• Federation is used to enroll new access to a new service.
• Credentials are held in hardware on a TPM.
• The user authenticates to the local machine, and that machine manages his or her service relationships according to policy.
• Applications will validate authentication and role when the user requests access.
• NAC will use machine authentication with client certificates to validate machines and health certificates.
• Different applications may require different levels of assurance for specific services. (Think of this like the limits on your ATM withdrawal versus visiting the branch bank.)

All of the authentication technologies have a role to play, but the architecture will be one with the TPM as a backbone component. Most of the other authentication technologies are supporting characters in the play. Biometrics is a great way for me to authenticate to my machine. Implanted RFID chips would work, too. Smart cards and mobile phones will be mobile versions of my identity that I can present at other computers. So my Citibank account will recognize me when my PC logs in and then I can ask to enroll my phone and use a one-time password to enroll the related credential on my phone. Now both my PC and my phone can have similar access to my account. If I lose my phone then I could use my PC to report it stolen. The credentials would not be the same but the account would be the same.

Microsoft is embracing this direction. Windows Server 2008 will be a killer application for the utilization of TPM. With better credential handling and built-in NAP using IPsec, it is natural to turn on the TPM and get real security for every enterprise. In addition, all of their devices use PKI, client and server products support TPM, and they are exploring service models. Compare the hardware security model of an Xbox to a PC. Compare the hardware security model of their IPTV to a PC. Both have a TPM-like security paradigm.

Finally, if every user has a TPM and every TPM has a set of keys for that user, we will have all of the subscriber management tools to eliminate user ID and password. It is not about subscribers in the concept of payment but in the concept of belonging. Only TPM will be ubiquitous across the domain of global users. Every doctor’s office will have PCs with a TPM. Every first responder will have a PC with a TPM. Every army will have TPMs. Every citizen will have a TPM. Why do I have to log in? We have seen this before at the height of dial-up. Someone, somewhere must have mused, “But everyone will have a browser, we don’t need to build a client application.”

So what can you do today to be ready for this future? Turn on the TPM in all of your corporation’s machines and move the access keys that are currently secured only by operating-system software into the TPM. This is very easy to do and requires no additional user involvement. It dramatically enhances security by eliminating the ability of bad users or bad software to make copies of keys. Finally, it puts the company in a position to have the most efficient and secure access to the information it needs to make decisions.

Steven K. Sprague is the President and CEO of Wave Systems Corp., which provides software to help solve critical enterprise PC security challenges such as strong authentication, data protection, network access control and the management of these enterprise functions.