Internet Passwords Should Be Moved To A Science Museum


Dark Reading recently published an interesting perspective from the esteemed Dr. Taher Elgamal on “silent authentication” services, which offer us the potential for single-password access to our multiple online user accounts.

Elgamal, who invented the Secure Sockets Layer (SSL) cryptographic protocol that provided early security over the Internet, recalls the “old days” of just a few decades ago when we simply logged onto the Internet once and accessed its many resources.

Today, by contrast, we must instead remember multiple credentials in order to access different accounts with Amazon or Netflix, as well as our banking, investment or bill pay services. This inconvenience has spawned several online services that allow users to access participating websites through a single log in.

Elgamal improves on this by suggesting that the Internet “remember” a user’s login. That way, sites can embed an interface to an Internet service that confirms a user on a particular device is the same user who always signs on from that device.

I’m all for convenience , but it’s possible to do Dr. Elgamal’s suggestion one better and recommend an approach wherein the user’s device becomes a multiuse, multifactor token. This authentication framework is already embedded on more than 600 million PCs today in the form of the Trusted Platform Module (TPM).

The TPM can hold not one but dozens if not hundreds of discrete silent authentication credentials in tamper-resistant hardware. That means every site could be assigned its own credential – all accessed through a single device with a single password.

There are different models in which this approach may be applied. In one, nothing is required of the user; when asked, the TPM simply provides an authentication ceremony. Alternatively, a PIN might be required every time a website requests an authentication ceremony. A third model might require entry of the PIN only once – when the machine is turned on.

This is all far simpler than relying on an Internet authentication service to serve as middleman, and far more private. It’s far easier for users to trust their device than an online service that says, “We know everything you do every day, but we are trustworthy.”

The future of authentication is that we’ll log into a device, which will then securely and privately log us into everything. In this future, when we register a service to one device, all of our devices will add the same key. With at least $2 billion already invested in the TPM’s open-industry standard, trusted computing has already built a very solid foundation to achieve this goal. But there is still work to do.

Although TPMs are onboard the majority of PCs today, they largely remain an untapped model for authentication on Internet sites. It is time for major online providers such as Google, CITI and Facebook to consider the power of TPMs as an authentication method. Perhaps 600 million secure customers are not enough for them. Meanwhile, as both the mobile industry and consumer devices are adding TPMs, I am sure that someone will unlock the value of a billion happy customers.

SHARETweet about this on TwitterShare on LinkedInShare on FacebookShare on Google+Pin on PinterestDigg thisShare on RedditShare on TumblrShare on StumbleUponEmail this to someone

Since taking the helm as CEO in 2000, Steven Sprague has played an integral role driving the industry transition to embed stronger, hardware-based security into the PC. He holds executive responsibility for all operations within Wave. During his time as CEO he has guided Wave to a position of market leadership in enterprise management of self-encrypting hard drives and Trusted Platform Module security chips. As a popular speaker and IT security thought leader, Steven speaks at dozens of conferences and events each year—educating global audiences about the latest PC hardware security advancements and industry standards (both on behalf of Wave, and in his leadership role with the Trusted Computing Group). His expertise lies in leveraging advancements in hardware security for strong authentication, data protection, advanced password management, enterprise-wide trust management services and more. Steven earned a BS from Cornell University in 1987.