The Schwartz Report

Blog archive

Q&A: Why Intel Authenticate Will Bolster PC Security

Intel is rolling out multifactor authentication (MFA) technology that will work in any new PC equipped with its 6th Generation Core processors, code-named "Skylake." Tom Garrison, VP and general manager of Intel's Business Client Products, recently outlined new MFA technology called Intel Authenticate. Garrison announced Intel Authenticate, which is available in preview now, during a late January press conference. Following the press conference Garrison fielded our questions about the new technology and how it will work with Microsoft later this year to deliver and promote Intel Authenticate and the two companies' respective security capabilities. Also see the March Redmond magazine cover story about Intel Authenticate, which includes analysis and industry reaction.

Q: Can you talk about some of the co-marketing and joint development work you'll be doing with Microsoft?
A: Whenever we have new processors with new capabilities, we've got deep engineering engagement between the two companies. As they have either OS features or us with hardware features, we work collaboratively in that sense. That's the same way we're going with Authenticate. Our engagement right now has been very much focused on making sure that Authenticate [works] seamlessly with Windows 10, as well as Windows 7 and Windows 8.1. Longer term, from an Intel perspective, our goal is that Windows authentication will use the security capabilities that are built into the 6th Generation platforms and beyond. So, for example, if Windows 10 or whatever version of Windows 10 that the user is running on a 6th Generation platform, we would like the operating system to be able to know that it's talking to a machine that has hardened multifactor authentication capability and log in using that. It raises the level of trust of the platform. In the cases where the machine isn't capable of that -- maybe it's an older platform or it's a different architecture -- then it would log in with whatever capability the machine has. And in that case, it would be less secure than what we are providing with our machine, but then that would give choice to the IT decision makers who are buying the platforms. Longer term that's what we're working toward with Microsoft.

From an engineering perspective, we're absolutely engaged between our platform teams and we have security-focused individuals, as does Microsoft. There's no agreement on when we'd be able to do that, or if we will do that, but that is certainly our goal. It's beyond security, even. Our goal is always that we want the operating system to be able to take advantage of the capabilities that are in the hardware, and this is another example of that. So we want to make sure if we have a feature, like Authenticate, that the operating system can take advantage of it, and the user gets the value, in this case the value being a more secure security posture for the endpoint.

Microsoft points to some of the security features it has including Passport and Hello, Azure Active Directory, BitLocker and its enterprise data protection DeviceGuard capabilities. Do any of those conflict, or compete, with what Intel is doing with Authenticate?
Some of them are completely unrelated, but, for example, with Hello versus Authenticate, Microsoft will give you a set of choices of which factors to use. And those factors -- you can use face, a password and [others] -- but their implementation is based on what we call a software implementation, so it's visible at the software level and, therefore, you could be exposed to certain classes of attacks in that case. Even older platforms, username and password, we know there are lots of attacks worldwide. I think the estimate -- if I remember correctly -- is 117,000 attacks every day on corporations. There are lots of attacks and almost all of those are software-based attacks. So when you use something like Hello, it is certainly better than the simple username and password solution, but what [Intel] Authenticate does is it builds even more. And so it's hardened multifactor authentication. So it puts it in hardware. What we're providing is an even better security capability because it's rooted in hardware and, therefore, all the software classes of attack like simple phishing techniques or key-loggers, or screen scrapers, those kind of more traditional attacks will not work with Authenticate, because the credentials themselves are all stored in hardware. There are other classes of attacks where the credentials are actually removed from the PC when they're stored in the software layer. All of those classes of attacks are thwarted with Authenticate, but again, IT can make the choice for large businesses. They can choose which level of security they want to have. Traditional, old username password is probably the least secure. Windows Hello improves that with its facial login and some of the other attributes [being added]. And then Authenticate, we believe, is the level businesses should be looking to deploy to give the best security posture possible for their client endpoints.

At the [January press] briefing, you mentioned that Windows Hello "trains" Authenticate. Can you elaborate on what happens there and whether that was jointly engineered with Microsoft or if you just engineered that capability?
When you train the PC -- say your fingerprint as an example – it's called enrollment. The partnership we have with Microsoft is very broad. We know how the enrollment works and our goal is obviously from a user-experience standpoint, to make sure that the experience is positive for the people that are using Authenticate so they don't have to have multiple enrollments. They can do it once and use it in a Windows 10 context or in an Authenticate context.

Where do you see broadening the integration or these capabilities?
I think the most obvious ones, at least the ones we're talking about right now, we'll continue to add authentication factors. Today you'll see machines with integrated fingerprint solutions, for example from Lenovo -- Lenovo has a hardened fingerprint solution that takes advantage of Intel Authenticate today built-in with a hardened factor. You'll see Authenticate can also be used for what we call soft factors: these are factors that have some element that the factor is visible to the operating system, invisible to software. If, for whatever reason, there is a particular class of a factor that an IT shop really wants, Authenticate is flexible enough that you can use any of those as part of your decision criteria. And obviously from our perspective, the more you can choose hardened factors, each of those individual factors is more robust and less likely to be compromised. But over time, you'll see more factors come in from us. We'll be adding things like hardened facial login. You'll see other biometrics come in from other OEMs, I can't discuss the details, but suffice to say, there will be other biometrics coming in. And then, over time, we will be expanding just beyond identity, which is what we're today focused on with Authenticate. But our strategy is to build upon the security capabilities of the PC, to be able to add capabilities in it with data protection being an example of an area where we can add more capability that significantly improves the protection of data -- in motion or at rest -- on a PC.

You're referring to encryption?
It is encryption, but it's encryption that would allow data to be stored certainly on the PC. For example, if you were going to share information between one PC and another, you can do that in a more secure fashion, and then if your PC was somehow compromised through whatever class of attack, and the information was removed from your PC, that information would be fully encrypted and basically useless to whoever was trying to take advantage of it. Those are capabilities that are coming but we're not talking a lot about it because those are things coming. But It also is about how it interacts with how you would store data either on your PC or off your PC, as well. It's exciting stuff, and my point of raising this is that what we're doing with Authenticate right now is exciting, it hits the major classes of attacks, more than half of attacks are related to stolen or misused credentials. That's why we focused on identity first. And we have a plan to innovate around the broader term of security of the platform beyond identity in subsequent platforms. As we continue to improve identity, we'll add capabilities beyond identity such as data protection, for example.

Trusted Platform Module (TPM), although it has been around for a while, has never gotten broad adoption. Is it possible Authenticate is ending up in the same type of scenario or do you anticipate it will be more broadly adopted?
Our goal is that it's more broadly adopted. I think TPM, in general, is an example of an interesting technology that wasn't, what I would say, broadly adopted. The reason I think [that] is the use cases of TPM were relatively limited. What we are trying to do with Authenticate is focus on a use case and a threat that is a broad exposure. And a use case that's done every single day multiple times a day. We are making the overall experience positive from a user standpoint. TPM is a solution that delivers a higher level of trust, but it's primarily the user who doesn't really care about it. It's the IT organization that would care about it. With Authenticate, you're getting the value of a more trusted machine, which is what the IT shop would care about. And, you're getting a better user experience because to the user it'll look like they don't have any more passwords. They don't need to remember complex passwords that are changing every 30 to 60 days. It's delivering that double value.

From an authentication standpoint, you're a member of the FIDO Alliance. At what point will Authenticate will be FIDO-compliant?
Microsoft is obviously taking a leadership role there. We're working very closely with them so that everything that we're doing with Authenticate in terms of the various factors and so forth that we're enabling are all FIDO-compliant. We are working very closely with Microsoft to make sure that's the case.

I know it's difficult to promise an exact timeline but do you have any sense? Is it going to be a year from now before it's FIDO-compliant?
It's still evolving so it's impossible to forecast.

Once that's achieved, do you think that will be a key impetus in the broad adoption of this technology?
I think it's important, I don't think people are saying, "I'm not going to do anything until I know this is FIDO-compliant." The FIDO element is an important aspect when it comes to the overall industry and how you coordinate and drive the industry forward when it comes to security, so that's important, and that's why we want to make sure that we're compliant in that regard. But I don't perceive any sort of waiting by customers to hear what comes out of FIDO 2.0, before they want to take action. I think as long as they know that companies like Intel and Microsoft are working together and our plan and our strategy is to continue to engage and be part of that FIDO 2.0 consortium, and be compliant with it, that's fine, that's all they need to know.

Can you elaborate on Intel Authenticate's support for System Center and Active Directory?
We want to make sure with Authenticate you don't need to have a new set of tools to enable Authenticate. And so we have provided plug-ins to go into McAfee EPO, or Microsoft System Center Configuration Manager [SCCM] and so with those plug-ins, whatever you're using, whether it's SCCM or Active Directory or EPO, the tools that you're used to using you don't need to learn new tools. Through those plug-ins you now have the ability to do the policy-based management of your fleet. So, for example, if you want to say all 6th Generation platforms, in order to log in, we want you to have a Bluetooth-enabled trusted phone, and also a fingerprint solution, you can do that in a policy-based way with whatever tool you use, whether that's EPO or Active Directory or SCCM.

How do third-party authentication tools from companies like RSA fit into Authenticate. Are you competing with them or do you see integrating with them?
No, we're actually working with them. I can't speak specifically about RSA, but in general we've been working with them. They're very interested in Authenticate because one of the limitations with some of those other solutions, for example hardware tokens, those tokens are a pain-point for their customers, because of lost tokens or just the cost of having to replace them or resynchronize those tokens.

Given the credentials are stored in the hardware, can you describe what happens on the hardware?
Within our chipset, we have a management engine. Within that management engine, it does lots of different functions. For example, that management engine does the capabilities we have around vPro. So you can do out-of-band management when the operating system isn't available, or you want to do some sort of patching or things that are outside the operating system. That's where vPro's capabilities are rooted in this management engine. But also on that same management engine with Authenticate, we have the ability to store credentials. We also have the ability to put the IT policy engine there. So when IT decides, "I want to have a person use a Bluetooth phone and a fingerprint to login," that's a policy decision and they can make those policies, which are all stored in hardware. Also the actual biometric information itself is stored there. Which was super critical to have it trusted and protected to the highest level possible. The combination of those three things, the biometric information, the security credentials and the IT policy engine, are all stored in this management engine and this management engine is what does the work of Authenticate. So based on the information that it has to work with, whether it's the biometric information, the policy engine and so forth, it will decide whether or not to issue the certificate. Those are all decisions that are handled there in the management engine.

It's below the operating system so none of that information is stored in any way that would be available to hackers to somehow compromise, steal and remove from the PC. Because it's in hardware it's below the level of the operating system, it's below the drivers and any other applications software. None of those can see into the hardware space, which gives a much higher level of security and trust.

Posted by Jeffrey Schwartz on 02/26/2016 at 1:16 PM


Featured

comments powered by Disqus

Subscribe on YouTube