By Chris Williams, 20th January 2016 08:22

Inside Intel's CPU-level multi-factor auth (and why we've got deja vu)

Password? All you need is your phone, fingerprint, PIN, mother's maiden name ...

Analysis Intel has baked multi-factor authentication defenses into its sixth-generation Core processors.

On Tuesday, the California chip giant sprang this news on the world, revealing what it seemed to be saying was a really big secret: all this time, the sixth-gen Core family, launched in September, has had brand-spanking new multi-factor authentication support, and no one knew? Blow me down with a feather.

However, the technology appears to be an extension to various security mechanisms Intel has been eking out for years.

The multi-factor authentication – dubbed Intel Authenticate – hopes to do away, in part, with passwords, and is aimed at businesses, large and small. Right down at the firmware layer, the chipset stores policies and authentication data that are supposed to be safe from hackers.

Authentication data could, for example, be the user's fingerprint template, or a PIN. A policy could, for example, state that a recognized work-issued smartphone within close range of the machine, plus the entry of a correct PIN, is enough to log into the device. The same policy could add that if the machine is not connected to the corporate network, then a smartphone within range, a valid PIN, and a valid fingerprint, read from a built-in sensor, are all needed to unlock the computer.

So, if you're using a laptop in the office on the corporate Wi-Fi, with your phone on the desk within Bluetooth range, all you need to do is type in a PIN to log back into the PC. If you're in a cafe at the weekend, you'll also need to provide a fingerprint to prove you're not a thief who walked off with both the laptop and the phone.

"Intel Authenticate embeds multi-factor authentication into hardware in the platform architecture," said Thomas Garrison, a vice president in Intel's client computing group.

"By doing so, the most common software based attacks that steal user credentials through viruses or malware are rendered ineffective. Intel delivers a secure PIN, a Bluetooth proximity factor with your Android or iPhone, a logical location factor with vPro systems, and fingerprint biometrics."

The operating system – so far Windows 7, 8 and 10 support Intel Authenticate – has to ask the firmware for a yes-or-no verdict before allowing the login. The OS isn't supposed to see the fingerprint or the PIN at all, so, in theory, they can't be stolen by code running inside the kernel or in user space.

If you can't log in – because you've lost your phone, say – the policy can optionally let you fall back to a password. The aim is to help employees who are bad at remembering complex passwords, and the IT support desks that have to do daily resets for them.
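To make the policy described above concrete, here is a small Python model of it. This is an added example for this article, not Intel's code and not a description of how Authenticate is actually implemented in the ME firmware: the factor names, the PIN and password values, the paired-phone identifier, the Bluetooth signal-strength threshold and the in-memory "enrolment store" are all constructed for illustration. The point it makes is the split the article describes: the firmware side holds the secrets and the rules, and the OS side only ever gets a True or False.

```python
"""Toy model of an Intel Authenticate-style login policy (illustrative, not Intel's code).

The 'firmware' side holds enrolment data and the policy; the 'OS' side only
ever receives a yes/no verdict. Every identifier, PIN, password and threshold
below is constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional


class Factor(Enum):
    PIN = auto()
    PHONE = auto()         # Bluetooth proximity of an enrolled phone
    FINGERPRINT = auto()
    PASSWORD = auto()      # optional fallback only, never part of a normal rule


@dataclass(frozen=True)
class Rule:
    corporate_network: Optional[bool]   # True/False selects a location; None = any
    required: frozenset                 # every listed factor must verify


@dataclass(frozen=True)
class Policy:
    rules: tuple
    password_fallback: bool = False


# The policy from the article: on the corporate network, phone + PIN suffice;
# anywhere else, phone + PIN + fingerprint are all needed.
ARTICLE_POLICY = Policy(
    rules=(
        Rule(True, frozenset({Factor.PHONE, Factor.PIN})),
        Rule(False, frozenset({Factor.PHONE, Factor.PIN, Factor.FINGERPRINT})),
    ),
    password_fallback=True,
)

_SALT = b"constructed-per-device-salt"   # hypothetical; a real device would hold its own


def _h(secret: str) -> bytes:
    """Salted, slow hash so the stored reference is not the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), _SALT, 10_000)


# Constructed enrolment data standing in for the ME's protected store.
ENROLLED = {
    Factor.PIN: _h("4821"),
    Factor.PASSWORD: _h("correct horse battery staple"),
    Factor.PHONE: "phone-id-7f3a",            # identifier of the paired handset
    Factor.FINGERPRINT: "fp-template-0001",   # matcher output, not a raw image
}
RSSI_THRESHOLD_DBM = -70   # constructed 'within range' cut-off


def _verify(factor: Factor, evidence) -> bool:
    """Check one presented factor against enrolment; never returns the reference value."""
    if evidence is None:
        return False
    if factor in (Factor.PIN, Factor.PASSWORD):
        # Constant-time compare of hashes, so a wrong guess leaks no timing info.
        return hmac.compare_digest(_h(evidence), ENROLLED[factor])
    if factor is Factor.PHONE:
        phone_id, rssi_dbm = evidence
        return phone_id == ENROLLED[Factor.PHONE] and rssi_dbm >= RSSI_THRESHOLD_DBM
    if factor is Factor.FINGERPRINT:
        return evidence == ENROLLED[Factor.FINGERPRINT]
    return False


def authenticate(policy: Policy, on_corporate_network: bool, evidence: dict) -> bool:
    """Firmware-side decision. The caller (the OS) gets only the verdict."""
    for rule in policy.rules:
        if rule.corporate_network is None or rule.corporate_network == on_corporate_network:
            if all(_verify(f, evidence.get(f)) for f in rule.required):
                return True
            break   # the first matching rule decides; never fall through to a laxer one
    # Optional fallback for a lost phone or a broken sensor.
    return policy.password_fallback and _verify(Factor.PASSWORD, evidence.get(Factor.PASSWORD))


if __name__ == "__main__":
    office = {Factor.PHONE: ("phone-id-7f3a", -55), Factor.PIN: "4821"}
    cafe = {**office, Factor.FINGERPRINT: "fp-template-0001"}
    print(authenticate(ARTICLE_POLICY, True, office))    # on-site: phone + PIN is enough
    print(authenticate(ARTICLE_POLICY, False, office))   # off-site: fingerprint missing
    print(authenticate(ARTICLE_POLICY, False, cafe))     # off-site: all three present
```

Two design points worth noting. Rules are ordered and the first one whose location predicate matches is the only one consulted; without the `break`, a user who fails the strict off-site rule would silently be re-tried against the lax on-site rule. And the password fallback sits outside the rule list, so an administrator can switch it off per policy rather than per rule.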

Under the hood

Intel Authenticate uses two firmware-level systems that give security researchers and privacy activists the heebie-jeebies: Intel's Management Engine (ME), and Intel's Active Management Technology (AMT), which itself runs on the ME. Both have been around for years, work below the operating system, and are mostly invisible to the layers of software above them. They are meant to let sysadmins control machines remotely, but offer other features too. AMT, for example, provides the network location detection that Intel Authenticate uses to tell whether the machine is on the corporate network.

The Management Engine built into the motherboard chipset provides the protected memory area for storing policies and the user's authentication data. Neither is allowed to leave that area, nor to be tampered with, unless you hold the right privileges. This is supposed to stop miscreants from setting lax policies or swiping people's login details.

This is why you need a firmware download to activate Intel Authenticate; the software runs only on vPro editions of Intel's new sixth-gen Core CPUs, aka the Skylake family. The Skylake vPro parts were announced this week.

This whole system appears to be an iteration of the two-factor authentication methods we've seen before in Chipzilla's business-friendly chips, such as the 2011 Sandy Bridge vPro parts, and the Broadwell vPro family in 2015. Back then, it was known as Intel Identity Protection Technology (IPT), which provided support for two-factor authentication, such as logging in with a username, password and hardware token, or a username, password and a one-time code sent to a smartphone.

Now, Intel's added Bluetooth and fingerprint-reader support, made it a bit more user-friendly, thrown in PIN codes, and voila. It might explain why these two press releases on the vPro series, a year apart, seem so similar.

We just hope nothing compromises the ME at the heart of Intel Authenticate, and that the operating system can't be subverted to bypass the mechanism: the OS only ever receives a yes-or-no answer, so a kernel-level compromise that ignores or fakes that answer is still a concern. Authenticate is a tool for IT admins more than anything else, rather than total protection from hackers.

Intel Authenticate is in preview mode: customers are invited to contact Intel so they can be helped through the process of installing the necessary middleware and firmware to use it. Chad Constant, Intel's director of business client marketing, told El Reg no date had been set for the lifting of this trial period, but said Intel's tech previews tend to last four to six months. ®

PS: You should update your Intel Driver Update utility before someone on your network hijacks your firmware downloads, and injects malicious code into your system.
