Dark Reading recently published an interesting perspective from the esteemed Dr. Taher Elgamal on “silent authentication” services, which offer us the potential for single-password access to our multiple online user accounts.
Elgamal, who invented the Secure Sockets Layer (SSL) cryptographic protocol that provided early security over the Internet, recalls the “old days” of just a few decades ago when we simply logged onto the Internet once and accessed its many resources.
Today, by contrast, we must instead remember multiple credentials in order to access different accounts with Amazon or Netflix, as well as our banking, investment or bill pay services. This inconvenience has spawned several online services that allow users to access participating websites through a single login.
Elgamal improves on this by suggesting that the Internet “remember” a user’s login. That way, sites can embed an interface to an Internet service that confirms a user on a particular device is the same user who always signs on from that device.
I’m all for convenience, but it’s possible to do Dr. Elgamal’s suggestion one better and recommend an approach wherein the user’s device becomes a multiuse, multifactor token. This authentication framework is already embedded on more than 600 million PCs today in the form of the Trusted Platform Module (TPM).
The TPM can hold not one but dozens if not hundreds of discrete silent authentication credentials in tamper-resistant hardware. That means every site could be assigned its own credential – all accessed through a single device with a single password.
There are different models in which this approach may be applied. In one, nothing is required of the user; when a website asks, the TPM simply performs the authentication ceremony. Alternatively, a PIN might be required every time a website requests an authentication ceremony. A third model might require entry of the PIN only once – when the machine is turned on.
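To make the three models concrete, here is an added example (not code from the post, the TCG, or any TPM stack) that uses plain software Ed25519 keys as a stand-in for TPM-held keys: one fresh key per site, all gated by a single PIN under a selectable policy. The site names, PINs and nonce are constructed for the illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
)
// PinPolicy is one of the three ceremony models described in the post.
type PinPolicy int
const (
	NoPin         PinPolicy = iota // token answers silently, no user action
	PinEveryUse                    // PIN required on every authentication ceremony
	PinOnceAtBoot                  // PIN once after power-on, silent thereafter
)

// DeviceToken is a constructed stand-in for the TPM: many site-specific keys behind one PIN.
type DeviceToken struct {
	policy   PinPolicy
	pinHash  [32]byte // a real token would also rate-limit PIN guesses
	unlocked bool     // set once a PIN has been accepted (PinOnceAtBoot)
	keys     map[string]ed25519.PrivateKey
}
func NewDeviceToken(policy PinPolicy, pin string) *DeviceToken {
	return &DeviceToken{policy: policy, pinHash: sha256.Sum256([]byte(pin)),
		keys: map[string]ed25519.PrivateKey{}}
}

// Register mints a fresh key per site and returns only the public half; the site stores it for ed25519.Verify.
func (t *DeviceToken) Register(site string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		return nil, err
	}
	t.keys[site] = priv
	return pub, nil
}

// Authenticate enforces the PIN policy, then signs the site's challenge with that site's own key.
// The private key never leaves the token; the site only ever sees a signature over its nonce.
func (t *DeviceToken) Authenticate(site string, challenge []byte, pin string) ([]byte, error) {
	priv, ok := t.keys[site]
	if !ok {
		return nil, errors.New("site not registered on this device")
	}
	needPin := t.policy == PinEveryUse || (t.policy == PinOnceAtBoot && !t.unlocked)
	if needPin && sha256.Sum256([]byte(pin)) != t.pinHash {
		return nil, errors.New("PIN rejected")
	}
	t.unlocked = true
	return ed25519.Sign(priv, challenge), nil
}
```

Because each site holds a different public key, a signature minted for one site verifies nowhere else, which is the privacy property the post contrasts with a central "silent authentication" middleman.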
This is all far simpler than relying on an Internet authentication service to serve as middleman, and far more private. It’s far easier for users to trust their device than an online service that says, “We know everything you do every day, but we are trustworthy.”
The future of authentication is that we’ll log into a device, which will then securely and privately log us into everything. In this future, when we register a service to one device, all of our devices will add the same key. With at least $2 billion already invested in the TPM’s open-industry standard, trusted computing has already built a very solid foundation to achieve this goal. But there is still work to do.
Although TPMs are onboard the majority of PCs today, they largely remain an untapped model for authentication on Internet sites. It is time for major online providers such as Google, CITI and Facebook to consider the power of TPMs as an authentication method. Perhaps 600 million secure customers are not enough for them. Meanwhile, as both the mobile industry and consumer devices are adding TPMs, I am sure that someone will unlock the value of a billion happy customers.