Chipmaker Intel has teamed with security giant Symantec on technology that will enable Internet firms to add stronger authentication to their services.
Federal regulators have long mandated that banks provide more than just a username and password to secure consumers' bank accounts. A common way to improve security is for account holders to use one-time password (OTP) tokens, small devices that generate a seemingly random series of numbers. The customer enters the current six-digit number displayed on the device and the bank checks to make sure it matches the code the device should be generating.
For financial services, the cost of such tokens is the price of complying with regulations, but paying tens of dollars to equip customers with additional security is prohibitive for most Internet firms.
Now Intel hopes to raise the security across the board by lowering the cost for websites and other services to use two-factor authentication. The company's Identity Protection Technology builds a one-time password generator into Intel's core chip sets, allowing any device -- from a PC to a smartphone -- to generate a series of codes that can be used to add more security to both consumer and business applications.
"Because we are putting it in the firmware, we are able to put it into any platform that has a core processor," says Mike Reed, general manager of the Intel's Identity Protection Technology group.
Symantec's VeriSign Identity Protection credentials will be embedded into chip sets as well. "We are looking at ways to see how we can get strong authentication to more people," says Jeff Burstein, principal product manager for Symantec. "Rather than a targeted and narrow solution, we have tried to address the broadest possible market."
VASCO's DigiPass authentication system will also work with Intel's technology, the companies announced this week.
Two-factor authentication is not a panacea, however. Banks have already faced malware such as Zeus and SpyEye that focus on stealing money from accounts protected by one-time passwords. The small and medium-sized businesses targeted by Zeus have lost hundreds of millions of dollars.
The attack, known as man-in-the-browser, allows criminals to change the details of transactions on the fly -- sending $9,000 to a criminal's account, for example, instead of $200 to the electric company, as a business manager might see displayed in their browser.
Yet even with its weaknesses in high-value applications such as banking, an additional factor of authentication can help better secure Facebook, email, and other applications, says Symantec's Burstein.
"In many ways, it is shocking the number of applications that rely upon just a username and password," he says. "It is really about reaching that balance between security and usability."
This story, "Intel puts greater security in the chip set," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow InfoWorld.com on Twitter.