The future of online user authentication is ... graphics cards?
According to the European PUFFIN project, uniquely identifiable computer hardware, such as graphic cards, could be used for online user authentication applications (Photo: Shutterstock)
The anonymity of the internet is both a blessing and a curse. Not only does it make it easy to pretend you’re someone else and live out a harmless fantasy online, it also makes it relatively easy for someone else to pretend they’re you and run up a hefty credit card bill or the like with nothing but a few key pieces of personally identifiable information. European researchers propose a more secure form of online user authentication that uses common computer hardware to identify specific users.
The researchers from the “Physically unclonable functions found in standard PC components” (PUFFIN) project say that seemingly identical graphics processors commonly used for gaming actually contain unique “fingerprints” that allows them to be differentiated from each other. Known as a physical unclonable function (PUF), these minute and uncontrollable manufacturing differences can be detected by software, allowing a particular graphics card to be linked to a specific user account.
The PUFFIN researchers say that one of the advantages of using such a technique to help prevent online identity theft is that the extra security feature could be implemented on existing hardware and rolled out to users via a software update.
With potential benefits including online user authentication, the ability to encrypt disks without the need for users to remember long passwords, and the ability to protect valuable electronic components against counterfeiting, the researchers are now looking for similar manufacturing differences in other hardware, including CPUs, PCI connectors and mobile phones.
With a total budget of €1.3 million (approx. US$1.67 million), the PUFFIN project is due to run until February 2015.
Sources: Eindhoven University of Technology, PUFFIN
About the Author
Darren's love of technology started in primary school with a Nintendo Game & Watch Donkey Kong (still functioning) and a Commodore VIC 20 computer (not still functioning). In high school he upgraded to a 286 PC, and he's been following Moore's law ever since. This love of technology continued through a number of university courses and crappy jobs until 2008, when his interests found a home at Gizmag.
All articles by Darren Quick
Whoa! That power glitch just fried my graphic card. I have a new one, but... what now?
Also, I need my info from my "smart phone." I don't think it has a graphics card, per se.
It's a nice thought: identifying the hardware, but not a substitute for identifying ME.
I wonder what they been puffin? just kidding ;)
I had the exact same thought as piperTom, what happens with all my encrypted data if my GPU burns. I rather remember a password than depend on hardware not malfunctioning.
But one place I could see this being useful would be securing VPN connections for enterprise solutions. Where the security department at a company want to make sure that the connection comes from a specific computer.
Great: They've stolen your laptop... your GPU-encrypted data is easily readable.
What about spoofing your hardware data? Or intercept the function that does the calculations? Spoofing the PUFFING. There is always a way to break something like this, e.g. on virtualization level.
Also: What is the main point of this? Authenticating hardware to the web page or application, rather than authenticating user. The only real (and kinda "safe") use is to differ if given computer is/can be logged to your account... still you can't throw out all the cookies and user/session information.
@piperTom: smart phones have GPUs.
Wow, it's also another way of breaching your on-line privacy and anonymity.
No matter how many proxys your connection goes through or if you've booted with a live Linux CD, your computer is indelibly marked.
All the authorities need is a separate web site like Google or Yahoo or Facebook that can identify you under your real identity, then link it back to your anonymous browsing..
On second thoughts it's hard to see how this could work without having a program on your local computer to do the testing, either placed deliberately as some kind of ID app, or as malware.
In that case a clever user could disable it when required, but that doesn't help the rest of the poor low-tech slobs that make up most of the online population.
So this is like the funky home-brew version of TPM? For all its faults, at least TPM is overt in what it's doing and has dedicated hardware to do it correctly, and doesn't rely on luck and random variation.
Michael José Martin
Such a phenomenal waste of money! Give it to someone who can actually make some useful technology. In a world of multidevice users and cloud devices, going back to the single computer era is no way to go forward!
Yeah, this idea is about as dumb as inventing an edible adhesive tape to hold your sandwich together. Who gets paid to come up with "ideas" like this, and more importantly, who is paying them??
I expect it would be used as a secondary authentication. If your login is correct and the machine code matches, all good. If your login is correct but the machine code does not match, maybe you login was stolen, time to answer a security question.
Sounds good, makes sense.
Wow, so much negativity to such a great idea. It's a perfectly viable method for two-factor authentication, in which one supplies a password AND something else. This is a perfect "something else". Cost to end user? Zero dollars. No need to use a smart card, USB dongle, automated phone call, etc. which are in use now.
What happens if your graphics card dies? What happens if you forget your password? I tell you this, the latter is a lot more common than the former. The answer is the same, too: you re-authenticate in the same fashion.
Wombat, this could probably be implemented in a browser function that a website would query and the browser would ask you for permission, just like the new location function that will query a GPS if one is attached to the system (laptop or usually a smart phone).
The thing is, unless you're Oprah, no one cares about you and thus no one is trying to personally identify you. Data mining is a wonderful, amazing thing that gives God-like powers, but it deals with aggregates. A data miner doesn't care about an individual or even want to know their name. As Tim O'Reilly said recently, the privacy advocates are going about this the wrong way. There's too much data available, it's almost everywhere and increasing rapidly and trying to rein it all in is going to be impossible. The right way to go about things, he recommends, is to use the model of insider trading. People are allowed to know as much about what's going on inside companies as they want - they just can't act on it. Instead of focusing on the acquisition of information, privacy advocates should be focusing on curtailing ways in which it can be used.
Think about it: today I ran a few errands. My face was probably picked up on the traffic camera on my town's main street. I got gas and there was probably a gas station surveillance camera somewhere. I used a debit card at a store, so there's a record there now and with the bank and with the company that processed the transaction. I connected my media player to the store's wifi to check their website to see if they had a product I was looking for but couldn't find, so there's information in their router logs. I also checked out the inventory at a competing store, so they got that info too. I made one more store stop and again there was debit card activity and I'm sure there is footage too. Heck, I helped an old man load his heavy purchases into his car in the parking lot, so now he's seen my face and my fingerprints are all over his items. See? I was probably tracked in a lot more ways I can't even think of right now. You can't possibly reign all that information in. The best we can hope for is to regulate who that information can be shared with and how it can be used. Even if a company tried, there's probably no way they could operate in a modern society and scrub away all traces of my existence. They need purchase information to process returns, to store video footage in case of theft or robbery, etc.
Over 160,000 people receive our email newsletter
See the stories that matter in your inbox every morning