How the Ubisoft hack shows the password model is weak, and why device-based authentication is the answer
Just over a week ago game maker Ubisoft revealed that hackers had breached its database and accessed customer information including usernames, email addresses, and passwords. This is the latest in a series of hacks revealing that the outdated password authentication model is weak and does not provide adequate security for user information.
It’s time for a network architecture that considers new access models -- including the device itself. We need a shift to device-based authentication that provides the same added security, but is completely transparent to the user. The cable industry has used this model for years, assigning cable boxes a unique identity so that users do not need to enter a password to change the channel (since the service is delivered to the box, not the user). Applied to computing, device-based authentication means that even if a hacker steals your password, they still need your device to log into the website. The foundations of this model are already in place, but there is still work to do.
Device Identity -- The Network of Known Devices, Not Physical Connections
At the heart of this new network architecture is the identity of the device. Device identity enables a new control model on the network, based on the identity of endpoint devices rather than on physical connection to a network.
The first step is to register the device. This registration provides the foundation for specific, granular controls. A 'network' is no longer a physical communications medium, but rather a network of devices that know enough about one another to engage in transactions together. A device can belong to multiple identity networks. Applications provide isolation between these identity networks, so that participation in each such network is private with respect to other networks.
Device identity and attributes are the foundation for asserting device capabilities. Both identity and these other device attributes can be asserted with varying degrees of assurance, ranging from very low assurance, as is provided by most security technologies today, to almost mathematically certain assurance, as is demonstrable for self-encrypting drives (SEDs) or device identity.
The Trusted Platform Module (TPM), a security chip embedded into the motherboard of a PC, provides the foundation for a tamper-resistant identity in over 600 million devices. The TPM also provides standard methods to prove that the capabilities of the machine are measured and can be assured to be isolated.
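The login model described above (a registered device must answer a server challenge in addition to the password, and each application sees only its own identity network) can be shown end to end in a short simulation. The following Go program is an added example written for this page; it is not code from Ubisoft, Wave Systems or any TPM library. The in-memory Ed25519 key stands in for a key that a real TPM would generate and never release, and the server, account and network names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Device simulates an endpoint with a hardware-protected identity key.
// In a real deployment the private key never leaves the TPM; here it is
// held in memory purely for illustration (constructed example, not TPM code).
type Device struct {
	keys map[string]ed25519.PrivateKey // one key per identity network (application)
}

func NewDevice() *Device { return &Device{keys: map[string]ed25519.PrivateKey{}} }

// Enroll creates a fresh key pair for the named identity network and returns
// the public half for registration. A separate key per network is what keeps
// the device's participation in one network private from the others.
func (d *Device) Enroll(network string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	d.keys[network] = priv
	return pub
}

// Sign answers a server challenge for one network. The signed message binds
// the network name, so an answer for one application cannot be reused at another.
func (d *Device) Sign(network string, challenge []byte) ([]byte, error) {
	priv, ok := d.keys[network]
	if !ok {
		return nil, errors.New("device not enrolled in this network")
	}
	return ed25519.Sign(priv, append([]byte(network+"|"), challenge...)), nil
}

type account struct {
	pwHash  [32]byte            // placeholder; production code uses a slow password hash
	devices []ed25519.PublicKey // registered device identities for this user
}

// Server is one application's identity network: it knows its users' password
// hashes and the public keys of the devices they registered.
type Server struct {
	network  string
	accounts map[string]*account
	pending  map[string]bool // challenges issued but not yet consumed
}

func NewServer(network string) *Server {
	return &Server{network: network, accounts: map[string]*account{}, pending: map[string]bool{}}
}

// Register stores the password hash (first time only) and adds a device key.
func (s *Server) Register(user, password string, devPub ed25519.PublicKey) {
	a, ok := s.accounts[user]
	if !ok {
		a = &account{pwHash: sha256.Sum256([]byte(password))}
		s.accounts[user] = a
	}
	a.devices = append(a.devices, devPub)
}

// Challenge issues a fresh random nonce and remembers it so it can be answered once.
func (s *Server) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	s.pending[string(c)] = true
	return c
}

// Login succeeds only if the challenge is live, the password matches, and a
// registered device signed this server's challenge for this network.
func (s *Server) Login(user, password string, challenge, sig []byte) bool {
	a, ok := s.accounts[user]
	if !ok || !s.pending[string(challenge)] {
		return false
	}
	delete(s.pending, string(challenge)) // burn the nonce: no replays
	h := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(h[:], a.pwHash[:]) != 1 {
		return false
	}
	msg := append([]byte(s.network+"|"), challenge...)
	for _, pub := range a.devices {
		if ed25519.Verify(pub, msg, sig) {
			return true
		}
	}
	return false
}

func main() {
	dev := NewDevice()
	shop := NewServer("game-store")
	shop.Register("alice", "hunter2", dev.Enroll("game-store"))

	// Normal login: password plus a signature from the registered device.
	c := shop.Challenge()
	sig, _ := dev.Sign("game-store", c)
	fmt.Println("registered device + password:", shop.Login("alice", "hunter2", c, sig))

	// A stolen password alone: the attacker's own device is not registered.
	c = shop.Challenge()
	stranger := NewDevice()
	stranger.Enroll("game-store")
	sig, _ = stranger.Sign("game-store", c)
	fmt.Println("stolen password, unregistered device:", shop.Login("alice", "hunter2", c, sig))
}
```

The isolation between identity networks comes from the device, not the server: it keeps a distinct key per application, so a signature produced for one network is meaningless to another, and the server's nonce bookkeeping makes each challenge single-use.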
Device identity is one of the best investments any enterprise can make. The TPM is easy to acquire because it is already built into the computing platform. The critical factor is beginning to use the technology and take advantage of the infosecurity industry’s investment in open standards for device identity. The potential for return on this investment has been clearly demonstrated by the global growth of cellular, cable, satellite and Apple -- all of whom have chosen device identity as their security foundation and have a model with lower costs to manage a device.
Yet enterprise information technology has been stuck investing in costly multi-layered user credentials with minimal returns so far -- either in cost control or reliable security. Access to the modern network will no longer be decided by which username/password pair is presented, but by the identity of the device (and sometimes the user). The experience of Voice-over-IP phones, a device-identity-based network, has already shown that this approach saves money.
Leverage and Protect the Already-Massive Deployment
The standards to enable the modern device-centric network are well established and broadly available. Trusted computing now has over $3 billion invested in the technology and deployment of the device-centric network. Leveraging this investment provides the instant returns that most enterprises seek, but there is still work to do.
Trusted device identity will make a safer and easier internet. With the TPMs built into nearly all PCs and the trusted elements found in many smartphones, the tools are there. The critical factor is beginning to use the technology and take advantage of the industry’s investment in these open standards for device identity. The potential for return on this investment has been clearly demonstrated by the global growth of cellular, cable, satellite and Apple -- all of whom have chosen device identity as the foundation of their services. It’s time to catch up. Let users log in to their devices and their devices log in to their world.
Michael Sprague is Vice President of Web Services at Wave Systems Corp., where he has pioneered the company's evolution into online and mobile services. He was previously President and Chief Operating Officer of Wavexpress. Prior to joining Wavexpress, Mr. Sprague was the Systems Architect for Wave, where he was responsible for navigating the company through its transition onto the Internet and into new media technologies. Mr. Sprague started his career with Enterprise Engineering, where he was instrumental in the redesign and architecture of global banking infrastructure for clients including Citibank, Fidelity and J.P. Morgan. Mr. Sprague studied computer science at the University of Chicago.