The future of online user authentication is ... graphics cards?
The anonymity of the internet is both a blessing and a curse. Not only does it make it easy to pretend you’re someone else and live out a harmless fantasy online, it also makes it relatively easy for someone else to pretend they’re you and run up a hefty credit card bill or the like with nothing but a few key pieces of personally identifiable information. European researchers propose a more secure form of online user authentication that uses common computer hardware to identify specific users.
The researchers from the “Physically unclonable functions found in standard PC components” (PUFFIN) project say that seemingly identical graphics processors commonly used for gaming actually contain unique “fingerprints” that allows them to be differentiated from each other. Known as a physical unclonable function (PUF), these minute and uncontrollable manufacturing differences can be detected by software, allowing a particular graphics card to be linked to a specific user account.
The PUFFIN researchers say that one of the advantages of using such a technique to help prevent online identity theft is that the extra security feature could be implemented on existing hardware and rolled out to users via a software update.
With potential benefits including online user authentication, the ability to encrypt disks without the need for users to remember long passwords, and the ability to protect valuable electronic components against counterfeiting, the researchers are now looking for similar manufacturing differences in other hardware, including CPUs, PCI connectors and mobile phones.
With a total budget of €1.3 million (approx. US$1.67 million), the PUFFIN project is due to run until February 2015.
Sources: Eindhoven University of Technology, PUFFIN
Please keep comments to less than 150 words. No abusive material or spam will be published.
Also, I need my info from my "smart phone." I don't think it has a graphics card, per se.
It's a nice thought: identifying the hardware, but not a substitute for identifying ME.
I had the exact same thought as piperTom, what happens with all my encrypted data if my GPU burns. I rather remember a password than depend on hardware not malfunctioning.
But one place I could see this being useful would be securing VPN connections for enterprise solutions. Where the security department at a company want to make sure that the connection comes from a specific computer.
No matter how many proxys your connection goes through or if you've booted with a live Linux CD, your computer is indelibly marked.
All the authorities need is a separate web site like Google or Yahoo or Facebook that can identify you under your real identity, then link it back to your anonymous browsing..
In that case a clever user could disable it when required, but that doesn't help the rest of the poor low-tech slobs that make up most of the online population.
Sounds good, makes sense.