The future of online user authentication is ... graphics cards?

October 01, 2012

Facebook
Twitter
Flipboard
LinkedIn

According to the European PUFFIN project, uniquely identifiable computer hardware, such as graphic cards, could be used for online user authentication applications (Photo: Shutterstock)

The anonymity of the internet is both a blessing and a curse. Not only does it make it easy to pretend you’re someone else and live out a harmless fantasy online, it also makes it relatively easy for someone else to pretend they’re you and run up a hefty credit card bill or the like with nothing but a few key pieces of personally identifiable information. European researchers propose a more secure form of online user authentication that uses common computer hardware to identify specific users.

The researchers from the “Physically unclonable functions found in standard PC components” (PUFFIN) project say that seemingly identical graphics processors commonly used for gaming actually contain unique “fingerprints” that allows them to be differentiated from each other. Known as a physical unclonable function (PUF), these minute and uncontrollable manufacturing differences can be detected by software, allowing a particular graphics card to be linked to a specific user account.

The PUFFIN researchers say that one of the advantages of using such a technique to help prevent online identity theft is that the extra security feature could be implemented on existing hardware and rolled out to users via a software update.

With potential benefits including online user authentication, the ability to encrypt disks without the need for users to remember long passwords, and the ability to protect valuable electronic components against counterfeiting, the researchers are now looking for similar manufacturing differences in other hardware, including CPUs, PCI connectors and mobile phones.

With a total budget of €1.3 million (approx. US$1.67 million), the PUFFIN project is due to run until February 2015.

Sources: Eindhoven University of Technology, PUFFIN

Tags

Facebook
Twitter
Flipboard
LinkedIn

Darren Quick

Darren's love of technology started in primary school with a Nintendo Game & Watch Donkey Kong (still functioning) and a Commodore VIC 20 computer (not still functioning). In high school he upgraded to a 286 PC, and he's been following Moore's law ever since. This love of technology continues as Managing Editor of New Atlas.

11 comments

piperTom October 1, 2012 09:53 AM

Whoa! That power glitch just fried my graphic card. I have a new one, but... what now?
Also, I need my info from my "smart phone." I don't think it has a graphics card, per se.
It's a nice thought: identifying the hardware, but not a substitute for identifying ME.

Roomie October 1, 2012 10:58 AM

I wonder what they been puffin? just kidding ;)
I had the exact same thought as piperTom, what happens with all my encrypted data if my GPU burns. I rather remember a password than depend on hardware not malfunctioning.
But one place I could see this being useful would be securing VPN connections for enterprise solutions. Where the security department at a company want to make sure that the connection comes from a specific computer.

Piotr Nalewajka October 1, 2012 03:21 PM

Great: They've stolen your laptop... your GPU-encrypted data is easily readable. What about spoofing your hardware data? Or intercept the function that does the calculations? Spoofing the PUFFING. There is always a way to break something like this, e.g. on virtualization level. Also: What is the main point of this? Authenticating hardware to the web page or application, rather than authenticating user. The only real (and kinda "safe") use is to differ if given computer is/can be logged to your account... still you can't throw out all the cookies and user/session information. @piperTom: smart phones have GPUs.

Wombat56 October 1, 2012 10:35 PM

Wow, it's also another way of breaching your on-line privacy and anonymity.
No matter how many proxys your connection goes through or if you've booted with a live Linux CD, your computer is indelibly marked.
All the authorities need is a separate web site like Google or Yahoo or Facebook that can identify you under your real identity, then link it back to your anonymous browsing..

Wombat56 October 2, 2012 02:55 AM

On second thoughts it's hard to see how this could work without having a program on your local computer to do the testing, either placed deliberately as some kind of ID app, or as malware.
In that case a clever user could disable it when required, but that doesn't help the rest of the poor low-tech slobs that make up most of the online population.

Synchro October 2, 2012 04:06 AM

So this is like the funky home-brew version of TPM? For all its faults, at least TPM is overt in what it's doing and has dedicated hardware to do it correctly, and doesn't rely on luck and random variation.

Michael José Martin October 2, 2012 09:36 AM

It's stupid. Enough said.

Suraj Jacob October 2, 2012 03:10 PM

Such a phenomenal waste of money! Give it to someone who can actually make some useful technology. In a world of multidevice users and cloud devices, going back to the single computer era is no way to go forward!

Expanded Viewpoint October 2, 2012 04:17 PM

Yeah, this idea is about as dumb as inventing an edible adhesive tape to hold your sandwich together. Who gets paid to come up with "ideas" like this, and more importantly, who is paying them??
Randy

skiburg October 2, 2012 08:10 PM

I expect it would be used as a secondary authentication. If your login is correct and the machine code matches, all good. If your login is correct but the machine code does not match, maybe you login was stolen, time to answer a security question.
Sounds good, makes sense.