[cryptography] Your GPU's “Fingerprint” Could Lead to New Security Methods

Beryl Lusen koan at ghostwalker.com
Tue Oct 30 12:13:08 EDT 2012


On Tue, Oct 30, 2012 at 10:08:06AM +0100, Eugen Leitl wrote:
> 
> In the online world, a World of Warcraft account can be worth serious money.
> With such an incentive, malware is set to steal your WoW login and password,
> should you become infected. To protect an account, WoW users have the option
> of purchasing an authenticator for a minor fee of $6.50. Of course, if you
> lose the authenticator or if it breaks, poof! goes your game access.
> 
> Security veterans recognize this as two-factor authentication: a password and
> a separate, physical security device that the owner must have in their
> possession. While two-factor authentication can greatly increase your
> security, it also represents another point of vulnerability because you can
> always lose the device.
> 
> Researchers in Europe have come up with an alternative. Instead, your
> computer's graphics processor unit (GPU) would be the authenticator,
> identifying a user by tying him to his specific GPU.
>
</snip>

As someone who used to play WoW extensively and was in games development for quite a while, I wouldn't find this approach desirable either as a player or a developer for this sort of application.  What happens when I swap out my GPU for an upgrade?  What about players who play on multiple machines, or use their account at a friend's house?  If the key supplied by a GPU gets somehow compromised, don't I have to tell the user to buy another?  With authenticators I have none of these sorts of issues; moreover, I have a clear integration path for incorporating the technology, and a simple, well-defined customer service path - they offer much more of a "whole product" solution.  Taking a step back from WoW and looking at the larger social-mobile trend you see the same sorts of problems; as a user I want secure access from any manner of devices that may change on a frequent basis, and as a developer/operator I want a simple, secure way to manage that.

I'm not saying there isn't utility in such an approach as is proposed, only that it seems to me such utility is predicated on an environment where you supply and control the user's hardware and may dictate the user's workflow.  An example along these lines would serve better than citing WoW.

-Beryl 


