Interview: Intel’s Richard Reiner on killing passwords gracefully
29 January 2015 14:54 GMT

Intel says the era where passwords were a viable mechanism for validating access to digital lives has ended.

By Craig Guthrie, deputy editor

US chipmaking giant Intel got aggressive with passwords in the latter half of last year, declaring a plan to “eliminate” them with biometrics, buying up management tool Passwordbox and then launching a partnership with German facial recognition experts Cognitec.

The launch of True Key at CES 2015 in January seemed a culmination of the moves. 

Using facial and voice recognition as a login for computers and devices to securely log on to multiple websites and online services, the solution is being launched to the wider public this year.

The chipmaker says there are a number of added security features under the hood – for example device and network authentication, as well as geolocation services and “best-of-grade” encryption.?

Intel also has an advantage over the numerous other firms offering biometric authentication for password management: Its hardware is embedded in some 80% of the world’s PC processors, and it can rely on the IT security know-how of its McAfee subsidiary.

But Intel doesn’t just envisage the world using True Key to login to all their tablets, PCs and social media networks – it also wants the tech linked to the Internet of Things and contactless technology so it can literally be used to open doors.

Richard Reiner, VP Technology at Safe Identity in Intel's Security Group and former president of PasswordBox, talked to Planet Biometrics about the underlying technology and potential of True Key. 

Why have Intel and Macafee focused on using biometric security features to replace passwords?

We believe that the era where passwords were a viable mechanism for validating access to digital lives has ended. Both on the internet and in the physical world, the password’s time is drawing to a close.

There might have been a time where people had one or two of them, but the average consumer now has many dozens. Some people we've surveyed say it would likely be easier to solve world peace than to remember all their logins.

There is a password crisis – but we have been developing solutions and True Key is the first iteration of those. 

Why have face and voice been chosen for authentication over other biometrics?

Firstly, True Key is an actually a multi-factor authentication product. In our initial release announced at CES there are six factors including the facial and voice checks you mentioned. There is also "out of band" swipe, hardware-backed device identification, and a master password system.

We are not saying that these are the six best authentication methods, or the best biometrics to use, but rather that this is a good set to start with because the hardware is very widely available. We will be adding more factors in the future as the technology develops and have included liveness detection.

What secure storage methods will the software use True Key to store templates – will templates be stored on the device or in a cloud?

There are some differences on a factor-by-factor basis and I don’t want to go too deeply into the details of that. What I will say is that we have end-to-end encryption, and a best-of-grade encryption system at all levels.

How do you envision the market for True Key?

This is very much a consumer product. We believe that billions of people will one day use this tool as their solution for getting the easiest and most secure access to everything in their digital world.

How do you think digital security will evolve in the coming years?

Well there have been an awful lot of security products proposed for consumers that perhaps offer good security but make life a lot harder. Our solution should make life much more convenient and more secure at the same time. The best way to do this is to be very intelligent about how you authenticate.

In many scenarios it is quite possible to authenticate the user, on whatever app or website they’re using, without them having to do anything at all. We know geographically where they are. They may have chosen to tell us which Wifi network they’re on at home. We know whether they’re on their own laptop or another device.

Apps can just be opened if you have an intelligent security policy engine, which is what we have in True Key. It understands a lot at lots of risk situations the user is in, examines what exactly is being accessed – such as is it e-commerce, social media or something higher up the security chain.

The product gauges what level of authentication is needed, and looks at what we already know – we have proof of hardware, we know that this particular user unlocks True Key with his or her face, and we know the network they generally use.

Stronger authentication will obviously needed for banking and ecommerce sites while others will need less. This is multi-factor authentication that takes into account the user’s preferences, what kind of resource they are accessing. The aim is to make life as easy and as secure as possible.

This can’t be done with only one factor or without the intelligence to combine many factors.

That is the vision – where we see it going. But we also want to adapt to the coming of IoT and wearables. Wearables can become factors, and the richness of devices with IoT gives us much more flexibility in how we implement True Key.

Does Intel’s presence in much of the world’s hardware give it an advantage in launching a biometric password manager?

Yes, one example is a technology that’s coming out in a family of Intel processors that is called Software Guard Extensions in SGX. This creates a secure container that runs on the CPU but that is completely protected from everything else on the operating system. This is a great place to do sensitive processing such as anything involving biometrics.

How would you envision the solution integrating with other biometric login systems such as Apple's TouchID?

This is very much a multi-platform solution, our initial limited released is supported on iOS, MacOS, Android and Windows and in the future, we’ll probably go broader than that. The way we have designed the product, people can take the best advantage of what they have available. Some mobile devices have some good security capabilities, and we’d make the best possible use of those including TouchID. We will integrate and make use of TouchID on iOS, on we’ll take best advantage of what the other platforms offer.

Related articles

Intel unveils True Key, a password manager using facial recognition
05/01/15
Intel and Cognitec ink deal on facial recognition tech
03/12/14
Intel touts plans to ‘eliminate passwords’ through biometrics
11/09/14