Intel Updates True Key App to Simplify Security
by Anton Shilov on March 10, 2016 12:00 PM EST
Intel Security, a wholly owned subsidiary of Intel (previously known as McAfee), has updated its True Key password manager application to tackle one of the most notorious issues with password managers: the inability to reset a forgotten master password. The new version of the app allows resetting the master password using other methods of authorization. The updated version will simplify password management and will further help Intel in its quest to “eliminate” passwords in general.
Since computing is getting increasingly mobile, security of personal devices is becoming increasingly important. As a major developer of PC platforms, Intel has created a number of sophisticated technologies that can improve security of computing devices. For example, Intel’s latest processors support AES-NI instructions that speed up encryption and decryption using the Advanced Encryption Standard (AES). In addition, select Intel platforms also support TXT (Trusted Execution Technology) and TPM (Trusted Platform Module) cryptoprocessors for enhanced security. While strong passwords and AES 256-bit encryption can generally help to make mobile gadgets more or less secure, it is not easy to remember many strong passwords consisting of letters and numbers. Meanwhile, if you use only one password and it leaks, your security fails completely. No matter how sophisticated the encryption or security technologies are, they become useless the moment passwords are compromised.
To make platform security technologies less vulnerable to the human factor, Intel and some other companies want to eliminate passwords and replace them with more robust methods of authentication, such as fingerprints, retina scans or facial recognition. In fact, thanks to technologies like Apple Touch ID and the Microsoft Windows Biometric Framework, the use of biometric authentication instead of passwords is increasing, as is the use of password managers to store passwords for applications that do not support biometric authentication.
Companies like IBM/Lenovo have offered password management for years with their ThinkVantage software, a proprietary program that only worked on their PCs. By contrast, Intel Security’s True Key password management application can work on various platforms; it is compatible with a variety of apps and can use different methods of authentication, including fingerprints, face, master password, trusted device, email and so on. For example, True Key can use Intel’s RealSense cameras to recognize a face for Windows logon as well as third-party fingerprint scanners (e.g., Apple’s Touch ID). True Key always uses at least two factors to identify a person, which generally enhances protection, and it uses AES 256-bit encryption as well as Intel Identity Protection Technology (IPT) where available.
Since all biometric technologies are vulnerable to spoofing to some degree, the True Key app allows biometric authentication only from the user’s own pre-selected trusted devices. Biometric templates (mathematical descriptions of biometric measurements) for server-based facial recognition authentication are stored on the True Key servers in encrypted form and are protected by a hardware security module (HSM). It should be noted that facial recognition is performed either completely in a server-based mode, or both on the user’s device and on the True Key servers.
Meanwhile, the master password is not stored on True Key servers or locally on any device. It is used to generate the so-called key encryption key (KEK) as well as the authentication token (AT) using a large number of rounds of the PBKDF2 key derivation function with HMAC-SHA512 and random salt values. The KEK is used to encrypt users’ passwords and wallet assets. The AT is used as one of the factors required to authenticate the user on the True Key servers.
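The derivation described above, sketched as an added example (not Intel's code): the KEK and the AT are both derived from the master password with PBKDF2-HMAC-SHA512, each under its own random salt. The iteration count, salt and key sizes, and the server record that holds only a hash of the AT are assumptions; the article does not specify them.

```python
import hashlib
import hmac
import os

# Assumed parameters: the article gives no iteration count, salt size or key size.
ITERATIONS = 100_000
SALT_LEN = 16
KEY_LEN = 32  # 256 bits, matching the AES-256 key size the article mentions


def derive(master_password: str, salt: bytes) -> bytes:
    """PBKDF2 with HMAC-SHA512 over the master password and a random salt."""
    return hashlib.pbkdf2_hmac(
        "sha512", master_password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_LEN
    )


def enroll(master_password: str):
    """Return (kek, server_record). The password and the KEK stay on the client."""
    kek_salt, at_salt = os.urandom(SALT_LEN), os.urandom(SALT_LEN)
    kek = derive(master_password, kek_salt)
    at = derive(master_password, at_salt)
    # Hypothetical server record: the salts plus a hash of the AT, so a leaked
    # record does not contain the token itself.
    record = {
        "kek_salt": kek_salt,
        "at_salt": at_salt,
        "at_verifier": hashlib.sha512(at).digest(),
    }
    return kek, record


def login(master_password: str, record: dict):
    """Re-derive the AT, check it in constant time, and return the KEK or None."""
    at = derive(master_password, record["at_salt"])
    if not hmac.compare_digest(hashlib.sha512(at).digest(), record["at_verifier"]):
        return None
    return derive(master_password, record["kek_salt"])


if __name__ == "__main__":
    kek, record = enroll("correct horse battery staple")  # constructed sample password
    print("KEK recovered:", login("correct horse battery staple", record) == kek)
    print("wrong password:", login("Tr0ub4dor&3", record))
```

Because the two salts differ, the AT sent to the server reveals nothing directly usable as the KEK, and enrolling the same password twice yields unrelated keys.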
The multi-factor authentication and the rather sophisticated master password make it very hard for perpetrators to access the data: there are simply too many combinations to crack by brute force, and even if someone manages to get the master password or crack the KEK and AT, they will also have to defeat another method of authorization. Whenever the master password is changed, True Key re-encrypts all data both locally and on servers. What is very important for many users is that Intel’s latest version of True Key can reset even the master password by verifying other unique factors, like the owner’s face and/or fingerprint, via a second device. So, even if you forget something, the application can relatively safely reset everything, which should simplify its usage for many people.
Intel’s True Key application supports Apple Mac OS X, Apple iOS, Google Android and Microsoft Windows operating systems as well as the Google Chrome, Microsoft Internet Explorer and Mozilla Firefox browsers (support for Apple Safari and Microsoft Edge is coming soon). The free version of the program supports up to 15 passwords; the premium version can store up to 2000 logins and passwords for $19.99 a year.
Source: Intel
22 Comments
blakflag - Thursday, March 10, 2016 - link
This is simplified? Like all automagical schemes it will work great until for some reason it doesn't recognize your biometrics, at which point you'll be SOL.
ddriver - Friday, March 11, 2016 - link
Also, despite the hype, biometrics are wildly insecure and easy to fake. You can pull off a voice, finger or retina print from someone unsuspecting, not so easy with a password. I hate to say it, but this whole biometrics fad has nothing to do with improving security, it has to do with mining and stockpiling biometrics data, and from the false pretext one can easily assume to no good purpose.
jameskatt - Friday, March 11, 2016 - link
If you use a hash rather than directly use biometric data - like Apple does with TouchID, then it would be harder to mine and stockpile biometric data.
ddriver - Friday, March 11, 2016 - link
So what do you imply? That the hashing happens on the user device and Apple never get a hold of the actual biometric data? I highly doubt that, or any claims about it. There is only one way to convince me - if Apple open-source their software and I see that this is what happens with my own eyes. But that will never happen... wonder why...
But hey, who knows, after all, Apple do seem to be overly concerned with the privacy of known terrorists, that means regular people are "even safer" right ;)
ddriver - Friday, March 11, 2016 - link
Also, I am extremely skeptical that Apple use a hash - see that's the thing about hashing - it works very well for digital data that is bit for bit accurate, but a fingerprint is an analogue source, and that will not produce the same binary result across different scans, and even if the difference is minuscule, the hash will be wildly different. So... no way Jose...
name99 - Friday, March 11, 2016 - link
Are you saying this based on real evidence, or based on watching lots of movies?
Because I am unaware of ANY actual device or installation that has ever been compromised in the way you suggest. There have been some notorious attempts, eg
http://news.bbc.co.uk/2/hi/asia-pacific/4396831.st...
but as far as I know, these attempts have likewise been motivated primarily by watching too many movies, and have not been successful.
ddriver - Friday, March 11, 2016 - link
Just last week it was reported that top tier phone makers' fingerprint readers can be fooled by fingerprint images, printed with regular inkjet with custom conductive ink. That real enough for you, or did you buy too much of the unsubstantiated hype about biometrics security?
name99 - Friday, March 11, 2016 - link
Yeah, we saw the same claims about latex fingerprint lifts when the iPhone 5S came out. And yet, three years later, I'm unaware of a single real-world exploitation of this fact.
Like I said, I'm interested in ACTUAL exploits, not theoretical supposed exploits.
ddriver - Friday, March 11, 2016 - link
The inkjet printed fingerprint has already been proven to work in practice, on Samsung and Huawei devices. That is an actual, factual, practical exploit.
In a world where the industry wants to convince of the preposterous, and the media is paid to repeat like a parrot, do you really expect the media to inform you of anything that would be imperative to their interests?
It is hilarious that you imply others' opinions are based on watching too many movies when your own opinion is based on watching too many ads and buying too much hype.
ddriver - Friday, March 11, 2016 - link
Also, stacking further evidence to your lack of competence, that link you submitted about "notorious attempts" to fake biometrics actually contains nothing about any attempts to do that. Next time when you post a link to substantiate your claim, you might want it to be a link that actually substantiates your claim.