How Intel Core chips and Lenovo PCs could take over two-factor authentication from your phone
Password manager Dashlane and PC maker Lenovo are among the first consumer-facing companies to take advantage of a little-known feature within Intel’s 8th-generation Core chips that could become much more popular: enabling two-factor authentication with just your PC, and not your phone.
What Intel calls Intel Online Connect (or, more generically, Universal Second Factor (U2F) authentication) lives within the 8th-generation Core architecture. Typically, two-factor authentication (2FA)—recommended for years as an additional security measure for email, online storage, and other data—required that a code be sent to your phone either via an app or SMS. Intel’s 8th-gen Core architecture and its associated software cuts out the need for a phone, simply requiring you to click a software “button” to authenticate the 2FA transaction.
Intel’s Online Connect improves on a related technology Intel introduced in its 7th-generation Core chips, known as Software Guard Extensions, or SGX. SGX is essentially a protected area within the chip for storing encryption keys. But only two services announced support for SGX: Dropbox and Duo Security, which announced proofs-of-concept earlier this year.
Lenovo is the first PC maker to announce support for Intel Online Connect in both some of its older as well as its more recent PCs. On Tuesday, Lenovo announced Intel Online Connect support for the Yoga 920, IdeaPad 720S, ThinkPad X1 Tablet (2nd generation), ThinkPad X1 Carbon (5th generation), ThinkPad Yoga 370, ThinkPad T570, ThinkPad P51s, ThinkPad T470s, ThinkPad X270 and ThinkPad X270s. Intel Online Connect can be either downloaded from the web directly, or will be made available via Lenovo System Update and Lenovo App Explorer on all supported Lenovo devices, the company said.
Why this matters: Breaking into your PC is bad enough—that’s why there’s Windows Hello, user PINs, and Windows passwords. With web services accessible from just about anywhere, however, there’s a need for a second layer of security to differentiate you from the bad guys. Two-factor authentication helps secure those online transactions; U2F promises to make them less of a hassle.
How U2F works within Intel’s Core chips
Once the 8th-generation Core chips ship, Dashlane will immediately be able to take advantage of the built-in technology and use U2F as an additional form of authentication, Allison Baker, the strategic partnerships manager for Dashlane, said. She confirmed that U2F will work with 8th-gen Core chips for consumers, and don’t require Intel’s vPro technology for businesses.
“You don’t need a phone or anything else,” besides a compatible Intel-based PC, Baker said.
The FIDO Alliance developed U2F as an open authentication standard, designed to help simplify two-factor authentication. For the purposes of registering with an online service like Dashlane, two “keys” are created: a public one, which is registered with the service itself, as well as a private one, which is stored within the Core chip on the client PC.
According to Dashlane’s Baker, the client’s private key signs an assertion that the service can verify as coming from the client PC. But the signature is only released after the user verifies his presence by clicking a button on the screen, displayed by Intel’s Online Connect middleware. Intel’s been busy working on PC security solutions for years; last year, Intel showed off its Authenticate technology, combining fingerprints, PIN, paired phones, and more.
According to a GIF Dashlane prepared to demonstrate the process, authenticating with Dashlane requires entering your password. Intel’s Online Connect will then find the security key. Sending it on its way requires clicking on a button that appears randomly within a separate window, within 15 seconds. That window uses what’s called Intel Protected Transaction Display technology, which actually generates the screen from within the Intel chip itself. The user sees the button; according to Intel, any man-in-the-middle attacker would merely see a blank, black box with no indication on where to click.
It appears, though, that U2F places more of an emphasis on the first line of security used to defend your PC: Windows Hello, a PIN, or a password. If an attacker were able to guess your PIN while you left your eighth-generation PC alone to buy a cup of coffee, they’d still need to know your Dashlane master password to log in. But with traditional two-factor, phone-based authentication, a service like Dashlane would also buzz your phone—which you might have in your pocket, alerting you that an attack was in progress.
In any event, though, services like Dashlane appear to be preparing to take advantage of the U2F capabilities built into Intel’s Core chips. Passwords used to be sufficient, but complex, hard-to-guess passwords can be a pain to use repeatedly. The challenge is to offer security without imposing too much of a burden on the user, and Intel and its partners appear to be zeroing in on quick, convenient security methods.
This story was updated at 11:40 AM on Oct. 24 to note that laptops and tablets from Lenovo now support the new Intel Online Connect technology.