
Graphics Cards: the Future of Online Authentication?

Gunkerty Jeb writes "Researchers working on the 'physically unclonable functions found in standard PC components (PUFFIN) project' announced last week that widely used graphics processors could be the next step in online authentication. The project seeks to find uniquely identifiable characteristics of hardware in common computers, mobile devices, laptops and consumer electronics. The researchers realized that apparently identical graphics processors are actually different in subtle, unforgeable ways. A piece of software developed by the researchers is capable of discerning these fine differences. The order of magnitude of these differences is so minute, in fact, that manufacturing equipment is incapable of manipulating or replicating them. Thus, the fine-grained manufacturing differences can act as a sort of a key to reliably distinguish each of the processors from one another. The implication of this discovery is that such differences can be used as physically unclonable features to securely link the graphics cards, and by extension, the computers in which they reside and the persons using them, to specific online accounts."

  • by SGDarkKnight ( 253157 ) on Tuesday October 02, 2012 @05:00PM (#41530843)

    I could see this being a good thing, and a bad thing. If online accounts are using hardware to determine the user account, what's to stop someone from just "borrowing" your hardware and connecting to your account? Sure, they could still have user names, passwords and such as backup, but then what would be the point of doing the hardware authentication? Plus how much of a pain in the ass would it be to upgrade your computer and notify the online account to expect changes in your hardware for the next time you login?

    Bah, I think I'm rambling now... need coffee... or beer... beer sounds better

  • by Anonymous Coward on Tuesday October 02, 2012 @05:07PM (#41530949)

    If this fingerprint is orders of magnitude beneath manufacturing controls, are the researchers sure that it persists over long time frames?

    Will that graphics card have the same fingerprint the first day it is purchased as it does 2 years later after putting in hundreds of hours at high temperatures playing accelerated games?

  • by sumdumass ( 711423 ) on Tuesday October 02, 2012 @05:07PM (#41530955) Journal

    Or how much of a pain would it be for me to clone your hardware uniqueness and impose it into a virtual machine with software representing hardware?

    Now instead of tricking you into installing malware, I just need to convince you to create an account.

  • by sexconker ( 1179573 ) on Tuesday October 02, 2012 @05:43PM (#41531389)

    Not entirely true. Good security is based on 3 things:

      - something only you have (your graphics card, a physical key)

      - something only you know (a password)

      - something only you are (biometrics, typing patterns)

    As it stands today you usually have one of those things, the password. Adding in something difficult to spoof as the summary suggests is an improvement. So now you have to have a password and a graphics card with certain flaws.

    I agree with your sentiments though. This is an interesting idea but seems awkward to implement.

    From the perspective of the one doing the verification, that's something you know, something you know, and something you know.
    Nobody comes out and physically inspects your graphics card or looks at your thumb print or asks you to present a key fob.
    They all ask for the numbers programs or devices output. Keyfobs generate a specific code at a given time. Biometric scanners generate a hash given a specific input or any similar input. This GPU scanning program will do the same. These things are hard for an attacker to know, but they're not much better than a password. Someone can know your GPU fingerprint, your retina scan, or your keyfob's info in the verifier's database in much the same way they can know your password. Your shit gets hacked, the verifier's shit gets hacked, someone attacks you locally, someone is MITMing your ass, etc.

    Good security is based on 1 thing: A human physically inspecting another human for each and every access request.

    We don't have good security policies on the internet. We have very good security policies wherever rich and powerful people give a shit - bank vaults, nuclear missile silos, celebrity weddings. Good security is not possible on the internet because people refuse to pay or wait.
    For most users, it goes like this (most important to least important): Cost, convenience, ability to spy on the ex or that bitch whore Tammy, peace of mind, weather bug and desktop buddies, security.

  • by kent.dickey ( 685796 ) on Tuesday October 02, 2012 @07:02PM (#41532095)

    The WPI report confirms what most everyone suspects: Reading from an uninitialized SRAM returns mostly noise, about 50/50 (but not exactly) 1's and 0's, and highly dependent on temperature. I think what they're saying is something like "Look at uninitialized memory, whose values are apparently random 1's and 0's, and somehow compute a unique fingerprint that is stable for this device, but different from all other devices". I'm not sure that's actually possible. I can't think of anything on chips that would produce "random"-looking data and which wasn't highly temperature dependent.

    Even if a clever algorithm could "fingerprint" an SRAM device, others have already pointed out all the ways to break this. It's simply a slightly more complex MAC address, and will likely be easy to effectively clone. It's like printing a password on paper in special red ink that only you have, and then saying no one can log in to your system (by typing the password) since they can't replicate that red ink. Umm, the special red ink is a red herring. All you need is the password.

    I don't think there's really anything here. There are no details at the PUFFIN site.
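
An added example, not part of the original thread and not the PUFFIN project's software: a toy simulation of the scheme debated in the two comments above, with a noisy power-up readout turned into a reference by majority vote and checked by Hamming distance, and the same check applied to a copied readout. The cell model (a fixed preferred bit per cell, a constructed flip probability, no temperature effect), the region size and the threshold are all assumptions.

```python
import random

N_CELLS = 1024      # constructed size of the memory region being read
THRESHOLD = 0.30    # assumed accept threshold: fraction of differing bits

def make_device(seed):
    """Toy device: each cell has a preferred power-up bit and a flip probability."""
    rng = random.Random(seed)
    return [(rng.getrandbits(1), rng.uniform(0.0, 0.3)) for _ in range(N_CELLS)]

def power_up_read(device, rng):
    """One noisy readout: each cell shows its preferred bit unless it flips."""
    return [bit ^ (rng.random() < p_flip) for bit, p_flip in device]

def enroll(device, rng, reads=9):
    """Majority-vote several readouts to get a reference fingerprint."""
    samples = [power_up_read(device, rng) for _ in range(reads)]
    return [int(sum(col) * 2 > reads) for col in zip(*samples)]

def distance(a, b):
    """Fractional Hamming distance between two bit lists."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def verify(reference, submitted):
    """Verifier side: it only ever sees submitted bits, never the hardware."""
    return distance(reference, submitted) < THRESHOLD

def demo():
    rng = random.Random(2012)
    card_a, card_b = make_device(1), make_device(2)
    ref_a = enroll(card_a, rng)
    fresh_a = power_up_read(card_a, rng)
    fresh_b = power_up_read(card_b, rng)
    replayed = list(fresh_a)  # the same numbers, submitted without the card
    return {
        "same_card": verify(ref_a, fresh_a),
        "other_card": verify(ref_a, fresh_b),
        "replayed_readout": verify(ref_a, replayed),
        "d_same": distance(ref_a, fresh_a),
        "d_other": distance(ref_a, fresh_b),
    }

if __name__ == "__main__":
    print(demo())
```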

  • fingerprints (Score:4, Interesting)

    by PopeRatzo ( 965947 ) on Tuesday October 02, 2012 @07:44PM (#41532463) Journal

    Why is the first thing I thought about when I read this "another way for the MPAA/RIAA to track down copyright violators so they can send drone strikes"?
