Intel's Secretive Hack-Proof Authentication Scheme Is Now Ready To Be Hacked

Last September, Intel announced the sixth generation of its processor core family, what the CPU giant then declared to be a "turning point in people's relationship with computers." In addition to a hardware-level optimization for the Windows 10 operating system, Intel promised half-second start-up times together with 2.5 times the processor speeds, three times the battery life, and 30 times the graphics performance of "computers many people currently own" (defined in the fine print as a five-year-old Windows 7 PC running on a Core i5 processor).

Less hyped in the September announcement, or omitted completely, were the new processors' security features, particularly a new hardware-level authentication feature known as Intel Authenticate Solution. This is a two- or three-factor user authentication system that Intel claims is unhackable thanks to its implementation in physical computing hardware rather than the computer's operating system, which is itself basically a big bunch of software.

Authenticate is still in development, but business users can preview and test the new features in PCs featuring the new processor architecture starting now, according to an Intel announcement.

That's cool and all, but it's curious that Authenticate went largely unmentioned until the new Intel chips actually hit the market on Tuesday.

The only mention of authentication on the 6th Gen Intel Core processor family's fact-sheet has to do with a Windows 10-specific camera integration and facial recognition scheme. EE Times went as far as to say that Intel, "left out the new hardware it had secretly installed to make business users secure with hardware authentication …"

"Secretly installed" might be a bit much as users couldn't actually buy the chips until Authenticate had been pitched as a feature. And, like a great many things that come packaged with new PCs, users are also free to ignore it.

But what is "it"? Two- or three-factor authentication. You probably use single-factor to protect your devices, where that factor is simply a password. Authenticate would add one or two additional walls, which would be up to the user (likely a business).

"It supports combining a variety of hardware-enhanced factors at the same time to validate a user's identity, including 'something you know' (such as a PIN); 'something you have' (such as a mobile phone); and 'something you are' (such as a fingerprint)," Intel's pitch goes. "You can tailor the combination of hardened identity factors based on what works best for your business."

So, it allows for a combination of biometrics, keys, passwords, certificates (like an SSL certificate), and tokens. Crucially, this stuff is stored within the actual hardware of the processor architecture. This is the interesting part.

What it means, according to Intel, is that security is handled externally to the operating system, at least in part. It protects users by keeping authentication away from users, which means keeping it away from hackers. I guess it'd be like being validated by some firmware, rather than Windows.

Here's the gist of the idea from an Intel white-paper:

Organizationally, it's a well-fortified bonus layer of security shielding a system at the boot-level. Here, underneath the operating system, is where some seriously dirty shit can be done by a hacker—pretty much anything that can be accomplished with root-level access (anything, really). The authentication factors are then what make it actually count.

"Authenticate is a new never before seem capability," Intel Business Client General Manager Tom Garrison told EE Times. "It allows IT [the information technology department of a business] to guarantee the authenticity of a user using two-, three- or more factors, making break-ins from stolen credentials virtually a thing of the past."