Graphics Cards: the Future of Online Authentication?

Gunkerty Jeb writes "Researchers working on the 'physically unclonable functions found in standard PC components (PUFFIN) project' announced last week that widely used graphics processors could be the next step in online authentication. The project seeks to find uniquely identifiable characteristics of hardware in common computers, mobile devices, laptops and consumer electronics. The researchers realized that apparently identical graphics processors are actually different in subtle, unforgeable ways. A piece of software developed by the researchers is capable of discerning these fine differences. The order of magnitude of these differences is so minute, in fact, that manufacturing equipment is incapable of manipulating or replicating them. Thus, the fine-grained manufacturing differences can act as a sort of a key to reliably distinguish each of the processors from one another. The implication of this discovery is that such differences can be used as physically unclonable features to securely link the graphics cards, and by extension, the computers in which they reside and the persons using them, to specific online accounts."

steal my pc to become me? I don't think so.

see subject.

What about people with a multiple machines ?

[SirGeek]

I have a home Linux machine, my wife's machine, my laptop and my work machine.

How can I share my authentication amongst them ?

Nice way to sugarcoat it

[Hentes]

Why not just admit that they've found the unbreakable DRM? Online authentication is a solved problem.

Re:Nice way to sugarcoat it

The order of magnitude of these differences is so minute, in fact, that manufacturing equipment is incapable of manipulating or replicating them.

Don't worry; if it's well-defined enough for software to use, it's well-defined enough to emulate.

There is no unbreakable DRM.

Why not use MAC address?

[aaaaaaargh!]

You can feed false information to the software that reads the characteristics of a graphics card just as you can fake an MAC address. I fail to see a substantial difference.

Re:This could go either way

[0racle]

I often buy my video cards second hand off ebay. I wonder who's accounts I'd be able to get into one day doing that.

Re:Doesn't matter if something gets in the middle

[viperidaenz]

... which is something explicitly mentioned in TFA.

The more difficult question to answer at this point, she said, is whether someone could use software to emulate the differences in behavior between graphical processing units. Lange said the key is finding a way to guarantee, in an authentication process, that the party attempting to authenticate a user is communicating with an actual GPU and not software attempting to replicate its behavior and uniqueness

Re:This could go either way

[mangobrain]

I was thinking the exact same things. Identifying the hardware is fundamentally different from identifying the person currently using it, and being able to state unequivocally that they are authorising whatever action is taking place. Plus, as you said, hardware gets upgraded. Even worse, though, is that hardware also fails; particularly high-end GPUs nearing the end of a life spent being slightly too hot. Unexpected hardware failure could leave users with no overlap in the usable life of old & new components, meaning they cannot log in to existing accounts in order to register the fingerprint of the new hardware. Also, unless there's a hidden cache of documents I'm missing somewhere, I can't find any details of what these "unclonable functions" actually are, just that they exist. Are they robust against simple replay attacks?

This all smells like a bad idea to me; something cooked up by a bunch of theorists with very little grounding in practicality. Not sure what part of this could be a "good thing", to be honest.

That makes sense.

[overshoot]

Every time I upgrade my graphics card, all of my games stop working.

I'm sure that there's something wrong with this, but I can't put my finger on it.

Re:Revocability of biometric identifiers

[Altrag]

That's why you have multiple methods:

- Something you have can be stolen.
- Something you know can be coerced from you, retrieved via social engineering (ie: knowing your mother's maiden name or whatever), or whatever else.
- Something you are can be duplicated by replicating you (or at least, the portion of you that the scanner cares about.)

Its still not perfect -- its entirely possible that somebody will just kidnap you while you've got your physical token on you -- that covers two of the three. And unless you're extremely stubborn and motivated, it probably wouldn't be hard to coerce most people's passwords either.

The easiest from a computer perspective is the password -- that's why its the most common/used.

Security tokens are rapidly becoming available for many systems (especially with the advent of cell phone authenticators since everybody already has a cell phone -- you don't need to purchase/obtain and carry around however many additional trinkets.)

Biometrics is harder. First of all, biometrics itself isn't extremely accurate. Its good enough to limit possibilities but for really secure applications, you still want a person to go in and confirm (or pick from a list, as in a police database search) to ensure that you've got a match. Not that people aren't fallible as well, but at least there's someone to blame.

Secondly, biometric scanners aren't all that common yet. If touch screens become high enough density then perhaps they could be used for fingerprint ID. Cameras are likely already good enough to be used for retinal scans, but it would require the user to position the camera at the correct angle and whatnot which is pretty implausible if they're just loosely holding it in front of them (that's why real retinal scanners, including your optometrist's tools, have headrests -- they keep your eyes in relatively the correct position while its scanning.)

So we've got one.. we're moving towards two.. I think three-tier authentication is a while away yet though.