In the quest for the best way to prevent internet “baddies” from getting hold of your important private information, researchers from the “Physically unclonable functions found in standard PC components” (PUFFIN) project have discovered that certain functions performed by your PC are unique to your PC, meaning that if these functions can be recorded and saved, they could potentially be used to replace standard login prompts. They would essentially function as a computer “fingerprint.” By using these specific processes, you can link accounts directly to the computer that is used to access them. This would be great for institutions where employees should only have access from their work machines when accessing shared folders and internal network locations. As good as this method sounds, it is not a catch-all and has some inherent problems that will need to be addressed before the technology can be implemented.
The 1st issue that comes to mind is a user with multiple devices that all need to connect to one account. If the website in question is only configured to be accessible from one machine, then the user is tied to that machine. There are two potential solutions to this: have an account that stores the fingerprints from these satellite devices and is only accessible from one “main” or “base” computer, or somehow associate all of these devices with the website or network resource in question.
The 2nd issue is physical theft. If the only authentication that the resource is looking for is the “unclonable functions,” anyone who has physical access to the device will be able to access the potentially private information. I think this is the biggest problem that PUFFIN faces. There would need to be a way to disable the authentication remotely with another linked device. Any other method would face the same hardships as our current methods of verification.
The 3rd issue that I thought of is upgrading or changing hardware. If a user has set their websites to authenticate based on the “unclonable functions” of their RAM, and then decides to upgrade their RAM, there won't be any way to access those websites. This issue is of most concern for machines that break. Even if there was a way to allow for upgrades, you would still need to authenticate somehow. If the machine that authenticates is broken, then the user is stuck in the mud. A way around this is having a call center or customer support service that can reset these authentications, but this will succumb to the original issues that a standard username and password faced.
I think this is a good concept that will require more research and thought on certain issues. If all of these bugs are resolved in some way to create either a hybrid authentication (user/pass and hardware fingerprint) or a straight hardware-based authentication, this system could be very secure and robust. But in its current form, there are too many issues that turn this potentially successful authentication system into one that has the same problems as our current systems.
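
The hybrid scheme and the fixes suggested above (satellite devices enrolled from a base computer, remote disabling from another linked device), as an added Python example that is not from the PUFFIN project or this post's author. It assumes each machine can turn its hardware fingerprint into a stable secret key, modelled here by random bytes; the `Account` class and all names are hypothetical.

```python
import hashlib, hmac, os

def device_respond(device_key: bytes, challenge: bytes) -> bytes:
    # Client side. device_key stands in for a stable key derived from the PUF (assumption).
    return hmac.new(device_key, challenge, hashlib.sha256).digest()

class Account:
    def __init__(self, password: str, base_id: str, base_key: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = self._kdf(password)
        self.base_id = base_id
        self.devices = {base_id: base_key}   # device_id -> enrolled key
        self.revoked = set()

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password, device_id, challenge, response) -> bool:
        key = self.devices.get(device_id)
        if key is None or device_id in self.revoked:
            return False
        device_ok = hmac.compare_digest(device_respond(key, challenge), response)
        pw_ok = hmac.compare_digest(self.pw_hash, self._kdf(password))
        return device_ok and pw_ok           # hybrid: both factors required

    def enroll(self, password, challenge, base_response, new_id, new_key) -> bool:
        # Satellite devices are added only from an authenticated base computer.
        if not self.login(password, self.base_id, challenge, base_response):
            return False
        self.devices[new_id] = new_key
        return True

    def revoke(self, password, acting_id, challenge, response, target_id) -> bool:
        # Remote disable: must come from a *different* linked device that still logs in.
        if acting_id == target_id or target_id not in self.devices:
            return False
        if not self.login(password, acting_id, challenge, response):
            return False
        self.revoked.add(target_id)
        return True

def demo() -> dict:
    laptop, phone = os.urandom(32), os.urandom(32)   # constructed sample keys
    acct = Account("correct horse", "laptop", laptop)
    c = os.urandom(32)   # reused for brevity; a server issues a fresh challenge per attempt
    out = {"enroll": acct.enroll("correct horse", c, device_respond(laptop, c), "phone", phone)}
    out["thief_no_password"] = acct.login("guess", "laptop", c, device_respond(laptop, c))
    out["revoke"] = acct.revoke("correct horse", "phone", c, device_respond(phone, c), "laptop")
    out["laptop_after_revoke"] = acct.login("correct horse", "laptop", c, device_respond(laptop, c))
    out["phone_still_ok"] = acct.login("correct horse", "phone", c, device_respond(phone, c))
    return out
```

The broken-machine case from the third issue stays open here: if the only enrolled device fails, nothing in this model can enroll a replacement, which is the recovery gap the post describes.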