Using physical computer hardware in place of passwords



In the quest for the best way to prevent internet “baddies” from getting hold of your important private information, researchers from the “Physically unclonable functions found in standard PC components” (PUFFIN) project have discovered that certain functions performed by your PC are unique to your PC, meaning that if these functions can be recorded and saved, they could potentially be used to replace standard login prompts. They would essentially function as a computer “fingerprint.” By using these specific processes, you can link accounts directly to the computer that is used to access them. This would be great for institutions whose employees should only be able to access shared folders and internal network locations from their work machines. As good as this method sounds, it is not a catch-all and has some inherent problems that will need to be addressed before the technology can be implemented.

The 1st issue that comes to mind is a user who has multiple devices that all need to connect to one account. If the website in question is only configured to be accessible from one machine, then the user is tied to that machine. There are two potential solutions to this: have an account that stores the fingerprints from these satellite devices and is only accessible from one “main” or “base” computer, or somehow associate all of these devices with the website or network resource in question.

The 2nd issue is physical theft. If the only authentication that the resource is looking for is the “Unclonable Functions,” anyone who has physical access to the device will be able to access the potentially private information. I think this is the biggest problem that PUFFIN faces. There would need to be a way to disable the authentication remotely with another linked device. Any other method would face the same hardships as our current methods of verification.

The 3rd issue that I thought of is upgrading or changing hardware. If a user has set their websites to authenticate based on the “Unclonable Functions” of their RAM, and then decides to upgrade their RAM, there won’t be any way to access those websites. This issue is of most concern for machines that break. Even if there was a way to allow for upgrades, you would still need to authenticate somehow. If the machine that authenticates is broken, then the user is stuck in the mud. A way around this is having a call center or customer support service that can reset these authentications, but this will succumb to the original issues that a standard user name and password faced.

I think this is a good concept that will require more research and thought on certain issues. If all of these bugs are resolved in some way to create either a hybrid authentication (user/pass and hardware fingerprint) or a straight hardware-based authentication, this system could be very secure and robust, but in its current form, there are too many issues that turn this potentially successful authentication system into one that has the same problems as our current systems.
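The hybrid scheme suggested above (password plus hardware fingerprint), combined with the multi-device and remote-disable ideas from the first two issues, sketched as an added example that is not part of the original post or the PUFFIN project. The class and method names are hypothetical, and the fingerprint is assumed to reach the server as a stable byte string.

```python
import hashlib, hmac, os

class HybridAccount:
    """Password AND an enrolled, non-revoked device fingerprint are both required."""

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        self._pw = self._kdf(password)
        self._devices = {}  # device name -> {"tag": bytes, "revoked": bool}

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 600_000)

    def _tag(self, fingerprint: bytes) -> bytes:
        # Keep a keyed digest on the server, never the raw fingerprint.
        return hmac.new(self._salt, fingerprint, hashlib.sha256).digest()

    def login(self, password: str, fingerprint: bytes):
        """Return the matching device name on success, otherwise None."""
        pw_ok = hmac.compare_digest(self._pw, self._kdf(password))
        tag = self._tag(fingerprint)
        for name, dev in self._devices.items():
            if hmac.compare_digest(dev["tag"], tag):
                return name if pw_ok and not dev["revoked"] else None
        return None

    def enroll(self, name, new_fingerprint, password, via_fingerprint=None):
        """First device needs the password; later ones also need a linked device."""
        if self._devices:
            if via_fingerprint is None or self.login(password, via_fingerprint) is None:
                return False
        elif not hmac.compare_digest(self._pw, self._kdf(password)):
            return False
        # Re-enrolling an existing name covers a hardware upgrade (issue 3).
        self._devices[name] = {"tag": self._tag(new_fingerprint), "revoked": False}
        return True

    def revoke(self, target, password, via_fingerprint):
        """Disable a stolen device from a *different* linked device (issue 2)."""
        actor = self.login(password, via_fingerprint)
        if actor is None or actor == target or target not in self._devices:
            return False
        self._devices[target]["revoked"] = True
        return True

if __name__ == "__main__":
    acct = HybridAccount("constructed-password")      # constructed sample values
    acct.enroll("laptop", b"laptop-fp", "constructed-password")
    acct.enroll("desktop", b"desktop-fp", "constructed-password", b"laptop-fp")
    acct.revoke("laptop", "constructed-password", b"desktop-fp")
    print(acct.login("constructed-password", b"laptop-fp"))  # stolen laptop is refused
```

If every linked device is lost or broken, nothing in this model can enroll a replacement, which is the recovery problem the third issue describes.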




5 thoughts on “Using physical computer hardware in place of passwords”

  1. I’m actually going to disagree with you here. Locking a login to a physical machine is going to continually be a mess however you do it. My computer has changed RAM, hard drive, graphics card, and I even swapped the mobo at one point. I don’t think I’m the usual case, but I do know that RAM and HD swaps are perfectly normal where I work. Besides, any signal your computer sends can just be sent another way. Perhaps I’m misunderstanding the technology, but even if the hardware functions differently, can’t I just look at the right computer’s output and parrot that?

  2. What happens if you were to fry your graphics card? You could replace it but then your passwords wouldn’t work. I mean it’s a cool technology but remembering passwords isn’t that difficult. And wouldn’t people be able to obtain your fingerprints because they would be stored on your computer? I guess that could make it easier for the police to catch criminals.

  3. I think this is a good idea in theory, but has many faults. Your computer could break, you could change components, etc. This might be a good solution for the government or corporations that want certain items to be very secure and only accessed from internal devices. Another solution that is possible is a device that people carry around with them (such as a USB device) and have to plug it in whenever they want to authenticate. This could be a simple and convenient way for people to authenticate with systems, as long as they don’t lose the device or have it stolen.

    • I agree with what you said about it being more useful for the government or large corporations. The part about the USB though seems somewhat counterproductive because if you could authenticate with something as vulnerable to theft as a USB you might as well not use technology that has that many faults and downsides.

  4. I guess this just comes down to how much security you want on your machine. While I agree it is super secure, I definitely wouldn’t want this on the off chance I change the hardware I’m using. The analogy that one of my old professors brought up comes to mind. If I want to ensure I can’t have my car stolen I can encase it in cement, but now I can’t use it either.
