Re: matt25 post# 177558

Wednesday, 04/29/2009 10:29:41 PM

Post# of 249374
Banks and TPMs.

Hopefully the Diebold Case study will bring banks to the party.

steven sprague commented:
March 4th, 2009 at 2:43 pm

Come Join the Party.
The PC industry has taken the first step and now it is time for the banks to join the party.


The foundation of any identity is strong Authentication. Strong Authentication requires strong protection of a SECRET so that when we want to prove we are the person who was enrolled we can demonstrate we are in control of the secret. To secure the secret the best practice is to keep it in a hardware SAFE so the secret can only be used when we want it used. A SmartCard or a USB token is a good example of this type of security for authentication. The problem of course is how do we get hardware in everyone’s hands. This is where the PC industry comes in. Through the work of the Trusted Computing Group, an industry Standards body, 325 MILLION Trusted Platform Modules have been deployed worldwide.

This is a hardware security chip that is on the motherboard of all business PCs and it is starting to appear in some consumer PC models as well. This chip is designed to store KEYs that are used for authentication to any and all services. As a user I can have one ID or many. The keys are held in tamper resistant hardware on the motherboard and cannot be stolen by Software, Users, Viruses…. A key on a TPM can be made specific to a single user by adding a password to the TPM. This is not a password that goes over the network but is a password that will only work on that specific PC for a specific key. The password is checked by the TPM’s internal logic so that there are no risks introduced by the operating system. If the password matches then the KEY will be allowed to be used by the TPM to authenticate a USER to the service.

Most professional users or Power users that have laptops provided by their business have a TPM. This is now getting to be a big installed base even for BofA. The bank should make it possible to enroll the TPM with the existing BofA applications. This will dramatically reduce the authentication risks. BofA should use this TPM authentication in partnership with Visa 3D secure to eliminate credit card fraud for transactions that are done from the user’s own PC. BofA should allow federation of this credential to enable users to have secure authentication to other services as well. Finally BofA should use this Identity to enable electronic signing that will make for faster transactions with the bank and others.

The TPM does bind the user to their PC but a user can have keys on multiple computers and the user can carry a device that will interoperate with the TPM technology. The point is that a single modification to the authentication systems at BofA can be compatible with hardware that 325 million users already own.
With 325 million TPMs deployed worldwide there is an opportunity to enable a worldwide brand and franchise for multifactor authentication that is a once in a market opportunity. Banks have a unique opportunity because of their bricks and mortar but it will not last for long. With MySpace, Facebook and Google interested in identity, BofA would have to wake up and execute.

For many, TPMs are a new technology and their impact is not yet well understood. My company Wave Systems Corp has shipped more than 45 million copies of software to enable the TPM. It is a powerful piece of the identity puzzle and it is a global standard. As the applications take advantage of it perhaps we will be able to put the concept of a User ID and Password into the Science museum next to the floppy disk, both cool technologies that are part of the history books.

Steven Sprague
CEO
Wave Systems Corp.

P.S. All internal computers at BofA have TPMs including all of their recently acquired banks as well. They will secure your VPN, Wireless, Core Network, Branch Banks……
http://futurebanking.bankofamerica.com/thinking-identity_632