When you turn on your computer there's an even chance that the first thing you'll see is a Phoenix Technologies copyright notice. I've been seeing that message for 20 years now, but never stopped to think about what else Phoenix might do besides provide the basic input/output system (BIOS) firmware to get the parts of your computer talking to the operating system - whether that platform is Windows, Linux, DOS or what have you. If pressed, I might have actually wondered if the company was still around.
It is and what the company is doing is relevant to this newsletter.
I sat down over a pizza with Phoenix Chairman and CEO Al Sisto last week, and he told me what the company was doing to further the goals of identity and access management.
I've mentioned, from time to time, the concept of the "identity of things" (as opposed to the identity of users or persons) and the need to be able to identify those things - in particular, the platform that a given person is using. This is very important when dealing with "graded authorization" (rights granted based on the security of the platform and transport a user logs in from), but it's also important when setting up regulatory compliance scenarios - not only do you need to know which persons might have access to data but also which platforms.
There are numbers associated with computers (IP address, network card MAC address, operating system serial number, etc.) but none are permanently associated with the PC (swap out the network card, or use a Locally Administered Address - LAA - for the card and it appears to be a different machine). But the BIOS is there before everything else. Literally. Turn on the PC and the BIOS goes to work checking the keyboard, disk drives, RAM and more for conformance to the registered configuration. Change anything, and the BIOS will notice.
Phoenix Technologies knows the BIOS. And by knowing the BIOS Phoenix can make the computer platform itself part of a multi-factor authentication scheme: username/password and hardware token in which the PC is itself the token!
According to a blurb on Phoenix' Web site, Phoenix TrustConnector is "a universal CSP (cryptographic service provider) component for Windows machines, incorporating native 'platform sensing' technology to examine the hardware fingerprint of every x86 system and activate the highest trust possible for that system within the context of enterprise or personal security policies." (See http://www.phoenix.com/en/Products/Trusted+Applications/Phoenix+TrustConnector/ .)
What does that mean in English? It means that you can store the hardware fingerprint in the directory and only authenticate the user when the fingerprints match. Of course, you can store multiple fingerprints for each user (desktop, laptop, home, etc.) and you can implement graded authorization depending on which fingerprint is proffered as the second part of a multi-factor authentication.
There's no need for an RFID card, a fingerprint reader, a smartcard or anything else except the computer the user already has (and isn't likely to leave sitting on the dresser at home).
You'll want to read the white paper "Trusted Computing and Seamless Device Authentication for Windows Systems" and further investigate TrustConnector. It could be the simple, yet elegant, solution to your current identity management headache.
http://www.phoenix.com/NR/rdonlyres/87550134-0E3D-47EE-A5D7-572011E8C62D/0/trustconnector_ds.pdf
"Trusted Computing and Seamless Device Authentication for Windows Systems"