Ask the Expert

Identification and authentication for secure remote access

Our CEO is questioning a decision to standardize the RSA SecurID solution for all mobile/remote users. He says that he only needs a name and password to access an Internet site, from anywhere/any PC, that contains all the info he requires to participate as a board member of another large USA company. What kind of arguments would you give in defense of our solution, and is there any truly secure way to let remote users access confidential company info from the Internet from any PC with only a name and password?



What you are trying to provide is secure Identification and Authentication (I&A). All I&A consists of one or more of three factors: what you know, what you have and what you are. Usernames and passwords fall into the "what you know" category. SecurID is in the "what you have" category, and biometrics are in the "what you are" category.

If you are not encrypting your connections, a simple username and password are not secure: both are sent in plaintext, so an attacker could capture them and then masquerade as that user. SecurID, generally used in conjunction with a username and password, prevents an attacker from masquerading even if the username and password are compromised.

If a username and password are to be used alone, at least the authentication part of the connection should be encrypted using SSL or some other means (perhaps a VPN). However, there are other ways that usernames and passwords could be compromised, so using some form of token (such as SecurID) or biometric will be more secure than passwords alone.
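The point about a token stopping masquerading can be seen in a small two-factor check. This is an added example, not part of the original answer: SecurID's algorithm is proprietary, so the open TOTP standard (RFC 6238) stands in for it, and `Account`, `login` and `demo` are hypothetical names with constructed sample data.

```python
import hashlib
import hmac
import struct

def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Open-standard time-based code (RFC 6238): HMAC-SHA1 over the time-step counter."""
    mac = hmac.new(seed, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation as defined in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """Hypothetical server-side record: password hash plus the token's shared seed."""
    def __init__(self, password: str, salt: bytes, seed: bytes):
        self.salt, self.seed = salt, seed
        self.pw_hash = hash_password(password, salt)
        self.last_step = -1  # newest time step already accepted

    def login(self, password: str, code: str, now: int, step: int = 30) -> bool:
        pw_ok = hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)
        current = int(now) // step
        matched = None
        for s in (current, current - 1):  # tolerate one step of clock drift
            if hmac.compare_digest(totp(self.seed, s * step, step), code):
                matched = s
        # Both factors must pass, and a code is never accepted twice.
        if not pw_ok or matched is None or matched <= self.last_step:
            return False
        self.last_step = matched
        return True

def demo() -> dict:
    # Constructed sample data; the seed and timestamp are RFC 6238 test values.
    seed, t0 = b"12345678901234567890", 1111111109
    acct = Account("S3cret-pass", b"constructed-salt", seed)
    captured_code = totp(seed, t0)  # what an eavesdropper on the wire would see
    return {
        "password_only": acct.login("S3cret-pass", "", t0),
        "wrong_password": acct.login("guess", captured_code, t0),
        "legitimate": acct.login("S3cret-pass", captured_code, t0),
        "replay_2s_later": acct.login("S3cret-pass", captured_code, t0 + 2),
    }

if __name__ == "__main__":
    print(demo())
```

A captured password alone fails, and a captured password plus code fails once the code has been used, because the server records the last accepted time step.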




This was first published in March 2002
