Our CEO is questioning a decision to standardize the RSA SecurID solution for all mobile/remote users. He says that he only needs a name and password to access an Internet site from anywhere/any PC that contains all the info he requires to participate as a board member of another large USA company. What kind of arguments would you give in defense of our solution, and is there any truly secure way to let remote users access confidential company info from the Internet from any PC with only a name and password?
What you are trying to provide is secure Identification and Authentication (I&A). All I&A consists of one or more of what you know, what you have and what you are. Usernames and passwords fall into the what-you-know category, SecurID is in the what-you-have category, and biometrics are in the what-you-are category.
If you are not encrypting your connections, a simple username and password are not secure, as they are both sent in plaintext, where an attacker could capture the username and password and then masquerade as that user. SecurID, generally used in conjunction with a username and password, prevents an attacker from masquerading even if the username and password are compromised.
If a username and password are to be used alone, at least the authentication part of the connection should be encrypted using SSL or some other means (perhaps a VPN). However, there are other ways that usernames and passwords could be compromised, so using some form of token (such as SecurID) or biometric will be more secure than passwords alone.
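As an added illustration, not part of the expert's answer, here is the "what you have" check described above, modelled on an RFC 6238-style time-based code (a stand-in for a token display; RSA's own SecurID algorithm differs). The user record, token seed, salt and password are constructed for the demo.

```python
import hashlib
import hmac
import struct
import time

SALT = b"demo-salt"  # constructed; use a random per-user salt in practice

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

def token_code(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238-style time-based code: HMAC over the current time step."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class TwoFactorAuthenticator:
    def __init__(self, users: dict, step: int = 60):
        self.users = users          # username -> (password_hash, token_secret)
        self.step = step
        self.last_counter = {}      # username -> last accepted time step

    def login(self, username: str, password: str, code: str, unix_time: int) -> bool:
        record = self.users.get(username)
        if record is None:
            return False
        pw_hash, secret = record
        # "What you know": a captured password alone is not enough ...
        if not hmac.compare_digest(hash_password(password), pw_hash):
            return False
        # "What you have": the code must match the token for this time step ...
        if not hmac.compare_digest(code, token_code(secret, unix_time, self.step)):
            return False
        # ... and a code captured on the wire cannot be replayed within its window.
        counter = unix_time // self.step
        if self.last_counter.get(username, -1) >= counter:
            return False
        self.last_counter[username] = counter
        return True

# Constructed demo user; the token seed would live only on the token and the server.
USERS = {"ceo": (hash_password("correct horse"), b"constructed-token-seed")}

if __name__ == "__main__":
    auth = TwoFactorAuthenticator(USERS)
    now = int(time.time())
    code = token_code(USERS["ceo"][1], now)
    print("password only:   ", auth.login("ceo", "correct horse", "000000", now))
    print("password + token:", auth.login("ceo", "correct horse", code, now))
    print("replayed code:   ", auth.login("ceo", "correct horse", code, now + 1))
```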