
Cheat sheet: Access management solutions and their pros and cons

A cheat sheet of the most common access solutions with a brief description, and their risks and pros and cons to help you choose the solution that is right for your organization.

There are a number of different access management solutions available to security and IT managers these days, and the list keeps growing. The following is a cheat sheet of the most common solutions with a brief description, and their risks and pros and cons to help you choose the solution that is right for your organization.

User IDs and Passwords
Risks: If not properly managed or protected, user IDs and passwords can be easily stolen and provide easy access to your network or systems.
Risk Level: HIGH
Pros:
  • Easy to implement and commonly used for both network and system access.
  • Users are more familiar with user ID and password systems than with any other authentication system.
Cons:
  • Passwords can be guessed if based on common words or names.
  • User IDs and passwords can be easily stolen with freely available hacking tools, or by Trojans and keystroke loggers.

Key Fobs and One Time Password (OTP) tokens
Risks: If the value on the OTP token is stolen after a user ID and password are stolen, as in a Man-In-The-Middle (MITM) attack, system access could be compromised.
Risk Level: MEDIUM
Pros:
  • Easy-to-use system requiring only a small token that displays a changing PIN or password.
  • Provides an extra layer of security on top of a user ID and password. Like a user ID and password, it can be used for both network and system access.
Cons:
  • Can require significant development effort and additional hardware to implement.
  • Proliferation of tokens for multiple systems can be a problem.
  • Susceptible to MITM attacks.
  • If the user ID and password are compromised and then the token is stolen, a malicious user has full access to the system.

Smart Cards
Risks: The possibility of tampering with the card's chip to extract user information or login credentials.
Risk Level: LOW
Pros:
  • Smart Cards are portable and easy to integrate into a two-factor authentication system. They can be used for either network or system access.
  • They can securely store large amounts of data, including encryption keys and other user authentication information.
Cons:
  • Still not widely used because of the effort and cost of installing readers on users' desktops.
  • There are tools that can extract data and authentication credentials from stolen Smart Cards.

Biometrics
Risks: In the case of fingerprint scanners, the possibility of copying the user's fingerprint. There is also the possibility of replaying the stored digital data representing the biometric reading.
Risk Level: LOW
Pros:
  • One of the strongest access management technologies: it's nearly impossible to steal someone's iris scan, face pattern or fingerprint.
  • Best used as the second factor in a two-factor system to augment a user ID/password or Smart Card system.
  • Best used for physical access to a system, but use is increasing as a stand-alone authentication system for network or system access.
Cons:
  • Requires significant hardware cost to implement.
  • The technology still isn't foolproof and is subject to false readings.

Digital Certificates (DC)
Risks: DCs stored on a user's desktop can be stolen or spoofed.
Risk Level: MEDIUM
Pros:
  • Behind-the-scenes system that is passive and invisible to the user.
  • Requires no action on the user's part.
Cons:
  • The distribution and implementation of DCs can be costly and require setting up an internal PKI system.

VPNs
Risks: Though secure, the connection can also serve as an encrypted tunnel for malware if the PC connecting to the corporate network isn't secure.
Risk Level: LOW
Pros:
  • Provides a highly secure and encrypted private tunnel for connecting to the corporate network through the Internet.
  • Proven technology with a choice of vendors offering reliable implementations.
Cons:
  • Can just as easily be a secure connection for malware from an infected PC connecting from outside the network.
  • If not configured properly for laptop users, a stolen laptop can be used for network access.

SSL
Risks: Credentials can sometimes be stolen in a MITM attack using a proxy server.
Risk Level: LOW
Pros:
  • Proven technology with strong 128-bit encryption for transactions from Web sites.
Cons:
  • On rare occasions, SSL has had vulnerabilities that hackers can take advantage of.
  • Only protects the transmission itself and does not inspect the data flowing through the SSL tunnel, so malware can be sent "securely" to the Web application server as well.

Two-Factor Authentication
Risks: The rare possibility that both of the two authentication methods are cracked simultaneously.
Risk Level: LOW
Pros:
  • Provides an extra layer of protection by requiring two types of authentication, for example a user ID and password plus an OTP token. If one is breached, the other is still intact and provides protection.
Cons:
  • Requires additional software or hardware to set up two different authentication systems working in tandem.

Single Sign On (SSO)
Risks: If the user ID and password to the SSO system are stolen, multiple systems accessed through the SSO system could be compromised.
Risk Level: MEDIUM
Pros:
  • Easy-to-use system that requires only one password to access multiple systems, replacing separate passwords for each system.
Cons:
  • If compromised, the attacker has the keys to the entire castle.
  • Requires costly software and hardware installations and upgrades.
  • Since it basically relies on a single user ID and password, it is as vulnerable as any user ID and password.
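As an added example that is not part of the original cheat sheet, the following Python models the server side of the OTP-token and two-factor rows above: the token is assumed to be an RFC 4226/6238 style generator, and the verifier limits the "stolen token value" and MITM risks by accepting a code only inside a narrow time window and only once. The seed, salt, user name and PBKDF2 parameters are constructed sample values.

```python
import hashlib
import hmac
import struct

# Added illustration for the OTP-token and two-factor rows of the cheat sheet;
# not code from the original article. The token is modelled as an RFC 4226/6238
# style generator. SECRET is a constructed sample seed, not a real credential.
SECRET = b"constructed-sample-seed-0123"
STEP_SECONDS = 30
WINDOW_STEPS = 1      # accept the current 30 s step and one step either side
DIGITS = 6

def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OtpVerifier:
    """Server-side OTP check: narrow time window plus single-use enforcement."""

    def __init__(self, secret):
        self.secret = secret
        self.used = {}    # user -> time steps whose code has already been accepted

    def verify(self, user, code, now):
        if not (isinstance(code, str) and code.isascii() and len(code) == DIGITS):
            return False
        current = now // STEP_SECONDS
        used = self.used.setdefault(user, set())
        for step in range(current - WINDOW_STEPS, current + WINDOW_STEPS + 1):
            if hmac.compare_digest(hotp(self.secret, step), code):
                if step in used:
                    return False      # a code captured by a keylogger or MITM proxy cannot be replayed
                used.add(step)
                self.used[user] = {s for s in used if s >= current - WINDOW_STEPS}  # prune old steps
                return True
        return False

def hash_password(password, salt):
    """PBKDF2 for the stored first factor (constructed parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def two_factor_login(verifier, user, password, salt, stored_hash, code, now):
    """Both factors must pass; a stolen password alone, or a stolen code alone, fails."""
    password_ok = hmac.compare_digest(hash_password(password, salt), stored_hash)
    otp_ok = verifier.verify(user, code, now)   # checked even if the password failed
    return password_ok and otp_ok
```

The replay cache is per user and is pruned to the acceptance window, so it stays small while still rejecting a captured code for as long as that code would otherwise be valid.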

About the author
Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He is an expert on Web and application security and the author of The Little Black Book of Computer Security, available on Amazon.
This was last published in January 2006
