Cheat sheet: Access management solutions and their pros and cons

Risk Level: HIGH

• Easy to implement and commonly used for both network and system access.
• Users are most familiar with user ID and password systems than any other authentication system.

• Passwords can be guessed if based on common words or names.
• User IDs and passwords can be easily stolen with freely available hacking tools, or by Trojans and keystroke loggers.

Risk Level: MEDIUM

• Easy to use system requiring only a small token displaying a changing PIN or password.
• Provides an extra layer of security to a user ID and password. Like a user ID and password, can be used for both network and system access.

• Can require significant development effort and require additional hardware to implement.
• Proliferation of tokens for multiple systems can be a problem.
• Susceptible to MITM attacks.
• If the user ID and password are compromised and then the token stolen, a malicious user has full access to the system.

Risk Level: LOW

• Smartcards are portable and easy to integrate into a two-factor authentication system. They can be used for either network or system access.
• They can safely hold and store lots of data, including encryption keys and other user authentication information.

• Still not widely used because of the effort and cost to install readers on user's desktops.
• There are tools that can sift data and authentication credentials from stolen smartcards.

Risk Level: LOW

• One of the strongest access management technologies - it's nearly impossible to steal someone's iris scan, face pattern or fingerprint.
• Best used as the second factor in a two-factor system to augment a user ID/password or smartcard system.
• Best used for physical access to a system, but use is increasing as a stand alone authentication system for network or system access.

• Requires significant hardware cost to implement.
• The technology still isn't foolproof and is subject to false readings.

Risk Level: MEDIUM

• Behind the scenes system that is passive and invisible to the user.
• Requires no action on the user's part.

• The distribution and implementation of DCs can be costly and require the set up of an internal PKI system.

Risk Level: LOW

• Provides a highly secure and encrypted private tunnel for connecting to the corporate network through the internet.
• Proven technology with a choice of suppliers offering reliable implementations.

• Can just as easily be a secure connection for malware from an infected PC connecting from outside the network.
• If not configured properly for laptop users, a stolen laptop can be used for network access.

Risk Level: LOW

• Proven technology with strong 128-bit encryption for transactions from websites.

• On rare occasions, SSL has had vulnerabilities that hackers can take advantage of.
• Only encrypts the transmission itself and not the data flowing through the SSL tunnel, allowing malware, as well, to be sent "securely" to the web application server.

Risk Level: LOW

• Provides an extra layer of protection by requiring two types of authentication. For example, user ID and password, and OTP token. If one is breached, the other is still intact and provides protection.

• Requires additional software or hardware to set up two different authentication systems working in tandem.

Risk Level: MEDIUM

• Easy-to-use system that requires only one password to access multiple systems, replacing separate passwords for each system.

• If compromised, the attacker has the keys to the entire castle.
• Requires costly software and hardware installations and upgrades.
• Since it basically uses a single user ID and password, it has the same potential to be hacked as a user ID and password.