Credentials vs Certificate-Based RADIUS Authentication
Which is more secure? Which has a better UX? Credentials and certificates pros and cons compared.
As an organization scales, there will eventually come a point when a pre-shared key is no longer sufficient for controlling network access. Whether to manage multiple locations or simply to accommodate the growing number of employees, a security-conscious company will eventually need to upgrade to WPA2-Enterprise for their networking needs.
A RADIUS server is the core component that facilitates a WPA2-Enterprise network. It handles authenticating users via the chosen 802.1x policy. The biggest decision you need to make during this upgrade process is which flavor of EAP you will be implementing.
Pros and Cons of Credential-Based RADIUS Authentication
Practically speaking, security is typically a compromise between convenience and protection. If credentials were placed on that axis, they would lean far towards convenience.
Credentials, typically a username and password, have been the standard of authentication for years, even though they’re mostly insufficient.
Credentials rely on ever-fallible humans to remember the username and password and keep it secret, and people are pretty bad at both of those things. The best password in the world is utterly useless if the user falls prey to a phishing scam… not to mention the best password would be practically impossible to remember.
Even if a person doesn’t do anything wrong, credentials can be stolen in over-the-air attacks. A clever hacker can spoof the router or access point and your device will automatically submit the login credentials to the false access point – handing them the keys to your network.
Two of the most common 802.1x policies, EAP-TTLS/PAP and PEAP-MsCHAPv2, can only support credentials.
Pros and Cons of Certificate-Based RADIUS Authentication
Certificates are widely known to be far more secure than credentials, but are often mischaracterized as being complicated or difficult to implement.
Certificates are analogous to a driver’s license or other picture ID. They tie the name/identity of a person/device to the authentication, meaning the network knows exactly who and what is authenticating.
That alone has a number of advantages. Namely, it creates accountability for employees using the network – it eliminates the plausible deniability that shared accounts and shared passwords provide.
Even more important is that it makes certificates the best defense against both phishing and over-the-air attacks. There are no credentials to leak to phishers and even if a hacker manages to intercept your data during authentication, they’d lack the private key that positively identifies the owner of the certificate – rendering it useless.
The increased security is all well and good, but what’s it like for the end users that need to use certificates on a daily basis? Much better, actually.
The user experience for certificates is effortless compared to credentials. There’s no need to remember a username and password. There’s no need to reset your password every 90 days or so in a misguided attempt to maintain security. Certificate lifetimes can be customized by the organization, but it’s common for them to remain valid for upwards of 5 years.
The only 802.1x authentication protocol that supported certificates is EAP-TLS – the most secure option.
Our Cloud RADIUS servers can integrate with any network infrastructure, but we highly recommend using EAP-TLS with certificates. If you’re lacking the PKI necessary to implement certificates, our parent company SecureW2 provides the necessary components to integrate into your current infrastructure without the need for forklift upgrades.
Network security isn’t a “good enough” purchase. Don’t settle for less than the best – utilize Cloud RADIUS’s certificate-based authentication to enhance the user experience and overall security. Click here for more info on pricing.