2

I've read that securing services with client certificates is more secure than using the combination of TLS with basic authentication.

Client certificates have substantial drawbacks in terms of setup complexity and performance, so I'm looking for more specific reasons on how client certificates are more secure, and some examples of situations where they're justified. Thanks!

Dan
  • 620
  • 6
  • 18

1 Answers1

3

A client cert isn't more secure than a (good, protected) password. In general it is better than a password because it is less likely (impossible) to be the same as another cert (contrast with http://xkcd.com/792/ ) and it is less likely (impossible) to be guessed (i.e. it is resistant to dictionary attacks). It may be less likely to be divulged by an end user than a password.

Client side certs are considered "something you have" so that a client cert and a password ("something you know") can satisfy any TFA (two factor authentication) requirements in various regulations.

Mark Wagner
  • 18,019
  • 2
  • 32
  • 47
  • +1, Certs are most useful in Two Factor Auth scenarios; but are also generally more secure because the user isn't typing it in in-front of anybody, or reusing the same password everywhere, and it would be substantially harder to brute force (though rate limiting should take care of that anyway). – Chris S Sep 20 '10 at 23:26