Comparing Authentication Methods

Applies To: Windows Server 2008, Windows Server 2008 R2

PPP Authentication Protocols

Remote access in Windows Server® 2008 supports the Point-to-Point Protocol (PPP) authentication protocols listed in the following table.

| Protocol | Description | Security Level |
| --- | --- | --- |
| PAP (Password Authentication Protocol) | Uses plaintext passwords. Typically used if the remote access client and remote access server cannot negotiate a more secure form of validation. | The least secure authentication protocol. Does not protect against replay attacks, remote client impersonation, or remote server impersonation. |
| CHAP (Challenge Handshake Authentication Protocol) | A challenge-response authentication protocol that uses the industry-standard Message Digest 5 (MD5) hashing scheme to encrypt the response. | An improvement over PAP in that the password is not sent over the PPP link. Requires a plaintext version of the password to validate the challenge response. Does not protect against remote server impersonation. |
| MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2) | An upgrade of MS-CHAP. Two-way authentication, also known as mutual authentication, is provided. The remote access client receives verification that the remote access server that it is dialing in to has access to the user’s password. | Provides stronger security than CHAP. |
| EAP (Extensible Authentication Protocol) | Allows for arbitrary authentication of a remote access connection through the use of authentication schemes, known as EAP types. | Offers the strongest security by providing the most flexibility in authentication variations. |
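
The CHAP entry above, as an added example that is not part of the original page: a Python model of the RFC 1994 exchange showing why the server must hold the plaintext password, why a captured response fails against a fresh challenge, and that the password itself never crosses the link. The class name, user name and secret are constructed for illustration.

```python
import hashlib
import hmac
import os

SAMPLE_SECRET = b"constructed-sample-secret"  # constructed value, not a real credential


def chap_response(identifier, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side (hypothetical class). It needs each user's plaintext
    secret, because it has to recompute the same MD5 the client computed."""

    def __init__(self, secrets):
        self._secrets = secrets      # user name -> plaintext secret
        self._pending = {}           # user name -> (identifier, challenge)
        self._next_id = 0

    def challenge(self, name):
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256
        chal = os.urandom(16)        # fresh and unpredictable per attempt
        self._pending[name] = (ident, chal)
        return ident, chal

    def verify(self, name, ident, response):
        pending = self._pending.pop(name, None)   # a challenge is single-use
        secret = self._secrets.get(name)
        if pending is None or secret is None or pending[0] != ident:
            return False
        expected = chap_response(ident, secret, pending[1])
        return hmac.compare_digest(expected, response)


def demo():
    server = ChapAuthenticator({"alice": SAMPLE_SECRET})
    # The client answers whatever challenge arrives; nothing in the exchange
    # proves the challenger knows the secret (no server authentication).
    ident, chal = server.challenge("alice")
    resp = chap_response(ident, SAMPLE_SECRET, chal)
    accepted = server.verify("alice", ident, resp)
    # An observer replays the captured response against a new challenge.
    ident2, _ = server.challenge("alice")
    replay_accepted = server.verify("alice", ident2, resp)
    # Everything an observer sees on the link for the first attempt.
    on_wire = bytes([ident]) + chal + resp
    return accepted, replay_accepted, SAMPLE_SECRET in on_wire
```

`demo()` returns whether the genuine response was accepted, whether the replayed response was accepted, and whether the secret appeared in the observed traffic.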