
Inside our Azure Active Directory, we have 2 options to secure our calls to the Active Directory App:

  1. Secret

  2. Certificate

[screenshot: the "Certificates & secrets" options of the Azure Active Directory app registration]

Which option is more secure and why? Inside our applications which will be calling this App, it either needs to send the client secret or the certificate thumbprint.

Microsoft says in the image above:

For a higher level of assurance, we recommend using a certificate (instead of a client secret) as a credential.

but I am not sure why a certificate is more secure.

Second question, if we assume that the certificate is more secure, then is a self-signed certificate more secure than using a secret?

  • And the question boils down to "passwords vs certificates" and that's a google search term with a ton of rich results and explanations. – schroeder Feb 05 '23 at 12:16
  • @schroeder I am asking about secret vs certificate and not username/password versus certificate – test test Feb 05 '23 at 12:24
  • Shared secret is always a shared secret regardless of the name. You are really comparing shared secrets with public key authentication. The answer to that is clear. – Esa Jokinen Feb 05 '23 at 13:49
  • @EsaJokinen I am not sure why I keep getting links instead of a clear answer. Thanks anyway for the link, will check it – test test Feb 05 '23 at 14:47
  • @EsaJokinen also I am asking about the differences between secrets and certificates and not username vs certificate + I am asking specifically about the Azure Active Directory app – test test Feb 05 '23 at 14:49
  • Why would the answer be different for different applications? The pros and cons are exactly the same. Shared secret is a shared secret: it is known by both parties and transferred during the authentication. – Esa Jokinen Feb 05 '23 at 15:31
  • @EsaJokinen the link talks about username/password, I am asking about secrets + what about my second question `Second question, if we assume that the certificate is more secure, then is a self-signed certificate more secure than using a secret? ` – test test Feb 05 '23 at 15:45
  • @johnGu I don't think you are understanding. It's exactly the same thing ... – schroeder Feb 05 '23 at 16:08
  • The second question is asked separately here: https://security.stackexchange.com/q/268216/70406 – Esa Jokinen Feb 05 '23 at 16:26
  • @EsaJokinen I think this forum is to ask a question you have and get answers ... yes I agree with you `I don't think you are understanding` otherwise I would not ask this question ?? – test test Feb 05 '23 at 16:32
  • @EsaJokinen this post https://security.stackexchange.com/q/268216/70406 is different than my second question here, they are regarding self-signed certificates but have different questions – test test Feb 05 '23 at 16:33
  • @EsaJokinen so why did you close this question? It is not a duplicate of https://security.stackexchange.com/questions/3605/certificate-based-authentication-vs-username-and-password-authentication – test test Feb 05 '23 at 16:39
  • Ok, now you are choosing to not understand. – schroeder Feb 05 '23 at 16:42
  • @schroeder and you are choosing to take irrelevant actions – test test Feb 05 '23 at 16:43
  • I'll repeat, yet again: secrets and passwords are the same thing. As for the 2nd part of your question, please limit posts to one question at a time. And you have repeated that part of the question in a completely different post... – schroeder Feb 05 '23 at 16:44
  • @schroeder in one question I am comparing self-signed certificates with secrets, the other question is regarding using self-signed certificates in production environments... if they were the same question I would not ask 2 different questions. Thanks for your understanding – test test Feb 05 '23 at 16:47

0 Answers