Access to a remote PC is controlled by username and password. Access Remote PC uses the Secure Remote Password (SRP) protocol for authentication and key exchange; see also RFC 2945.
SRP provides the following security features:
- SRP is safe against snooping. The password is never passed over the network, either in the clear or encrypted.
- SRP is immune to replay attacks. None of the information exchanged during authentication can be re-used to gain access to a server using SRP.
- SRP provides mutual authentication: the server proves knowledge of the password verifier to the client, not only the client to the server.
- SRP securely exchanges a session key in the process of authentication. This key is used to encrypt the user's login session and protect it from both snooping and active tampering.
- SRP resists offline dictionary attacks based on the exchanged messages. The traffic exchanged over the network is insufficient to verify a guess of a user's password.
- SRP offers perfect forward secrecy. A compromised password will not allow an intruder to decrypt past sessions, and a compromised session key will not allow an intruder to find out a password. This includes resistance to the Denning-Sacco attack: a compromised session key will not permit an attacker to mount a dictionary attack against the password.
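The exchange the bullets above describe, as an added example in Python rather than code from the Access Remote PC product or its documentation: enrollment producing a salt and verifier, the four-message handshake with both endpoints driven in one process, the mutual proofs, and the session key derived independently on each side. It implements the SRP-6a refinements (k = H(N|g), u = H(A|B)) rather than the older SRP-3 flow spelled out in RFC 2945, and uses SHA-256 with the 1024-bit group from RFC 5054. The group, hash and message encoding Access Remote PC actually uses are not stated on this page; those choices, the account name and the password are assumptions made for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

# Assumed group: the 1024-bit N and g = 2 from RFC 5054, Appendix A. The page does not say
# which group or hash Access Remote PC uses; SHA-256 stands in for RFC 2945's SHA-1.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
    "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
    "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C"
    "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def pad(n: int) -> bytes:
    """Big-endian, zero-padded to the byte length of N (RFC 5054 PAD())."""
    return n.to_bytes(NLEN, "big")

k = int.from_bytes(H(pad(N), pad(g)), "big")   # SRP-6a multiplier (SRP-3 in RFC 2945 has k = 1)
HN_XOR_HG = bytes(p ^ q for p, q in zip(H(pad(N)), H(pad(g))))

def private_key_x(username: str, password: str, salt: bytes) -> int:
    """RFC 2945: x = H(s | H(I | ":" | P)). The only place the password is used."""
    return int.from_bytes(H(salt, H(f"{username}:{password}".encode())), "big")

def enroll(username: str, password: str) -> tuple[bytes, int]:
    """Account creation: the server keeps only (salt, verifier v = g^x), not the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key_x(username, password, salt), N)

def client_proof(I: str, salt: bytes, A: int, B: int, K: bytes) -> bytes:
    """M1 = H(H(N) xor H(g), H(I), s, A, B, K), RFC 2945 section 3."""
    return H(HN_XOR_HG, H(I.encode()), salt, pad(A), pad(B), K)

class Client:
    def __init__(self, username: str, password: str):
        self.I, self.P = username, password

    def start(self) -> tuple[str, int]:
        self.a = secrets.randbelow(N - 2) + 1      # fresh ephemeral: gives forward secrecy
        self.A = pow(g, self.a, N)
        return self.I, self.A                      # message 1: I, A

    def respond(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("server sent B = 0 mod N")   # would make S trivially predictable
        u = int.from_bytes(H(pad(self.A), pad(B)), "big")
        x = private_key_x(self.I, self.P, salt)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = H(pad(S))
        self.M1 = client_proof(self.I, salt, self.A, B, self.K)
        return self.M1                             # message 3: client proof

    def verify_server(self, M2: bytes) -> bool:
        return hmac.compare_digest(M2, H(pad(self.A), self.M1, self.K))

class Server:
    def __init__(self, db: dict[str, tuple[bytes, int]]):
        self.db = db

    def challenge(self, I: str, A: int) -> tuple[bytes, int]:
        if A % N == 0:
            raise ValueError("client sent A = 0 mod N")
        salt, v = self.db[I]
        b = secrets.randbelow(N - 2) + 1
        B = (k * v + pow(g, b, N)) % N
        u = int.from_bytes(H(pad(A), pad(B)), "big")
        S = pow(A * pow(v, u, N), b, N)            # equals the client's S iff x matches v
        self.K = H(pad(S))
        self.A, self.expected_M1 = A, client_proof(I, salt, A, B, self.K)
        return salt, B                             # message 2: s, B

    def verify_client(self, M1: bytes) -> bytes | None:
        if not hmac.compare_digest(M1, self.expected_M1):
            return None                            # wrong password: no M2, no session
        return H(pad(self.A), M1, self.K)          # message 4: server proof

def handshake(client: Client, server: Server) -> tuple[bool, bytes | None]:
    """Drive the four messages; return (mutually authenticated, session key)."""
    I, A = client.start()
    salt, B = server.challenge(I, A)
    M1 = client.respond(salt, B)
    M2 = server.verify_client(M1)
    if M2 is None or not client.verify_server(M2):
        return False, None
    return True, client.K                          # client.K == server.K at this point

if __name__ == "__main__":
    db = {"alice": enroll("alice", "correct horse battery staple")}   # constructed account
    print(handshake(Client("alice", "correct horse battery staple"), Server(db))[0])  # True
    print(handshake(Client("alice", "wrong password"), Server(db))[0])                # False
```

Note what crosses the wire: the username, A, the salt, B, and the two proofs M1 and M2. The password enters only private_key_x on the client, and a and b are fresh per session, so a recorded transcript can neither be replayed nor decrypted later with a recovered password. The A and B zero checks are the ones the SRP specification requires; without them a peer can force the shared secret to a known value. One caveat the bullets do not cover: the server's (salt, verifier) database is itself a dictionary-attack target if it leaks, so it needs the same protection as a password hash store.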
Access Remote PC also supports One Time Passwords, which are likewise implemented via SRP. A one-time password expires after its first use, so a password captured by keystroke-logging malware on the client cannot be used to log in again.
In addition to SRP authentication, Access Remote PC supports Windows Integrated Authentication, which lets you use the password management functionality and security built into the operating system. You choose the authentication method when creating a user account.

When creating a new Access Remote PC account with the Windows Integrated Authentication option, you can specify either a Windows user name or a Windows group name. If you specify a group, every member of the group is granted the specified permissions. Domain-level authentication is also supported; a domain account must always be written as username@domain, both when you specify the account on the server and when you log in with it on the client.

When a user is authenticated via Windows Integrated Authentication, file system access on the remote PC runs under the credentials of the specified Windows account. With SRP authentication, the file system is accessed under the account the Access Remote PC service (or the Access Remote PC standalone server) runs as, so every SRP user shares that account's file system rights.