You can use Secure Network Communications (SNC) to provide for secure authentication instead of using the traditional user ID and password-based authentication.
SNC is available for user authentication when you use the SAP GUI for Windows or Remote Function Calls (RFC). If you use a Web-based user interface (for example, SAP GUI for HTML), you must use an authentication method available for Web front ends (for example, X.509 client certificates).
SNC uses an external security product to perform the authentication between the communication partners (for example, the SAP GUI for Windows and the application server). The security measures you need to take depend on the security product you use and the type of infrastructure that it supports. For example, if the security product uses public-key technology, then you need a public-key infrastructure (PKI). You need to define procedures for generating and distributing the key pairs for the users and system components and you need to make sure their private keys are stored in a secure location.
SAP offers such a security product: SAP NetWeaver Single Sign-On.
To prevent misuse of the private keys, you must ensure that they are stored in a secure place. There are the following methods for storing private keys:
Hardware solutions (for example, smart cards or hardware security modules)
Software solutions (for example, Personal Security Environments or PKCS#12 format)
The best way to protect private keys of users is to use smart cards that you issue to each individual user. The keys are saved on the card, and the card is designed to never reveal the private key. Users have to authenticate themselves to their cards, either using biometrics (for example, a fingerprint) or knowledge (for example, a PIN, password or pass phrase entry) and can then use the card to create digital signatures or to encrypt documents. In this case, each user needs to protect his or her smart card from theft or loss.
Do not allow your users to share smart cards or give them to others to use!
On the server, you can use a hardware security module instead of a smart card for higher performance.
You can also use a software solution to store the private keys of users. A software solution is not as safe as crypto hardware, but it is less expensive to implement. If you use files (for example, PSE or PKCS#12 files) to store the credential information and private keys of users, then you must take extra care to protect those files from unauthorized access: restrict them to the owning account and check the permissions regularly.
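One concrete check for the file-based case, added here as an example and not part of the SAP documentation: a small Python audit that reports key-store files readable or writable by anyone other than their owner, or owned by the wrong account. It assumes POSIX hosts (mode bits and numeric user IDs) and that key stores carry the .pse, .p12 or .pfx suffix; both are assumptions, not something the text states.

```python
"""Audit software key-store files (PSE / PKCS#12) for permissive file modes."""
import os
import stat
import sys
from pathlib import Path

# Assumed suffixes for the PSE and PKCS#12 files named in the text;
# files with other suffixes are ignored by the scan.
KEY_STORE_SUFFIXES = {".pse", ".p12", ".pfx"}

# Any of these bits set means a user other than the owner can read or write the file.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def check_key_file(path, expected_uid=None):
    """Return a list of findings for one key-store file (empty list means OK).

    expected_uid: numeric user ID that should own the file (for example the
    account the application server runs under); None skips the owner check.
    """
    st = os.lstat(path)  # lstat: do not follow links, report them instead
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append("is a symbolic link; the real file may sit in an unprotected location")
        return findings
    if st.st_mode & GROUP_OTHER_BITS:
        findings.append("mode %04o grants group/other access; expected 0600 or 0400"
                        % stat.S_IMODE(st.st_mode))
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append("owned by uid %d, expected uid %d" % (st.st_uid, expected_uid))
    return findings


def audit_key_files(directory, expected_uid=None):
    """Walk a directory tree; return {path: [findings]} for every weak key-store file."""
    problems = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if Path(name).suffix.lower() not in KEY_STORE_SUFFIXES:
                continue
            path = os.path.join(root, name)
            findings = check_key_file(path, expected_uid)
            if findings:
                problems[path] = findings
    return problems


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, findings in sorted(audit_key_files(target).items()):
        for finding in findings:
            print("%s: %s" % (path, finding))
```

Run it against the directory that holds the key stores; an empty report means every key-store file found is owner-only and (if a user ID was given) owned by the expected account.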