LogMeIn Pro Security
At LogMeIn, we take the security and protection of your important files, data, and personal information very seriously. Our products are architected with security being the most important design objective. As part of this commitment our datacenters and source code are continually reviewed by independent, accredited third party audit firms to ensure data that your information remains confidential.
All communications by LogMeIn products use industry-standard algorithms and protocols for encryption and authentication. Nobody will be able to see or access the data transmitted between your computers - not even us. This is a summary of the most important security highlights of the LogMeIn Pro products. For more details please see the LogMeIn Security Whitepaper.
SSL/TLS communications
The communications protocol used by LogMeIn Pro is SSL/TLS (OpenSSL). The same protocol is the standard for web-based commerce or online banking. It provides authentication and protection against eavesdropping, tampering and message forgery.
Authentication
LogMeIn hosts maintain a persistent connection with a LogMeIn server. This connection is secured using SSL/TLS. The LogMeIn server's identity is verified using its PKI certificate. The host's identity is verified based on a pre-assigned identifier and a pre-shared secret. These credentials are transmitted by the host to the server over the authenticated SSL/TLS connection.
When a user logs on to LogMeIn.com, the user's browser verifies the identity of the server behind the scenes, using the server's certificate, just like the hosts do. The user in turn authenticates to LogMeIn.com with an email address and password combination, where the password is verified using a hash value (with a per-account unique salt). In addition to the email address/password combination, users can elect to require additional verification steps, such as entering one-time-use codes from a pre-printed sheet or an email message.
Users also need to authenticate to every LogMeIn host they access remotely. This is done using standard operating system credentials that are never stored on LogMeIn's servers. Users can elect to require the use of a personal password or an RSA SecurID two-factor authenticator when logging in to the host, in addition to supplying operating system credentials.
Intrusion Resistance
Authenticating with LogMeIn.com or (in case of a browser left unattended in the wrong place at the wrong time) authenticating with the host can be subject to brute force login attempts by unauthorized users. Both LogMeIn.com and the host employ simple but efficient lockout mechanisms that only allow a few incorrect logins before locking the account or the offending IP address.
Auditing And Logging
LogMeIn.com has granular auditing capabilities available under a user's account security settings. These audit messages will notify users via email when an important change (such as adding a new computer) or a suspicious event (such as an incorrect login) occurs.
Furthermore, LogMeIn.com provides extensive reporting capabilities on past remote access sessions.
The host keeps a detailed event log specific to LogMeIn. It also writes major events (such as a remote access session starting or ending) into the operating system event logs. The host can also be configured to record remote access sessions into video files for later playback.