WCF is more secure than ASMX and insists the basic fact that it never allows you to send plain-text credentials without encrypting those.

You need to ask yourself a few qusetions here:

• how do I protect my messages going from the client to the server, so that the username/password is not sent as plain text?
• how do I check the validity of the username/password once the message arrives at the server?

For the first point, you can do a number of things:

• secure the transport layer, e.g. use HTTPS (with SSL) to protect the entire pipe going from the client to the server. In that case, you don’t have to do much else – the whole communication channel is protected

• secure the message (at least the username/password part) using encryption. In that case, you need to have at least a service certificate on the server, so that the calling client has a shared secret to encrypt the message – or you need to install a certificate on the client (usually not a good idea if you want everyone to call your service)

For the authentication part, you need to decide on:

• using the ASP.NET membership subsystem which already has a user table against which you can validate the credentials provided

• or roll your own from scratch – not recommended unless you really really have to and have a very specific need

WCF security is not an easy topic – you can find helpful information and scenarios on how to do certain things here:

• WCF Security by the MIcrosoft Patterns & Practice group
• Declarative WCF Security by Juval Lowy

With just the few pieces of information you provided, one cannot really give a “do this and that” kind of answer. You need to read up on WCF security and decide on what scenario you want to implement. I’m sure folks here can help you with more specific questions about how to achieve certain things in WCF security, if your questions are more focused on a particular problem / issue.