[trout]

This is true - RADIUS and TACACS are the most secure way to access routers. I've found that nearly all routers in nearly all environments still have a local authentication. If you were to remove all network connections (or just the right one) you no longer have access to the authentication server and you would be totally locked out of the box since it doesn't cache any of the authentication. The running configuration of the router IS what you have to secure, and it needs to be stored under lock and key (SFTP, authenticated file share, etc). If you're sending it to non-shared parties you should remove the authentication from the configuration either manually or with 'show run brief'.