> > Our only concern is with their "web hosted" model (where the system
> > is managed via servers in Brivo's data centers) in that it requires
> > only username/password authentication to access the management UI.
> > We've stated that we would be concerned about using that model without
> > the addition of two-factor authentication, or at least a way to allow
> > access to our admin account only from our known IP addresses.
>
> ...
>
> For that kind of security, authenticating by IP address is a Bad Thing.
> IP addresses can be faked. A username/password over HTTPS can be more
> secure than authenticating via IP address. For that matter, can they
> authenticate to a certificate on your Web browser?

I think he meant - use the username/password authentication, but only if
the client is coming from a specific IP address. All other IP addresses
are auto-denied (or better yet, never even see the login page.)

AKA, user/pass authentication AND IP-based authentication. An additional
layer. If you want to call it a layer.

_______________________________________________
Discuss mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
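
The layering described in the reply above, sketched as an added example that is not part of the original thread or of any vendor's code: a source-address allowlist is checked first, and the username/password check still applies to every client that passes it. The networks, account, salt and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample values: documentation address ranges and a made-up account.
ALLOWED_NETS = [ipaddress.ip_network(n)
                for n in ("203.0.113.0/28", "2001:db8:10::/48")]
SALT = b"constructed-salt"
ITERATIONS = 100_000


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


USERS = {"admin": _hash("correct horse battery staple")}
_DUMMY = _hash("dummy")  # compared against when the username is unknown


def source_allowed(peer_ip: str) -> bool:
    """True only if the address falls inside an allowlisted network.

    peer_ip must be the TCP peer address of the connection, not a
    client-supplied header such as X-Forwarded-For.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so a dual-stack listener
    # still matches the IPv4 rules.
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net
               for net in ALLOWED_NETS)


def handle_login(peer_ip: str, username: str, password: str) -> int:
    """Return an HTTP status: 404 outside the allowlist, 401 on bad
    credentials, 200 when both layers pass."""
    # Layer 1: clients outside the allowlist never see the login page.
    if not source_allowed(peer_ip):
        return 404
    # Layer 2: credentials are still required; the IP check replaces nothing.
    stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(stored, _hash(password))
    return 200 if ok and username in USERS else 401
```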
