You could manage the web.config IP filter via CF. You can also have the option to disable 2-factor authentication for a specific computer for 30 days, which is a common option, using either a cookie or IP logging.
Russ Michaels
www.michaels.me.uk
cfmldeveloper.com
cflive.net
cfsearch.com

On 3 Mar 2014 22:22, "Nick Gleason" <[email protected]> wrote:
>
> Hi Russ,
>
> This is very interesting. In this case, we limit failed logins to a fairly
> small number before the login is disabled so in theory that would prevent
> dictionary style attacks, even against fairly weak logins. If you think
> that is flawed, let me know.
>
> We've discussed adding an IP filter, although I was thinking that we would
> try to do it within the application code rather than at the web server in
> case someone doesn't have access to the web server configuration. I suppose
> it could be done in web.config as well (on IIS), but it seems like it would
> be easier for client to manage to have the IP list within the user's
> record.
>
> It would be nice if we could essentially ban all foreign IPs from admin
> access (when it made sense for a client), but when researching that a while
> back it seemed a little tricky.
>
> With Google-style 2 factor authentication, I get the idea of requesting a
> numeric code in a text message - that doesn't sound terribly complicated.
> But, I'm sure that people would want to elect to "stay logged in on this
> computer" and I'm not clear on how best to manage that.
>
> Thanks again.
>
> Nick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357815
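The cookie-based "skip the second factor on this computer for 30 days" option discussed in this message, as an added example that is not code from either poster. It is written in Python to show the token logic only; the function names and the in-memory dictionary standing in for a database table are assumptions.

```python
import hashlib
import secrets
import time

TRUST_SECONDS = 30 * 24 * 3600  # the 30-day window mentioned in the thread

# Stand-in for a database table: sha256(token) -> (user_id, expires_at).
# Only the hash is stored, so a leaked table does not yield usable cookies.
_trusted = {}

def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def remember_device(user_id, now=None):
    """Call only after a successful second-factor check.
    Returns the value for a cookie set with HttpOnly, Secure and a 30-day lifetime."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # random, carries no user data
    _trusted[_digest(token)] = (user_id, now + TRUST_SECONDS)
    return token

def second_factor_required(user_id, cookie_value, now=None):
    """True unless the cookie is a live trusted-device token for this user.
    The password check still happens separately on every login."""
    now = time.time() if now is None else now
    if not cookie_value:
        return True
    key = _digest(cookie_value)
    record = _trusted.get(key)
    if record is None:
        return True  # unknown or forged value
    owner, expires_at = record
    if now >= expires_at:
        del _trusted[key]  # enforce expiry server-side, not via the cookie
        return True
    return owner != user_id  # a token never transfers between accounts

def revoke_devices(user_id):
    """Call on password change or reset; returns how many devices were dropped."""
    stale = [k for k, (owner, _) in _trusted.items() if owner == user_id]
    for k in stale:
        del _trusted[k]
    return len(stale)
```

Because the trust record lives in the user's data rather than in the cookie itself, a lost laptop can be untrusted by deleting its row.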

