Hi Russ,

This is very interesting. In this case, we limit failed logins to a fairly small number before the login is disabled, so in theory that would prevent dictionary-style attacks, even against fairly weak logins. If you think that is flawed, let me know.

We've discussed adding an IP filter, although I was thinking that we would try to do it within the application code rather than at the web server in case someone doesn't have access to the web server configuration. I suppose it could be done in web.config as well (on IIS), but it seems like it would be easier for the client to manage to have the IP list within the user's record. It would be nice if we could essentially ban all foreign IPs from admin access (when it made sense for a client), but when researching that a while back it seemed a little tricky.

With Google-style 2-factor authentication, I get the idea of requesting a numeric code in a text message - that doesn't sound terribly complicated. But I'm sure that people would want to elect to "stay logged in on this computer" and I'm not clear on how best to manage that.

Thanks again.

Nick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357814
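The three controls discussed in the message (a small failed-login limit that disables the login, a per-user IP list kept in the user record, and a second factor that a remembered computer may skip) sketched together as an added example in Python; this is not code from the thread or from the application under discussion, and the `User` model, the thresholds, the status strings and the sample IP ranges are assumptions. The "stay logged in on this computer" part works by putting a random token in the cookie and storing only its hash plus an expiry server side, and that token only bypasses the second factor, never the password check.

```python
import hashlib, hmac, ipaddress, secrets
from dataclasses import dataclass, field

MAX_FAILED = 5        # disable the login after this many bad passwords (constructed value)
REMEMBER_SECS = 30 * 86400   # lifetime of a "stay logged in on this computer" token

@dataclass
class User:
    name: str
    pw_hash: bytes                                    # demo hash; a real app should use bcrypt/PBKDF2
    allowed_nets: list = field(default_factory=list)  # per-user IP allowlist kept in the user record
    failed: int = 0                                   # consecutive bad passwords
    devices: dict = field(default_factory=dict)       # sha256(token) -> expiry (epoch seconds)

def pw_hash(pw: str) -> bytes:
    return hashlib.sha256(pw.encode()).digest()

def ip_allowed(user: User, ip: str) -> bool:
    # An empty allowlist means no restriction; otherwise the client must fall inside one of the nets.
    addr = ipaddress.ip_address(ip)
    return not user.allowed_nets or any(addr in ipaddress.ip_network(n) for n in user.allowed_nets)

def login(user: User, pw: str, ip: str, now: float, cookie_token: str = None) -> str:
    """Returns 'ip_denied', 'locked', 'bad_password', 'need_second_factor' or 'ok'."""
    if not ip_allowed(user, ip):
        return "ip_denied"
    if user.failed >= MAX_FAILED:
        return "locked"                 # stays disabled until an administrator resets the counter
    if not hmac.compare_digest(user.pw_hash, pw_hash(pw)):
        user.failed += 1
        return "bad_password"
    user.failed = 0
    # A remembered-device cookie only skips the second factor; the password is always checked.
    if cookie_token and device_trusted(user, cookie_token, now):
        return "ok"
    return "need_second_factor"

def remember_device(user: User, now: float) -> str:
    """Issue a random token for the cookie; only its hash and expiry are stored server side."""
    token = secrets.token_urlsafe(32)
    user.devices[hashlib.sha256(token.encode()).hexdigest()] = now + REMEMBER_SECS
    return token

def device_trusted(user: User, token: str, now: float) -> bool:
    """True only for an unexpired remembered token; unknown or expired entries are forgotten."""
    key = hashlib.sha256(token.encode()).hexdigest()
    if key in user.devices and now <= user.devices[key]:
        return True
    user.devices.pop(key, None)
    return False
```

Because only the token's hash is stored, a copy of the user table does not yield usable "remembered computer" cookies, and the expiry bounds how long a stolen cookie is worth anything.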