On Wed, Dec 24, 2008 at 08:56:49AM -0600, Jeremy Charles wrote: ... > Our only concern is with their "web hosted" model (where the system is > managed via servers in Brivo's data centers) in that it requires only > username/password authentication to access the management UI. We've stated > that we would be concerned about using that model without the addition of > two-factor authentication, or at least a way to allow access to our admin > account only from our known IP addresses. > ...
For that kind of security, authenticating by IP address is a Bad Thing. IP addresses can be faked. A username/password over HTTPS can be more secure than authenticating via IP address. For that matter, can they authenticate to a certificate on your Web browser? -- /*********************************************************************\ ** ** Joe Yao [email protected] - Joseph S. D. Yao ** \*********************************************************************/ _______________________________________________ Discuss mailing list [email protected] http://lopsa.org/cgi-bin/mailman/listinfo/discuss This list provided by the League of Professional System Administrators http://lopsa.org/
