Restricting Access to Manager via certificates and keys etc.

I am not requesting a feature improvement here as we have enough ideas waiting to be implemented.

But I am curious to hear feedback from others, including the developer, on improving the security of Manager Accounting against being hacked into, given that so many systems have been breached due to weak passwords etc.

Currently I use Server Manager and have IP address restrictions in place so only myself and my accountant can access Manager as I have whitelisted my IP address and his IP address. So I think that is as secure as we can get it. I don’t think that I can improve much on that.

But I was wondering whether it would make sense for Manager to include the ability to restrict access based on keys and certificates, such as would be used in SSH connections etc. This would make it easier for employees to access Manager on site at a client's, as I can imagine whitelisting dozens of IP addresses may not be practical for companies bigger than mine. Requiring a key/certificate would make it hard, if not impossible, for a hacker to breach the system, whilst still being practical to implement for bigger companies.

Best security practice dictates that one should know something and have something. So you know the password and you have something like a key, hardware disk etc. I think that IP whitelisting would fall under the "have something" category. Unless I have missed it, Manager does not even have two-factor authentication, although I must admit two-factor authentication can end up being more trouble than it is worth.

Another suggestion I could make is integrating with the HaveIbeenpwned website to prevent people from using weak passwords, as weak passwords are the biggest security flaw in online systems. For myself, I am already ok there, but I don't know if my accountant is using a secure password, for example.

I would be interested in people’s thoughts on the subject. I do think that Manager needs some kind of MFA.


MFA is the first answer here. It's user-friendly and something that is being rolled out everywhere. It's definitely on my radar to be part of Manager soon.


Cool. I would also consider integrating with a password strength checker website. My email system has recently integrated with one, and I was quite shocked how many of my clients' staff were using passwords that had been breached somewhere in the world at some point in time.

My problems with phones are signal and always having to have your phone with you. Also SIM card cloning, so I am not wildly keen on SMS authentication, which is the most common 2FA.

Anyway, good to hear that Manager is getting MFA. I am happy that I can use IP whitelisting, as that pretty much is the most secure way to protect against a hack. Or using keys/certificates.
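The breached-password check suggested in the first post and again in this reply, as an added example that is not code from Manager or from anyone in this thread: it implements the k-anonymity range lookup the Pwned Passwords API uses, where only the first five hex characters of the password's SHA-1 are sent and the remaining 35 are compared locally. The endpoint URL and headers are the ones HIBP documents; the bucket contents and counts below are constructed for the offline demo, not real API data.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # documented Pwned Passwords endpoint


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case hex SHA-1 of the password.
    Only the prefix ever leaves this host; the suffix is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse a range response ("SUFFIX:COUNT" per line) into a suffix -> count map.
    Padding entries (count 0, returned when Add-Padding is set) are kept; a 0 means 'not found'."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup of one hash-prefix bucket (not called by the offline demo below)."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "password-policy-check",
                                          "Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, lookup: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in the breach corpus; 0 means not found."""
    prefix, suffix = split_sha1(password)
    return parse_range_body(lookup(prefix)).get(suffix, 0)


# Constructed stand-in for the API: only the bucket for SHA-1("password") (prefix 5BAA6)
# has entries, and every count here is made up for the demo.
SAMPLE_BUCKETS = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
             + "0" * 34 + "A:0\r\n"                       # padding-style entry, count 0
             + "1D72CD07550416C216D8AD296BF5C0AE8E0:12\r\n",
}


def offline_lookup(prefix: str) -> str:
    return SAMPLE_BUCKETS.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, offline_lookup)
        print(f"{pw!r}: {'REJECT' if n else 'ok'} ({n} breach occurrences)")
```

Because the API never sees more than a 5-character prefix, the check can be run at password-set time without disclosing the password or its full hash to a third party.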