I am not requesting a feature improvement here as we have enough ideas waiting to be implemented.
But I am curious to hear feedback from others, including the developer, on improving the security of Manager Accounting against being hacked into, given that so many systems have been breached due to weak passwords etc.
Currently I use Server Manager and have IP address restrictions in place so that only my accountant and I can access Manager, as I have whitelisted my IP address and his IP address. So I think that is as secure as we can get it. I don't think that I can improve much on that.
But I was wondering whether it would make sense for Manager to include the ability to restrict access based on keys and certificates, such as would be used in SSH connections etc. This would make it easier for employees to access Manager on site at clients, as I can imagine whitelisting dozens of IP addresses may not be practical for companies bigger than mine. Requiring a key/certificate would make it hard, if not impossible, for a hacker to breach the system, whilst still being practical to implement for bigger companies.
Best security practice dictates that one should know something and have something. So you know the password and you have something like a key, hardware disk etc. I think that IP whitelisting would fall under the have something category. Unless I have missed it, Manager does not even have two factor authentication, although I must admit two factor authentication can end up being more trouble than it is worth.
Another suggestion I could make is integrating with the Have I Been Pwned website to prevent people from using weak passwords, as weak passwords are the biggest security flaw in online systems. For myself, I am already OK there, but I don't know if my accountant is using a secure password, for example.
I would be interested in people’s thoughts on the subject. I do think that Manager needs some kind of MFA.