[ITA-715] Login from reserved IP Addresses / Geoblocking
under review
Ailan
How far are you with designing/implementing this feature?
It's still 'under review'. But this is way too critical to let it loose.
Ed Hammond
This is going to be required by Cybersecurity insurance, so if you can't offer this you're going to start losing customers.
W Rapp
Agreed!
Lindsay Webb
I agree. More protection options are really needed.
myr
Should be added to the Roles for easy control
Robin
under review
Provided dev reference of ITA-715
NCT
Robin: How about using a service such as Cloudflare to provide an extra 2FA for logins?
Robin
NCT: Please explain what you mean?
NCT
Robin: Would this help? https://www.cloudflare.com/en-gb/products/tunnel/
Robin
Hi Ailan
We have been talking internally on this topic.
Just to get some more information from you, what do you think about the idea of creating groups of IPs with descriptions which can then be configured to allow or deny access to your tenancy?
The idea is that we would allow users to login, and if login was successful we would then check the IP against your configuration and either give you access or display a not allowed from your IP screen and block access.
Ailan
Robin: Hi Robin,
I think that would be great.
In my case I only use one user: me. As the MSP-Admin.
And I only want to login from 1 IP address.
In your setup it sounds great.
Except one thing: "The idea is that we would allow users to login, and if login was successful we would then check the IP against your configuration and either give you access or display a not allowed from your IP screen and block access."
You let the user log in first, and AFTER the successful login you would check the IP address against the list? So the external user is logged in after all, but permission is denied.
I think it should be the other way around. Just like a firewall:
Only the selected IP addresses should have the ability to get to the login screen.
But I do see your vision. The way around is also an option but has more caveats.
But I'm all ears.. We're just working to a safer and more protected platform ..
Robin
Ailan: we initially discussed the idea of having it like a firewall and blocking the ability to load the login screen; but this adds a huge amount of complexity and possibility that the shared login screen would take way too long to load or even prevent other customers logging in.
The other reason for doing it based on your tenant is we could look at future settings to allow with added layers of checking that you could override to access from IPs not on your list.
For example after login you could specify answers to security questions or a secondary MFA code.
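The tenant-level check Robin describes in this and the earlier post (named IP groups with a description, each set to allow or deny, evaluated after a successful login, with the possible future override that sends an unlisted address to a second factor instead of rejecting it) can be sketched in a few dozen lines. The block below is an added example for this thread, not Xcitium's or ITarian's code; the function names, field names, CIDR ranges and the trusted-proxy list are assumptions. It also covers a point the thread does not raise: the address being checked must come from the TCP peer, and an X-Forwarded-For header may only be trusted when that peer is one of the platform's own proxies, otherwise the restriction is defeated by a forged header.

```python
"""Post-login IP restriction check (illustrative example, not the product's code).

Groups of IP ranges carry a description and an allow/deny action. The check runs
after a successful login: deny groups win over allow groups, and an address in
no group is denied unless the tenant enabled the step-up override, in which case
the caller should demand a second factor instead of rejecting outright.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence, Tuple


@dataclass(frozen=True)
class IPGroup:
    name: str
    description: str          # free-text description shown to the admin
    action: str               # "allow" or "deny"
    networks: tuple           # ip_network objects, v4 and v6 may be mixed


def make_group(name: str, description: str, action: str, cidrs: Iterable[str]) -> IPGroup:
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action {action!r}")
    # strict=False lets an admin type "203.0.113.10/24" without clearing host bits
    nets = tuple(ipaddress.ip_network(c, strict=False) for c in cidrs)
    if not nets:
        raise ValueError("a group needs at least one range")
    return IPGroup(name, description, action, nets)


@dataclass(frozen=True)
class TenantPolicy:
    groups: Tuple[IPGroup, ...]
    allow_step_up_override: bool = False   # assumed name for the future MFA override setting


def matching_group(groups: Sequence[IPGroup], addr) -> Optional[IPGroup]:
    """Deny groups are checked first so an explicit deny always wins."""
    for wanted in ("deny", "allow"):
        for g in groups:
            if g.action == wanted and any(addr in n for n in g.networks):
                return g
    return None


def post_login_decision(policy: TenantPolicy, client_ip: str) -> Tuple[str, Optional[str]]:
    """Return ("allow" | "deny" | "step_up", matched group name or None)."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return ("deny", None)          # unparsable address: fail closed
    g = matching_group(policy.groups, addr)
    if g is None:
        return ("step_up" if policy.allow_step_up_override else "deny", None)
    return (g.action, g.name)


def client_ip_from_request(remote_addr: str, xff_header: Optional[str],
                           trusted_proxies: Iterable[str]) -> str:
    """Resolve the client address safely.

    X-Forwarded-For is only honoured when the TCP peer is one of our own
    proxies; otherwise the header is attacker-controlled and is ignored.
    Walking the header from the right skips our proxies and stops at the
    first hop we did not add ourselves.
    """
    proxies = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in p for p in proxies) or not xff_header:
        return str(peer)
    for hop in reversed([h.strip() for h in xff_header.split(",") if h.strip()]):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)           # malformed header: fall back to the socket peer
        if not any(hop_ip in p for p in proxies):
            return str(hop_ip)
    return str(peer)


# Constructed sample configuration: one MSP admin who logs in from a single
# static address, plus a VPN range with one address explicitly blocked.
SAMPLE_POLICY = TenantPolicy(
    groups=(
        make_group("office", "MSP admin static IP", "allow", ["203.0.113.10/32"]),
        make_group("vpn", "Corporate VPN egress", "allow", ["198.51.100.0/24"]),
        make_group("revoked", "Compromised VPN client", "deny", ["198.51.100.77/32"]),
    ),
    allow_step_up_override=True,
)

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.5", "198.51.100.77", "192.0.2.9", "garbage"):
        print(ip, "->", post_login_decision(SAMPLE_POLICY, ip))
    # A forged header from an untrusted peer is ignored; a real proxy chain is unwrapped.
    print(client_ip_from_request("192.0.2.9", "203.0.113.10", ["10.0.0.0/8"]))
    print(client_ip_from_request("10.0.0.1", "203.0.113.10, 10.0.0.5", ["10.0.0.0/8"]))
```

Two design choices worth noting: the check fails closed on anything it cannot parse, and the deny-before-allow ordering means an admin can carve one compromised address out of an otherwise trusted VPN range without editing the allow group. The step-up result is only a signal to the login flow; what the second factor is (security questions, another MFA code) is whatever the product decides to attach to it.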
Ailan
Robin: Hi Robin,
If the way around gives more options then that's also no problem.
The result will be the same.
And if we can then implement a second MFA code, then that is a welcome feature also.
So please do, implement IP lists and more MFA codes..
Ailan
Should I address this issue also on the Xcitium forum?