One option for keeping an online account secure is using IP restriction. In short, IP restriction only lets you log in from computers within a set range of IP addresses.
While IP addresses have long been considered “insecure” for authentication, when combined with other security measures, IP addresses can add another layer of security to your account.
In our article about two-factor authentication, we explain how you can add protection to your online accounts by adding layers of security, called factors. It works the same way that an ATM card with a PIN protects your bank account. In order to prove that you are who you say you are, an ATM requires a card (“something you have”) and a code (“something you know”).
You can think of an IP address as something you have. It’s a number assigned to your computer by the network, so it can be used as another factor.
Of course, just like an ATM card, a U2F key, a phone, and other factors that are “something you have,” an IP address can be stolen, so by itself, it’s not enough to keep your account safe. But you can combine it with your password or other factors to improve your account’s security overall.
When to use and not to use IP restriction
If you’re already on board with this idea and ready to restrict logins on all your online accounts by IP address, you might want to take a step back first and think about whether IP restriction is right for you.
When you connect to your ISP’s network, they assign you an IP address. However, they might not assign you the same IP address in perpetuity.
On the other hand, if you have your own office, your IT team has probably set up a network for the office itself and your company’s ISP probably provided your company’s network with a range of IP addresses that you’ll have an exclusive right to.
If you’re travelling a lot, if your ISP assigns you a dynamic IP address, and if you can’t guarantee that you’ll always connect from a single IP address or a few IP addresses, IP restriction probably isn’t for you.
However, if you’re managing a company account, to manage your domain name portfolio for example, it makes a lot of sense to add IP restriction to your account login. You can restrict access to a single IP address or to a range of IP addresses used by your office and keep your company’s resources safe.
Implementing IP restriction
Before implementing IP restriction, you should talk to your IT team to make sure that your office has static IP addresses. They’ll know how to check.
Also, in order to add IP restriction to an online account, you’ll probably need your IP address or range in CIDR format. Check with your IT team if you need help getting this information.
Not all online accounts offer IP restriction, but where it is available you will generally find the option in the account’s security settings.
For example, to activate IP restriction at Gandi, you should go to “User Settings” and then “Change password & configure access restrictions.”
Once you’ve activated IP restriction, you will not be able to log in to your account from any IP address you didn’t list when you set up IP restriction.
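To make the CIDR format and the effect of the restriction concrete, here is an added Python example (not Gandi's code): it converts a first-to-last address range into CIDR notation and checks a login's source address against the list. The addresses are constructed from the ranges reserved for documentation, and the function names are hypothetical.

```python
import ipaddress


def range_to_cidr(first, last):
    """Express an inclusive first-last address range as the minimal CIDR blocks."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def parse_allowlist(entries):
    """Parse single addresses or CIDR ranges into network objects.

    strict=True rejects entries with host bits set (e.g. 203.0.113.5/24),
    which usually means a typo that would allow more or less than intended.
    """
    return [ipaddress.ip_network(entry.strip(), strict=True) for entry in entries]


def is_login_allowed(client_ip, allowlist):
    """Return True only if the source address falls inside a listed range."""
    addr = ipaddress.ip_address(client_ip)
    # A dual-stack server may report an IPv4 client as ::ffff:a.b.c.d;
    # unwrap it so it is compared against the IPv4 entries.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in allowlist)


if __name__ == "__main__":
    # Constructed office range: 203.0.113.16 through 203.0.113.31.
    print(range_to_cidr("203.0.113.16", "203.0.113.31"))
    # A range that is not aligned to a block boundary needs several entries.
    print(range_to_cidr("203.0.113.10", "203.0.113.20"))

    office = parse_allowlist(["203.0.113.16/28", "198.51.100.7"])
    for source in ("203.0.113.20", "203.0.113.32", "::ffff:203.0.113.20"):
        print(source, "allowed" if is_login_allowed(source, office) else "refused")
```

A range that does not start and end on a block boundary turns into several CIDR entries, which is worth knowing before you type a single range into a settings page.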
Deactivating IP restriction varies from account to account. At Gandi, you need to contact our Customer care team to deactivate IP restriction if you do not have access to your account.
If you always connect to sensitive online accounts from a single network, like your office network, or several networks with fixed IP addresses, you can protect your account beyond passwords and two-factor authentication by using IP restriction to allow logins only from the appropriate network.
This should probably involve consulting someone in your company with more technical expertise than you, but in the end, having another layer of security gives you greater control over your accounts and the important assets or information you may have in them.