The network restrictions surrounding the web authentication service is one layer of defense. Is that
sufficient?