Restricting who can login remotely

I'm sure there is an obvious answer to this question, but I can't find it anywhere - hope someone can assist me.

I'm trying to find a way to restrict remote logins to Wayknow to only authorised people or machines. I don't mind much how this might be done, whether its by IP restriction, or password, but I do not want to leave Wayknow open to abuse by allowing essentially anyone to connect to end-user machines.

The problem I'm bumping into at the moment is that the use of a 'custom' password (from options->security) would probably work for me, but the password is visible to the end-users, and this is no good as almost all of them when under pressure will provide this password to support people who connect (or to nefarious people connecting).

So, ideally there would be some sort of overarching security possibility:

• Perhaps a password that is not displayed to end-users, but allows those with the password to connect. It doesn't have to be an unattended connection, I'm fine with allowing end-users the ability to see that IT is connecting to their machine, and even have them agree to it (via PFP), but the only external people connecting should be 'preauthorised' by way of a password
• Alternatively, connection IP restriction? Not immune to some fancy spoofing efforts perhaps, but still a pretty good blocker to an untargeted attack
• Preset certificates? Install obviously on both the end-user machines and the IT systems who would be doing the remote connecting. I see mention of Wayknow using certificates, but this seems to be largely undocumented insofar as I can see and may be related only to tunnel encryption??

I'm open to interesting work arounds as well. Anything really to keep the chances of a nasty remote connection down. I'm using security through obscurity at the moment and thats never good.