October 14th, 2004, 04:25 PM
#20
Depends if SSL is installed, right?
If you are running any kind of admin section, all the traffic to that area should be done over SSL; you never know who might be listening.
<quote>
How about keypair auth via a website? Simply point it to a file that contains your key, which gets uploaded to the server and validated. If it's an invalid key, no go.
By the way, this isn't some lame attempt at security through obscurity is it? </quote>
I like the idea, but wouldn't want it to depend on something extra being installed on the server, like gnupg, because I'm not expecting all the users of the CMS to have admin on their server. Could probably still work though.
That is how SSL client-side certificate authentication works.
All in all, after reading this thread, form-based authentication with user names and passwords would still be best and probably your most secure option. Having said that, it does rely on the auth being set up correctly, i.e.:
the use of strong passwords,
not giving any information away in error messages (one static message is the best way to go),
account timeout for wrong attempts (not account lockout, as it can be used as a DoS attack),
correctly validating all data sent from the client (not going to go into that or I will be here all day),
storing all information about the client, like who they are and what rights they have etc., in session-scope variables,
etc., etc.
Let us know how you get on, Soda_Popinsky.
SittingDuck
I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"
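The login checklist in the post above (one static error message, a temporary timeout rather than a lockout, rights kept server-side in the session), worked into a small form-login handler. This is an added example, not code from the thread or from any CMS it discusses; the user store, the failure thresholds and the role mapping are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

def _derive(password, salt):
    # Slow, salted hash so a leaked store cannot be cracked cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed demo user store: username -> (salt, pbkdf2 hash). Not a real DB.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _derive("correct horse battery staple", _SALT))}
_DUMMY_SALT = b"\x00" * 16   # used to spend the same hashing cost for unknown users

GENERIC_ERROR = "Invalid username or password."  # one static message, always
MAX_FAILURES = 5          # wrong attempts before a cool-down begins
COOLDOWN_SECONDS = 300    # temporary timeout, not a permanent lockout (no DoS handle)

_failures = {}  # username -> (consecutive failures, cool-down expiry timestamp)

def login(username, password, now=None):
    """Return (ok, message, session). The message never says which part was wrong."""
    now = time.time() if now is None else now
    count, until = _failures.get(username, (0, 0.0))
    if now < until:
        # In cool-down: same generic answer, so the caller cannot tell the account exists.
        return False, GENERIC_ERROR, None
    record = USERS.get(username)
    if record is None:
        _derive(password, _DUMMY_SALT)  # equalise timing for unknown names
        ok = False
    else:
        salt, stored = record
        ok = hmac.compare_digest(_derive(password, salt), stored)
    if not ok:
        count += 1
        if count >= MAX_FAILURES:
            # Start the timeout and reset the counter for the next window.
            _failures[username] = (0, now + COOLDOWN_SECONDS)
        else:
            _failures[username] = (count, 0.0)
        return False, GENERIC_ERROR, None
    _failures.pop(username, None)
    # Identity and rights are decided here and kept in the server-side session,
    # never taken from cookies or form fields supplied by the client.
    roles = ["admin"] if username == "alice" else ["user"]
    return True, "ok", {"user": username, "roles": roles}
```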