This is MUST when the admin interface starts growing. Currently it is minimal, so there is no need to have anything more complex.

But as soon as we have 3 different admin views, this is something needed.

A simple cookie based authentication should be enough with a fixed credentials in settings.py? I think bot "admin user" management is too much in this point?

Shure, I don't want to support LDAP authentification for that :)
Actualy, we got SHARED_SECRET in settings.py. We can implement some decorator for marking views as administrative. And check some session key if user is 'logged in'. Not a rocket science :)

There is working example in Flask documentation: http://flask.pocoo.org/docs/patterns/viewdecorators/#login-required-decorator
Or we can use ready to use module http://packages.python.org/Flask-Login/