10 comments

[ 2.3 ms ] story [ 31.7 ms ] thread
> We decided that "reasonable" was roughly the speed of sound.

I wonder whether they'll remember to bump this up once commercial flights on the Boom Overture start.

Thinking about my own usage patterns, when I'm working from home my laptop is VPNed to somewhere reasonably close lag-wise, but certainly not within 50 miles of my house. Meanwhile my phone is studiously checking my inbox using either the local cell tower or my home WiFi.

So if I go look at my personal access logs, I see myself flitting back and forth across the country constantly. I wonder how they plan to filter out these incredibly common false positives without also clobbering detection of thoroughly-owned (consistently-flitting) accounts.

This is a security product focused on the workplace, so they just need to mark their VPN IPs as trusted, or look at the flow logs between the user’s VPN packets to detect the original IP they’re connecting from.
GrubHub has this problem, kind of I think. If I'm on a VPN GrubHub will often deny access ("invalid password"...). Worse is, logging off of the VPN doesn't immediately help and neither does using another browser. Only thing I can do is wait until it decides to forget. Absolutely frustrating.
That’s almost certainly nothing related to location detection so much as it is the VPN block of IPs being marked as less trustworthy. Then there’s a cooldown on a flagged account that stops you even after disconnecting.
this (practically ubiquitous use of VPNs) is the number one reason sec analysts hate impossible travel alerts lol.

A better technical solution is prevention of access via IP allowlisting and then only allowing specific (Corp VPN) addresses.

So if I'm browsing your site from a VPN, you'll block me because of a datacenter IP. Then when I turn off my VPN to make your site work, you'll block me because I traveled too fast to my new location.
(comment deleted)
Yes, because IP based geolocation is famously accurate.
If they're not checking if it's the same device (or if it's a new device) that's connecting from the new IP, they're not really helping that much. Again, this is where client-based auth (preventative) is better than a spotty, reactive, response.