Skip to content
Cameo: membership organiser
  • Home
  • Features
  • Info
    • Demo
    • Pricing
    • More detail
  • For users
    • What’s New
    • Tutorials
    • Notes

Menu

  • Home
  • Features
  • Info
    • Demo
    • Pricing
    • More detail
  • For users
    • What’s New
    • Tutorials
    • Notes

Login improvements to “Remember me” and two-step verification

Posted by, Cameo on 3 Jan 2023

Remember me on login now remembers each computer/browser you use independently. It also no longer stops remembering you if you change networks, provided the IP address is one we have seen before. (If you already had remember me turned on, I’m afraid this change means you will have to log in next time, but you should then find it stays on more).

If you lose access to your two-step verification (aka two factor authentication, or 2FA) app, Cameo now offers two alternative methods for the second verification.

If you log in from an IP address we have not seen before, Cameo now sends you an email to let you know (so if it wasn’t you, we can do something about it).

And just a reminder that you have the option to log in without a password:

  • using a fingerprint reader, face ID, or a physical key
  • either in your browser or using your phone as a separate authenticator device,
  • with or without remember me and/or 2FA.

Contents

  • Background
  • “Remember me”
  • Two-step verification

Background

The remember me tick box on log-in keeps you logged in on the computer you use it on. It is, however, fairly conservative. In particular, it would require logging in again if your IP address changed. For example, if you take your laptop between home and work, or if you alternated log-in between different computers.

This is because the information needed to do this is stored in a cookie. If someone were to steal the cookie, and precautions were not in place, the thief could log in as you. The cookie is as powerful as your password.

In practice, this is very unlikely. Your browser protects these cookies so that an intruder would usually need to have physical or remote access to your computer to steal them. A script injection attack or rogue extension would not be sufficient.

Remember me still forgets you if you do not use Cameo for 30 days. We also cancel it if you deliberately log out (but now only on that computer).

Two-step verification uses an app, such as Google Authenticator, to require a second password generated by the app (which changes on each use), as well as your main password. If you lost access to the app (for example, if someone stole your phone), previously you could only request a password reset, which also turned off 2FA.

“Remember me”

Now, remember me remembers you separately on multiple computers. If your IP address (usually the network you are logging in from) changes, we only invalidate it if the IP address is previously unknown.

This means less logging in for you as a valid user, but only slightly relaxed precautions against identity theft. (If an attacker does have physical access to your computer, chances are they would have access to pretty much everything anyway).

Some providers change your domestic IP address from time to time. BT, for example, seems to change it every few weeks, while Virgin Media keeps it unchanged more-or-less indefinitely. On mobile networks, you will often get a new IP address each time you connect. When this happens, Cameo invalidates your remember me: it can’t distinguish that from any other unfamiliar IP address.

Two-step verification

Resetting your password no longer turns off two-step verification.

Instead, when you turn this on initially, in profile → two-step verification, Cameo provides you with ten codes to let you in if you don’t have access to your authentication app (Fig 1). Store these safely. You can only use each code once. Simply type or paste a backup code in place of the one you would use from the authenticator app.

Additionally, at that step, you can also ask for an email containing a new, one-time code (Fig 2). As with the pre-prepared backup codes, you can only use this once. Furthermore, you must use it within ten minutes of sending.

If you already have 2FA turned on and would like to obtain backup codes, delete the old account from the authenticator app, then turn it off and on again.

Fig 1: After turning on 2FA, Cameo provides you with 10 backup codes
Fig 2: Get a backup code sent to your email if you don’t have one to hand
Posted in What’s NewTagged Login

Post navigation

← Email tests elsewhere… and check spammyness
Subject access requests →

Subscribe to updates

Quick Start

  • A rapid-fire guide to what Cameo can do and where to look.

Recent Articles

  • CameoCSP WordPress plugin and Cameo Scriptwatch 21 Mar 2025
  • Automatic transactional lists and opt-out from all 11 Mar 2025
  • Payment processors and references 5 Mar 2025
  • Automatically suspend event booking 12 Feb 2025
  • See more about checked-in places in event bookings 12 Feb 2025
  • Box-office-style event bookings and tickets 9 Feb 2025
  • Named areas update 7 Feb 2025
  • Why do I always get the error message “your password reset link was incorrect or has expired” when l go to log in? 4 Feb 2025
  • Re-send email via pending 3 Feb 2025
  • Payment form can create a contact 3 Feb 2025

Categories

  • Getting Started
  • Notes
  • Questions
  • Tutorials
  • What’s New

Subjects

Admin API Apps Attachments Checkin Contacts CSV Custom Fields Donations Editor Email Enrolment Events Filestore Filters Financial Forms Fundraising Gift aid Images Import Lists Login MembershipRecords News Builder Notifications Optout Payments Questions Reconciliation Renewals Reports Searching Security Signup Social Media Stationery Stripe Substitutions Tags Templates Trading UI Version10 WordPress
Cameo is produced by David Earl.