Remember me on login now remembers each computer/browser you use independently. It also no longer stops remembering you if you change networks, provided the IP address is one we have seen before. (If you already had remember me turned on, I’m afraid this change means you will have to log in next time, but you should then find it stays on more).
If you lose access to your two-step verification (aka two factor authentication, or 2FA) app, Cameo now offers two alternative methods for the second verification.
If you log in from an IP address we have not seen before, Cameo now sends you an email to let you know (so if it wasn’t you, we can do something about it).
And just a reminder that you have the option to log in without a password:
- using a fingerprint reader, face ID, or a physical key
- either in your browser or using your phone as a separate authenticator device,
- with or without remember me and/or 2FA.
Background
The remember me tick box on log-in keeps you logged in on the computer you use it on. It is, however, fairly conservative. In particular, it would require logging in again if your IP address changed. For example, if you take your laptop between home and work, or if you alternated log-in between different computers.
This is because the information needed to do this is stored in a cookie. If someone were to steal the cookie, and precautions were not in place, the thief could log in as you. The cookie is as powerful as your password.
In practice, this is very unlikely. Your browser protects these cookies so that an intruder would usually need to have physical or remote access to your computer to steal them. A script injection attack or rogue extension would not be sufficient.
Remember me still forgets you if you do not use Cameo for 30 days. We also cancel it if you deliberately log out (but now only on that computer).
Two-step verification uses an app, such as Google Authenticator, to require a second password generated by the app (which changes on each use), as well as your main password. If you lost access to the app (for example, if someone stole your phone), previously you could only request a password reset, which also turned off 2FA.
“Remember me”
Now, remember me remembers you separately on multiple computers. If your IP address (usually the network you are logging in from) changes, we only invalidate it if the IP address is previously unknown.
This means less logging in for you as a valid user, but only slightly relaxed precautions against identity theft. (If an attacker does have physical access to your computer, chances are they would have access to pretty much everything anyway).
Some providers change your domestic IP address from time to time. BT, for example, seems to change it every few weeks, while Virgin Media keeps it unchanged more-or-less indefinitely. On mobile networks, you will often get a new IP address each time you connect. When this happens, Cameo invalidates your remember me: it can’t distinguish that from any other unfamiliar IP address.
Two-step verification
Resetting your password no longer turns off two-step verification.
Instead, when you turn this on initially, in profile → two-step verification, Cameo provides you with ten codes to let you in if you don’t have access to your authentication app (Fig 1). Store these safely. You can only use each code once. Simply type or paste a backup code in place of the one you would use from the authenticator app.
Additionally, at that step, you can also ask for an email containing a new, one-time code (Fig 2). As with the pre-prepared backup codes, you can only use this once. Furthermore, you must use it within ten minutes of sending.
If you already have 2FA turned on and would like to obtain backup codes, delete the old account from the authenticator app, then turn it off and on again.
