We now email you a security alert about an unfamiliar login if you use a different computer or browser for the first time, rather than a different IP address.
Contents
Background
Previously, Cameo used to send you a security alert when you logged in via an IP address where no one had used Cameo before. We did this so that if someone unauthorised manages to log in as you from somewhere else, you get to know about it.
However, this method generated too many false positives. That meant important messages start being ignored routinely.
- Increased use of Cameo via phones and tethered laptops on the move, where IP address changes each time
- BT seems to change IP address every time a computer makes a WiFi connection, even if it has seem that computer before.
What happens now
Now, we alert you when you use a different browser (after your first ever login).
That means if you carry a laptop around, you won’t be alerted when you join a new network any more, whether mobile or fixed. However, if you use a different computer (say home and office), you will receive an alert for the second computer the first time you log in there.
Caveats
what counts as a “new” browser?
If you change browser on the same computer, we send an alert. For example, you switch from Chrome to Firefox.
However, most browsers also have a mechanism where you can change identity. Each identity operates completely independently, similar to a different login on the same computer. Both of those count as different browsers, so produce alerts. However, each identity remembers logins from session to session so you would not receive further alerts.
Guest or incognito browser sessions behave as if they had an entirely new identity each time they start. So you would get an alert each time you re-open such a session and log in to Cameo.
browser/login combinations expire
To avoid accumulating ever-increasing records of browsers and logins indefinitely, we remove unused ones. We forget about a browser login after ninety days. If you don’t login using a particular browser for that time, we treat it as unfamiliar and send an alert.
“remember me”
If you have remember me turned on, that counts as a login for this purpose. So even if you rely entirely on remember me over a long period, you won’t get a security alert after ninety days.
However, remember me itself only works on IP addresses we have seen before, so you must log in explicitly when you connect on a new address. That is so that if your device is stolen, the thief does not remain logged in indefinitely. Of course, if your email remains logged in they can just do a password reset. If your password manager is still accessible, then they can just use that. So this is not a panacea, but it helps.
Note that many email systems and password managers also have switches to log out all sessions everywhere. Cameo also has a box to do this when you reset your password. That also now forgets the other browsers you have logged in from.