We now email you a security alert about an unfamiliar login if you use a different computer or browser for the first time and the IP address is also different.
Background
Previously, Cameo sent you a security alert when you logged in via an IP address where no one had used Cameo before. We did this so that if someone unauthorised managed to log in as you from somewhere else, you would get to know about it.
However, this method generated too many false positives. That meant important messages started being ignored routinely.
- Increased use of Cameo via phones and tethered laptops on the move, where the IP address changes each time.
- BT seems to change the IP address every time a computer makes a WiFi connection, even if it has seen that computer before.
What happens now
Now, we alert you when you use a different browser (after your first ever login, and if the IP address is also not one we have seen before).
That means if you carry a laptop around, you won’t be alerted when you join a new network any more, whether mobile or fixed. However, if you use a different computer (say home and office), you will receive an alert for the second computer the first time you log in there.
Caveats
what counts as a “new” browser?
If you change browser on the same computer, we send an alert. For example, you switch from Chrome to Firefox.
However, most browsers also have a mechanism where you can change identity. Each identity operates completely independently, similar to a different login on the same computer. Both of those count as different browsers, so produce alerts. However, each identity remembers logins from session to session so you would not receive further alerts.
Guest or incognito browser sessions behave as if they had an entirely new identity each time they start. So you would get an alert each time you re-open such a session and log in to Cameo.
when does an IP address differ?
The IP address that Cameo sees for you is sometimes shared by a whole network, depending on the provider. This is particularly the case for older-style IPv4 addresses, which are in short supply.
Therefore, if you use a different computer in the same office or home network you may or may not get an alert. This depends on whether the IP address Cameo sees for you is also unfamiliar.
Some providers (e.g. BT) change the network IP address regularly and use IPv6. That means every computer has its own global IP address, which also changes routinely (this is not supposed to happen using IPv6, but it does).
Others (like Virgin Media) only rarely change and do not yet offer IPv6, so all computers share a more-or-less static IP address. So you won’t get an alert if you use a new computer in the same Virgin Media network.
Toob customers get a fixed IPv6 address for each computer. So there, you would get an alert on a different computer in the same network.
browser/login combinations expire
To avoid accumulating ever-increasing records of browsers and logins indefinitely, we remove unused ones. We forget about a browser login after ninety days. If you don’t log in using a particular browser for that time, we treat it as unfamiliar and send an alert.
“remember me”
If you have remember me turned on, that counts as a login for this purpose. So even if you rely entirely on remember me over a long period, you won’t get a security alert after ninety days.
However, remember me itself only works on IP addresses we have seen before, so you must log in explicitly when you connect on a new address. That is so that if your device is stolen, the thief does not remain logged in indefinitely. Of course, if your email remains logged in they can just do a password reset. If your password manager is still accessible, then they can just use that. So this is not a panacea, but it helps.
Note that many email systems and password managers also have switches to log out all sessions everywhere. Cameo also has a box to do this when you reset your password. That also now forgets the other browsers you have logged in from.
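The alert rule described above, sketched as an added example (this is not Cameo's own code). It assumes each browser is recognised by an opaque persistent token, that seen IP addresses are kept per user and never expire, and that an expired browser is treated like any other unfamiliar browser; the class, function names and sample logins are all hypothetical.

```python
from datetime import datetime, timedelta

BROWSER_TTL = timedelta(days=90)  # a browser login is forgotten after ninety days

class LoginHistory:
    """Per-user record of browsers and IP addresses seen (hypothetical model)."""

    def __init__(self):
        self.browsers = {}  # browser token -> time of last login from it
        self.ips = set()    # IP addresses already seen for this user (assumed per user)
        self.logged_in_before = False

    def remember_me_allowed(self, ip):
        """Remember me only works on an IP address seen before."""
        return ip in self.ips

    def record_login(self, browser, ip, now):
        """Record a login (explicit or via remember me); return True if an alert is due."""
        # Drop browsers unused for ninety days so they count as unfamiliar again.
        self.browsers = {b: t for b, t in self.browsers.items() if now - t < BROWSER_TTL}
        new_browser = browser not in self.browsers
        new_ip = ip not in self.ips
        # Alert only after the first ever login, and only when both are unfamiliar.
        alert = self.logged_in_before and new_browser and new_ip
        self.browsers[browser] = now
        self.ips.add(ip)
        self.logged_in_before = True
        return alert

def replay(events):
    """Replay (day, browser, ip) logins for one user; return the alert decisions."""
    history, start = LoginHistory(), datetime(2024, 1, 1)
    return [history.record_login(b, ip, start + timedelta(days=d)) for d, b, ip in events]

# Constructed sample logins (documentation-range addresses, made-up browser tokens).
SAMPLE = [
    (0, "laptop-chrome", "198.51.100.7"),    # first ever login
    (1, "laptop-chrome", "203.0.113.20"),    # same browser on a new network
    (2, "office-firefox", "198.51.100.7"),   # new browser behind a known shared IP
    (3, "incognito-a", "2001:db8::10"),      # new browser and new IP
    (4, "incognito-b", "2001:db8::11"),      # fresh incognito session, new IP
    (100, "laptop-chrome", "2001:db8::12"),  # browser unused for 99 days, new IP
    (101, "laptop-chrome", "2001:db8::99"),  # browser known again, new IP
]

if __name__ == "__main__":
    for event, alert in zip(SAMPLE, replay(SAMPLE)):
        print(event, "ALERT" if alert else "no alert")
```

Only the fourth, fifth and sixth logins raise an alert: roaming with a known browser and joining a known shared address with a new browser both stay quiet.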