We have changed how we identify trusted networks and computers.

We now email you a security alert about an unfamiliar login only if both of the following are true: you are using a computer or browser for the first time, and you are connecting from an IP address we have not seen before.

“Remember Me” on login should be more reliable now.

Background

Previously, Cameo sent you a security alert when you logged in from an IP address where no one had used Cameo before. We did this so that if someone unauthorised managed to log in as you from somewhere else, you would know about it.

However, this method generated too many false positives, so the alerts were routinely ignored, including the ones that mattered. Three things drove this:

  • Increased use of Cameo via phones and tethered laptops on the move
  • BT seems to change IP addresses fairly often
  • Windows changes its IPv6 address very frequently (by default it uses temporary “privacy” addresses on an IPv6 network)

“Remember Me” also only worked if your IP address stayed the same, so on a Windows PC on an IPv6 network it was not very useful.

What happens now

Now, we alert you when you use a different browser, but only after your first ever login, and only if the IP address is also one we have not seen before.

That means if you carry a laptop around, you will no longer be alerted when you join a new network, whether mobile or fixed. However, if you use a different computer (say home and office), you will receive an alert for the second computer the first time you log in there.

We also now trust just the first half of an IPv6 address (the 64-bit network prefix), which does tend to stay fixed, rather than the whole address, whose second half can change randomly. In effect we trust the whole IPv6 network, in the same way we do for most older-style IPv4 networks.

Caveats

what counts as a “new” browser?

If you change browser on the same computer, we send an alert. For example, you switch from Chrome to Firefox.

Most browsers also let you set up separate profiles (identities). Each profile operates completely independently, much like a separate login on the same computer, so each one counts as a different browser and produces an alert if you are also on an unfamiliar network. However, each profile remembers logins from session to session, so you would not receive further alerts from it.

Guest or incognito sessions, on the other hand, behave as if they were an entirely new identity each time they start, so each one is treated as a new browser.

when does an IP address differ?

The IP address that Cameo sees for you is usually shared by a whole network, depending on the provider. This is particularly the case for older-style IPv4 addresses.

Therefore, if you use a different computer in the same office or home network you will rarely get an alert, because the IP address Cameo sees for you is already familiar. You only get one if that address is also unfamiliar.

Some providers (e.g. BT) change the network IP address from time to time, which could trigger an alert if you also happen to change computer or browser at the same time. Others (like Virgin Media) only rarely change it, so all computers share a more-or-less static IP address. So you won’t get an alert if you use a new computer in the same Virgin Media network.

For IPv6 providers (BT, Zen, Toob, …), the first half of a computer’s IPv6 address changes rarely, so we now only count a change in that first half as a change of address. This also means that once anyone on an IPv6 network has logged in, the whole network is trusted, like older IPv4 networks.

Mobile providers vary in how they allocate IP addresses. On the whole, each device appears as if it were the only computer on its own local network, and its address will likely change each time you connect (including when you reconnect after losing signal in a railway tunnel, for example).

browser/login combinations expire

To avoid accumulating an ever-growing list of browsers and logins, we remove unused ones: we forget a browser login after ninety days. If you don’t log in from a particular browser for that long, we treat it as unfamiliar again and send an alert (if the network is also unfamiliar).

“remember me”

If you have remember me turned on, a session that is resumed by remember me after timing out counts as a login. So even if you rely entirely on remember me over a long period, you won’t get a security alert after ninety days.

However, remember me itself only works on IP addresses belonging to a network we have seen before, so you must log in explicitly when you connect from a new network. This is so that if your device is stolen, the thief does not get access to a remembered session. Of course, if your email is still logged in they can simply do a password reset, and if your password manager is still unlocked they can just use that. So this is not a panacea, but it helps.

Note that many email systems and password managers also have switches to log out all sessions everywhere. Cameo also has a box to do this when you reset your password, and ticking it now also forgets the other browsers you have logged in from.
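The rules set out under “What happens now” and “Caveats” (alert only when both browser and network are unfamiliar, never on a first login, IPv6 trusted by its first half, browser logins forgotten after ninety days, remember me refused on an unseen network, and the reset box forgetting browsers) fit in a few dozen lines. The model below is an added example written for this page, not Cameo’s own code. It assumes a browser is identified by a random cookie, that the IPv6 “first half” is the /64 prefix, that seen networks are remembered site-wide, and that browser logins are kept per account; the account names, addresses and dates in the walkthroughs are constructed.

```python
# Added illustrative model of the alert rules on this page; not Cameo's code.
# Assumptions: a browser is identified by a random cookie; the IPv6 "first
# half" is the /64 prefix; seen networks are site-wide; browser logins are per
# account and expire after ninety days.
from __future__ import annotations

import ipaddress
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

BROWSER_EXPIRY = timedelta(days=90)  # "we forget about a browser login after ninety days"


def new_browser_token() -> str:
    """Random cookie set on first login; a fresh profile or incognito window has none."""
    return secrets.token_urlsafe(32)


def network_key(ip: str) -> str:
    """IPv4: the whole address (shared by a home/office NAT).
    IPv6: only the /64 prefix; the second half is randomised by privacy extensions."""
    addr = ipaddress.ip_address(ip)
    prefix = 64 if addr.version == 6 else 32
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


@dataclass
class LoginOutcome:
    alert: bool  # email the "unfamiliar login" security alert?
    new_browser: bool
    new_network: bool


@dataclass
class TrustStore:
    browser_logins: dict[tuple[str, str], datetime] = field(default_factory=dict)
    networks: set[str] = field(default_factory=set)  # seen by anyone, ever
    seen_accounts: set[str] = field(default_factory=set)

    def _browser_known(self, account: str, token: str, now: datetime) -> bool:
        last = self.browser_logins.get((account, token))
        return last is not None and now - last <= BROWSER_EXPIRY

    def login(self, account: str, token: str, ip: str, now: datetime) -> LoginOutcome:
        """Password login: alert only if BOTH browser and network are unfamiliar,
        and never on an account's very first login."""
        net = network_key(ip)
        new_browser = not self._browser_known(account, token, now)
        new_network = net not in self.networks
        alert = new_browser and new_network and account in self.seen_accounts
        self.browser_logins[(account, token)] = now  # restarts the ninety-day clock
        self.networks.add(net)
        self.seen_accounts.add(account)
        return LoginOutcome(alert, new_browser, new_network)

    def resume_remembered(self, account, token, ip, now) -> LoginOutcome | None:
        """Remember-me after a timeout: refused on a never-seen network (stolen
        laptop) or from a forgotten browser; otherwise it counts as a login."""
        if network_key(ip) not in self.networks or not self._browser_known(account, token, now):
            return None
        return self.login(account, token, ip, now)

    def reset_password(self, account: str, log_out_everywhere: bool) -> None:
        """The log-out-everywhere box at reset also forgets the account's browsers."""
        if log_out_everywhere:
            for key in [k for k in self.browser_logins if k[0] == account]:
                del self.browser_logins[key]


def walkthrough() -> list[bool]:
    """Scenarios from the page with constructed addresses; returns each alert decision."""
    store, t0 = TrustStore(), datetime(2024, 1, 1, tzinfo=timezone.utc)
    laptop, desktop = new_browser_token(), new_browser_token()
    day = lambda n: t0 + timedelta(days=n)
    return [
        store.login("alice", laptop, "203.0.113.10", day(0)).alert,   # first ever login
        store.login("alice", laptop, "198.51.100.77", day(1)).alert,  # same laptop, new network
        store.login("alice", desktop, "192.0.2.5", day(2)).alert,     # new computer AND new network
        store.login("alice", new_browser_token(), "203.0.113.10", day(3)).alert,  # new computer at home
        store.login("alice", laptop, "2001:db8:1:2:1111:2222:3333:4444", day(4)).alert,
        # Windows privacy address changed but same /64: familiar network, no alert
        store.login("alice", new_browser_token(), "2001:db8:1:2:aaaa:bbbb:cccc:dddd", day(5)).alert,
        store.login("alice", laptop, "198.51.100.200", day(96)).alert,  # laptop idle 92 days: alert again
    ]


def remember_me_walkthrough() -> tuple[bool, bool, bool]:
    """Does remember-me resume: on a thief's network, at home, at home after a reset?"""
    store, t0 = TrustStore(), datetime(2024, 1, 1, tzinfo=timezone.utc)
    laptop, later = new_browser_token(), t0 + timedelta(days=10)
    store.login("bob", laptop, "203.0.113.10", t0)
    on_thief_network = store.resume_remembered("bob", laptop, "198.51.100.9", later) is not None
    at_home = store.resume_remembered("bob", laptop, "203.0.113.10", later) is not None
    store.reset_password("bob", log_out_everywhere=True)
    after_reset = store.resume_remembered("bob", laptop, "203.0.113.10", later) is not None
    return on_thief_network, at_home, after_reset
```

The walkthrough yields an alert only in the third scenario (office desktop on an unseen network) and the last (the laptop unused for more than ninety days, then taken to a new network); the IPv6 case shows why keying on the /64 prefix matters, since the randomised second half of the address would otherwise look like a new network every day. The remember-me walkthrough returns refused, allowed, refused: the thief’s network is unknown, home is known, and after a reset with the log-out-everywhere box ticked the laptop is no longer a remembered browser.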