Quote:
Originally Posted by Vendot
Sure thing but it makes it a lot more difficult and 2FA is only good for one login so it's going to severely limit the damage if you access through a phish link.
|
Depends on the site. It may be possible to prolong the session indefinitely (or at least for many hours) if you regularly refresh a page, or send an AJAX request.
Quote:
Originally Posted by Vendot
Good idea. The problem with GEO IP is that it's not very accurate. Once that is solved, you could also limit people by country and that would enhance security greatly.
|
GeoIP could be used to flag a possible hack attempt - if the last 100 logins are from the USA but the account is suddenly logging in from CN or RU there's probably something up - but I was suggesting something more simple: any new IP needs to be authenticated, perhaps via an email link, or better, something like SMS. Would get pretty annoying if you have a dynamic IP that regularly changes, or you're a hipster that likes to work out of cafes with free wifi.
Then again.... I guess people who fall for phishing aren't going to know or care about IP-based security. Or 2FA, for that matter.
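The new-IP check and the GeoIP flag suggested in the post above, as an added example that is not part of the original post: a login from an unseen IP needs out-of-band confirmation, and an unseen IP from a country absent from the recent history is flagged instead. The class and function names, the account name and the sample logins are assumptions made for the illustration, and the country code is assumed to come from a GeoIP lookup done elsewhere.

```python
from collections import defaultdict, deque

HISTORY = 100  # recent logins remembered per account ("the last 100 logins")


class LoginPolicy:
    """Hypothetical per-account login history used to grade each login."""

    def __init__(self, history=HISTORY):
        self.known_ips = defaultdict(set)  # IPs already confirmed per account
        self.countries = defaultdict(lambda: deque(maxlen=history))

    def evaluate(self, account, ip, country):
        """Return 'allow', 'step_up' (new IP) or 'flag' (new IP, unseen country)."""
        if ip in self.known_ips[account]:
            self.countries[account].append(country)
            return "allow"
        seen = self.countries[account]
        # A country change is only an anomaly once there is history to compare to.
        if seen and country not in seen:
            return "flag"
        return "step_up"

    def confirm(self, account, ip, country):
        """Record an IP after the email/SMS confirmation succeeded."""
        self.known_ips[account].add(ip)
        self.countries[account].append(country)


# Constructed sample logins (documentation IP ranges, made-up account).
SAMPLE = [
    ("alice", "192.0.2.10", "US"),    # first login ever
    ("alice", "192.0.2.10", "US"),    # same IP again
    ("alice", "198.51.100.7", "US"),  # dynamic IP changed, same country
    ("alice", "203.0.113.99", "CN"),  # new IP and a country never seen before
]


def run_sample(events=SAMPLE):
    policy, decisions = LoginPolicy(), []
    for account, ip, country in events:
        decision = policy.evaluate(account, ip, country)
        decisions.append(decision)
        if decision == "step_up":
            policy.confirm(account, ip, country)  # assume the user confirmed
    return decisions


if __name__ == "__main__":
    print(run_sample())
```

The third sample login shows the annoyance the post mentions: every address change on a dynamic IP triggers another confirmation, even though the country never changes.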