
New Security Measure: Login Geolocation

By Scott Fennell on October 5, 2021

In the past few months, we’ve implemented various security measures such as rate limiting, browser inspection, CAPTCHA and CSAM monitoring.  Here’s another: Login Geolocation.

Currently, the LexBlog platform keeps track of your IP address when you sign in, so that we can detect whether you’ve logged in from that IP before.  If you haven’t, we send you a warning email.  It’s then up to you to review this email, check the IP address and confirm it’s a legitimate session.

While I like this solution for its simplicity, it has two drawbacks:

  1. For many non-technical bloggers, IP addresses are not a meaningful piece of information.  This warning means virtually nothing at all to them.
  2. Many users have an internet connection that uses dynamic IP addresses, so they get these warnings every time they sign in.  They (understandably) ignore them.

A better pattern would be to check physical location, also known as “geolocation,” as opposed to IP address. It addresses the two flaws above:

  1. Non-technical users understand that a far-flung country is suspicious.
  2. Even the most well-traveled blogger is not going to move around the surface of the earth as fast as a DDoS attack.  Therefore they will not get a significant volume of false positives from their normal work/home/travel routine.

Though still in development, this solution will look something like this upon release.

It’s worth noting that geolocation is not exactly perfect.  It can be off by a few cities.  In most cases, it will report your city or a directly neighboring one.  If it misses, it will likely miss to the same city each time, and you are likely already familiar with what city that is, because most web platforms use the same geolocation software and provide the same hits and near-misses.
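The difference between the two checks can be seen by replaying one login history through both. This is an added example, not LexBlog's implementation: the coordinates, the documentation-range IP addresses, the 100 km "nearby" radius and all function names are assumptions, and a real system would obtain the coordinates from a geolocation lookup.

```python
import math
from dataclasses import dataclass

# Assumption: a login within this distance of a known one is the same place (absorbs near-misses).
NEARBY_KM = 100.0

@dataclass(frozen=True)
class Login:
    ip: str
    city: str
    lat: float
    lon: float

# Constructed sample data: documentation-range IPs, approximate city coordinates.
SAMPLE = [
    Login("203.0.113.10", "Seattle", 47.6062, -122.3321),    # first login
    Login("203.0.113.77", "Seattle", 47.6062, -122.3321),    # dynamic IP changed
    Login("203.0.113.140", "Bellevue", 47.6101, -122.2015),  # neighbouring-city miss
    Login("198.51.100.23", "Reykjavik", 64.1466, -21.9426),  # far-away location
    Login("203.0.113.10", "Seattle", 47.6062, -122.3321),    # back on a known IP
]

def haversine_km(a, b):
    """Great-circle distance between two logins in kilometres."""
    lat1, lat2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def warn_by_ip(known, login):
    """Current behaviour: warn when the IP has never been seen."""
    return all(login.ip != past.ip for past in known)

def warn_by_location(known, login, radius_km=NEARBY_KM):
    """Geolocation behaviour: warn only when no known login is nearby."""
    return all(haversine_km(past, login) > radius_km for past in known)

def replay(logins):
    """Return (city, ip_warning, location_warning) for each login after the first."""
    known, results = [logins[0]], []
    for login in logins[1:]:
        ip_w, loc_w = warn_by_ip(known, login), warn_by_location(known, login)
        results.append((login.city, ip_w, loc_w))
        if not loc_w:  # assumption: a warned login is not trusted until the user confirms it
            known.append(login)
    return results

if __name__ == "__main__":
    print(*replay(SAMPLE), sep="\n")
```

The IP check warns on three of the four follow-up logins, while the location check warns only on the distant one.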

That small drawback is far preferable to the issues we are facing currently.  The false positive problem is so significant that many users filter these warning emails, or have even gone so far as to request that this security feature be disabled.  If you, dear reader, fall into that category, please consider reversing course.

Login geolocation will be a helpful security measure, but it’s just a stepping stone.  We plan to build on this work and eventually graduate to a flow where the user is blocked altogether when logging in from a new location, until they click an approval link in the warning email.  We plan to continue with that roadmap in early 2022.

Scott Fennell

Scott is a WordPress theme and plugin developer with a penchant for connecting the dots between services like MailChimp, Cloudflare, and GoDaddy. He has been published in A List Apart and CSS-Tricks.

  • Posted in:
    LexBlog
  • Blog:
    99 Park Row
  • Organization:
    LexBlog