IP addresses as an auth factor in the era of device roaming and IPv6

Do you regularly visit websites where the “Remember me” checkbox next to the login form doesn’t seem to work? You have to log in to the website anew every day, or even multiple times per day. There are many potential root causes for why the website or your browser drops the session. I’d like to discuss one of them in particular: source-IP-based authentication.

Source-IP-based authentication is a practice originating from the pre-encryption era, when most web traffic was sent unencrypted over HTTP. In an attempt to prevent intercepted session tokens from being used by a third party, servers would tie these tokens to the IP address that initiated the session and invalidate a token if another IP address tried to use it. Even though IP addresses can be spoofed, this was a sensible precaution that raised the bar on what was required to exploit intercepted data.

This security measure made sense when most people only accessed websites and services from one device in one location. Today, however, people have mobile devices and roam from their home Wi-Fi to mobile data to a corporate Wi-Fi network. All major operating systems have implemented the IPv6 privacy extensions, which means that a device’s IPv6 address will change at least once per day even if it stays on the same network.

Today, websites and services rely on encrypted connections (HTTPS) to protect session tokens and keep them private. The risk of interception is thus significantly reduced, and the practice of tying sessions to IP addresses now causes usability problems: people’s usage patterns and technology have changed, but the practice remains.

Many web platforms and software packages haven’t been updated to stop using IP addresses as part of their authentication checks. This increases the number of times customers have to log in to websites on mobile devices, and on IPv6 networks compared to IPv4. It’s frustrating for people to keep logging in all the time, especially when the login form has a “Remember me” option that isn’t honored.

Webmail, forums, and other software that predates the fairly recent boom in HTTPS adoption are especially prone to this problem. For example, people who use the popular Horde webmail platform may be familiar with the error message: “Your Internet Address has changed since the beginning of your Mail session. To protect your security, you must login again.” This kind of software generally has an option that lets administrators disable the IP address check, but since the check is on by default, it is not likely to be changed.
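To make the two behaviours concrete, here is an added Python example. It is not code from the post, nor from Horde or any other software the post names: a minimal server-side session store with a switchable source-IP check, run against a constructed sequence of client addresses (home IPv6, the same /64 after a privacy-extension address rotation, mobile IPv4, corporate IPv6). The user name, the addresses (documentation ranges), the store layout and the Secure/HttpOnly cookie attributes are all my assumptions; the quoted error text is the one from the post.

```python
import ipaddress
import secrets
from dataclasses import dataclass

# Error text quoted in the post above (Horde's wording), used here as the
# message the strict validator returns when the address check fails.
IP_CHANGED_MSG = (
    "Your Internet Address has changed since the beginning of your Mail "
    "session. To protect your security, you must login again."
)


@dataclass
class Session:
    user: str
    origin_ip: str  # address that created the session (canonical text form)


class SessionStore:
    """Minimal server-side session table with a switchable source-IP check.

    bind_to_ip=True reproduces the legacy behaviour the post describes: the
    token is only honoured from the address that created it, and any other
    address kills the session.  bind_to_ip=False is the HTTPS-era setting:
    the token is protected in transit by TLS and by the cookie attributes
    below, not by the client's address.  (Constructed example, not Horde.)
    """

    def __init__(self, bind_to_ip: bool):
        self.bind_to_ip = bind_to_ip
        self._sessions: dict[str, Session] = {}

    @staticmethod
    def _canonical(ip: str) -> str:
        # Normalise so "2001:DB8::1" and "2001:db8:0:0::1" compare equal.
        return str(ipaddress.ip_address(ip))

    def login(self, user: str, client_ip: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self._canonical(client_ip))
        return token

    @staticmethod
    def set_cookie_header(token: str, max_age_days: int = 30) -> str:
        # Persistent "Remember me" cookie: sent only over HTTPS (Secure),
        # hidden from scripts (HttpOnly), with the lifetime the checkbox promises.
        return (f"Set-Cookie: session={token}; Max-Age={max_age_days * 86400}; "
                "Secure; HttpOnly; SameSite=Lax; Path=/")

    def validate(self, token: str, client_ip: str) -> tuple[bool, str]:
        session = self._sessions.get(token)
        if session is None:
            return False, "unknown or expired session"
        if self.bind_to_ip and session.origin_ip != self._canonical(client_ip):
            del self._sessions[token]  # legacy behaviour: force a fresh login
            return False, IP_CHANGED_MSG
        return True, session.user


# Constructed request sequence for one user over a day, using documentation
# address ranges (2001:db8::/32 and 198.51.100.0/24): home IPv6, the same
# /64 after the privacy-extension rotation, mobile data over IPv4, then
# corporate IPv6.
ROAMING_SEQUENCE = [
    "2001:db8:1:1:8c2f:1a7e:4b13:99d0",  # home Wi-Fi, day-1 temporary address
    "2001:db8:1:1:f3a1:0d2c:7e58:2b44",  # home Wi-Fi, rotated temporary address
    "198.51.100.23",                      # mobile data (carrier IPv4)
    "2001:db8:2:2::1",                    # corporate Wi-Fi
]


def simulate_roaming(bind_to_ip: bool, addresses=ROAMING_SEQUENCE) -> list[bool]:
    """Log in from the first address, then present the same token from each
    address in turn; return whether each request was accepted."""
    store = SessionStore(bind_to_ip=bind_to_ip)
    token = store.login("alice", addresses[0])
    return [store.validate(token, ip)[0] for ip in addresses]


if __name__ == "__main__":
    for mode in (True, False):
        print(f"bind_to_ip={mode}:", simulate_roaming(mode))
```

With `bind_to_ip=True` only the first request succeeds: the privacy-extension rotation alone is enough to trigger the "Internet Address has changed" path, and because the session is deleted at that point every later request fails as unknown. With `bind_to_ip=False` all four requests are accepted on the same token, which is what a honoured "Remember me" looks like to a roaming user.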

Website administrators may not even be aware of the login problems their customers face on IPv6. They may not have IPv6 in their test environments, and their websites may be served through an intermediary proxy that adds IPv6 capabilities after the testing stage.

A research paper that surveyed 9618 IP addresses and compared their known locations to the locations returned by three of the most popular IP-to-geolocation service providers found that IPv6 lookups are significantly less accurate than IPv4 lookups. The researchers found that 68,33 % of the IPv6 addresses they tested could be placed within a 1000-kilometer radius of their known location. For IPv4 addresses the figure was 87,33 %, or 95,5 % if you exclude the least accurate provider.

That means that, from where I’m sitting right now in Oslo, Norway, there’s a 68,33 % probability that I’m in one of 11 countries. I’ve experienced IP-to-geolocation services incorrectly pinpointing me as being in another country, and placing me at three different remote locations just in the course of the last year. Not even country-level accuracy is reliable enough for authentication purposes when customers are expected to roam with their devices. If you still want to use location as a factor, either rely on the HTML Geolocation API for more accurate location data, or set continent-based geographical restriction policies instead of country-level policies based on IP addresses.

IPv6 currently accounts for roughly 12 % of global internet traffic and 29 % in the United States, according to Google.

Sources