I find authentication the least problematic place where risk based on IP is used. Etsy, for example, will suspend your seller account if it sees too many logins from different IPs or if it's from an IP it has flagged before. It also has terrible seller customer service, so it could take weeks to get it unsuspended. Heard of some people using Private Relay getting hit by this during the beta, so hopefully Etsy gets rid of that system.
> As of writing this blog I was in Switzerland and the IP used to egress my traffic was in a region located in the US. If this also tends to change a lot and fast you can basically throw away IP addresses as data of your RIBA.

Wait, so my data will be routed to US servers, as an EU resident, where the data protection laws are not as strong as where I live? This is a really bad idea, as the US is known to tap any data it can get on its soil.
I hadn't known there was a term for this braindead idea that websites should hassle you based on your IP address. Of course there has to be a term; compartmentalization is necessary for getting good people to do bad things.

It's fantastic that Apple is continuing to mitigate commercial surveillance. It's easy to discriminate against us lone individuals who hide our IP addresses, but Apple's market is too big to reject. If they're successful here, I'll have to consider buying a Mac purely for their VPN service.

Perhaps they'll take on CAPTCHAs next.
When Google Workplace locks users because of this, and I'm fairly sure they will because they're super aggressive with IPs that change via VPN, they'll bounce incoming mail for that user.

Have fun everyone!
Thank you. Can someone please break security questions next so I don't have to store four passwords instead of one to log in to my accounts?

Please kill opt-out-less 2FA while you're at it. (Thanks Amazon, been enjoying that change!)
Did it actually break risk-based authentication though? Sure, legitimate users will be using Apple's Relay, but what's stopping attackers from using it? If the users of the service are choosing to be indistinguishable from attackers, then that's on them.

I think of it like reputation in real life. If you come knocking on my door, and I can see and recognize you, I'll open it. If you cover up my peephole or hide yourself so that I can't recognize you, why would I even let you know I'm home? Even if you tell me who you are, shouldn't I be worried that someone is impersonating you?

At the very least I'd expect users from anonymizing IPs to have to jump through some extra hoops like captcha and 2FA.
I thought Private Relay would not change the geo-region of users (e.g., proxy to IPs of the same country) in order to keep online streaming companies (e.g., Netflix) happy. This is different from what is said in this post. Is it no longer the case, or was it never the case?
“Welcome back! Hey looks like you are using a new device, how about we just ignore that greeting and use this other separate login process every fucking session”
Great. RIBA is a really poor method that causes a lot of false positives for expats like myself. I'm really happy that more people will suffer this digital discrimination because it will mean it will go away.

I live in Spain, I'm from the Netherlands and have lived in Ireland as well, leading to tons of "soft block" nightmares.
"But please stop relying on RIBA for the plain authentication of a user!"

Well, I'm not sure everyone will be happy to do that. Tying session tokens to source IP addresses is usually not a bad practice and is rarely the only mitigation used.
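The two comments above pull in opposite directions: one wants anonymizing IPs to trigger extra hoops (captcha, 2FA), the other wants to keep using source IP as one signal among several. An added example, not code from any commenter or from Apple, of a scoring policy that reconciles them: a shared relay egress IP counts as "unknown" rather than "hostile", the device signal dominates, and the outcome is a step-up challenge instead of a hard block. The egress ranges and thresholds are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholder ranges standing in for a relay's published egress
# list (hypothetical, not Apple's real ranges). A shared egress IP carries no
# per-user reputation, so it is treated as "unknown", never as "hostile".
RELAY_EGRESS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

@dataclass
class LoginAttempt:
    user: str
    ip: str
    password_ok: bool
    device_known: bool  # device cookie/fingerprint previously seen for this user

def is_relay_ip(ip: str) -> bool:
    return any(ip_address(ip) in net for net in RELAY_EGRESS)

def risk_score(a: LoginAttempt, known_ips: set, flagged_ips: set) -> int:
    """Score the attempt: IP is one soft signal, the device signal dominates."""
    score = 0
    if not a.device_known:
        score += 2          # new device is the strongest single signal
    if is_relay_ip(a.ip):
        score += 1          # relay egress: unknown, not suspicious
    elif a.ip in flagged_ips:
        score += 3          # an IP with its own bad history
    elif a.ip not in known_ips:
        score += 1          # plain new IP (travel, ISP change)
    return score

def decide(a: LoginAttempt, known_ips: set, flagged_ips: set) -> str:
    """Return 'allow', 'step_up' (ask for a second factor) or 'deny'."""
    if not a.password_ok:
        return "deny"
    score = risk_score(a, known_ips, flagged_ips)
    if score <= 1:
        return "allow"
    return "step_up" if score <= 3 else "deny"

def record_failure(ip: str, flagged_ips: set) -> None:
    """Never flag a shared relay IP: that would penalise every relay user."""
    if not is_relay_ip(ip):
        flagged_ips.add(ip)
```

With these weights a known device behind the relay logs in without friction, an unknown device behind the relay gets a 2FA challenge, and only a flagged non-relay IP on an unknown device is refused outright.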
Just occurred to me that Apple's upcoming iCloud Private Relay will break nearly all GDPR solutions. Am guessing this has been written up already by someone. Any good perspectives?