Thinking about my own usage patterns, when I'm working from home my laptop is VPNed to somewhere reasonably close lag-wise, but certainly not within 50 miles of my house. Meanwhile my phone is studiously checking my inbox using either the local cell tower or my home WiFi.

So if I go look at my personal access logs, I see myself flitting back and forth across the country constantly. I wonder how they plan to filter out these incredibly common false positives without also clobbering detection of thoroughly-owned (consistently-flitting) accounts.
So if I'm browsing your site from a VPN, you'll block me because of a datacenter IP. Then when I turn off my VPN to make your site work, you'll block me because I traveled too fast to my new location.
> We decided that "reasonable" was roughly the speed of sound.

I wonder whether they'll remember to bump this up once commercial flights on the Boom Overture start.
If they're not checking if it's the same device (or if it's a new device) that's connecting from the new IP, they're not really helping that much. Again, this is where client-based auth (preventative) is better than a spotty, reactive response.
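
An added example, not part of the thread and not the code of the product being discussed: it runs a speed-of-sound travel check over a constructed login history matching the VPN-laptop-plus-phone pattern from the first comment, once ignoring the device and once taking it into account. The device names, coordinates, the `enrolled` set and the 1235 km/h figure are assumptions made for illustration.

```python
import math
from collections import namedtuple

# Assumed value for the quoted "roughly the speed of sound" threshold.
SPEED_OF_SOUND_KMH = 1235.0

Login = namedtuple("Login", "hours lat lon device")

def haversine_km(a, b):
    """Great-circle distance between two logins, in km."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dp, dl = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(min(1.0, h)))

def too_fast(prev, cur, max_kmh):
    """True if getting from prev to cur would need more than max_kmh."""
    elapsed, dist = cur.hours - prev.hours, haversine_km(prev, cur)
    return dist > 0 if elapsed <= 0 else dist / elapsed > max_kmh

def naive_alerts(events, max_kmh=SPEED_OF_SOUND_KMH):
    """Compare each login with the previous one, ignoring the device."""
    return [c for p, c in zip(events, events[1:]) if too_fast(p, c, max_kmh)]

def device_aware_alerts(events, enrolled, max_kmh=SPEED_OF_SOUND_KMH):
    """Enrolled devices are compared with their own last login only;
    an unenrolled device is compared with the account's latest login."""
    last_by_device, last_any, alerts = {}, None, []
    for cur in events:  # events must be sorted by time
        prev = last_by_device.get(cur.device) if cur.device in enrolled else last_any
        if prev is not None and too_fast(prev, cur, max_kmh):
            alerts.append(cur)
        last_by_device[cur.device] = cur
        last_any = cur
    return alerts

# Constructed sample: laptop exits a VPN in Chicago, phone stays at home in
# Denver, then a never-seen device logs in from Seattle half an hour later.
EVENTS = [
    Login(0.0, 41.88, -87.63, "laptop"),
    Login(0.5, 39.74, -104.99, "phone"),
    Login(1.0, 41.88, -87.63, "laptop"),
    Login(1.5, 39.74, -104.99, "phone"),
    Login(2.0, 47.61, -122.33, "new-device"),
]

if __name__ == "__main__":
    print(len(naive_alerts(EVENTS)), "naive alerts")
    print([e.device for e in device_aware_alerts(EVENTS, {"laptop", "phone"})])
```

The per-device comparison still fires when one enrolled device changes its own exit point, such as the VPN toggle described in the second comment.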