I’m currently traveling internationally and many of the apps and websites I use regularly have recognized that my IP address means I’m not where I usually am and so have prompted me to log in again or triggered “security alert” emails to be sent.

In my opinion, the “worst offender” was the app that logged me out and forced me to log in again (2FA when traveling can be more frustrating than normal) even though all I wanted to do was use the app to view some data. I wasn’t creating or even acting upon anything. I was just viewing existing data stored in the app.
This felt like an unnecessary overreaction. If I was going to create something new and public (or even “like”, save, or bookmark an item) then getting me to re-auth would have been acceptable. Kicking me out as if I’d never used the app before seems unnecessary.

What are the lessons?

  • Ask: are we being reasonable about assessing security risks?
  • Ask: are prompts for re-authentication proportionate to the action being taken (viewing data that is already there, versus creating, liking, saving or otherwise acting on something)?
  • Ask: are we making design decisions based on what’s best/preferable for the person using the software or for the purity of the data we capture about them?
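One way to make the second question concrete, as an added example that is not code from the original post: a small policy that classifies each request by the sensitivity of the action and each session by risk signals (the "new country" signal the post describes, plus an unknown device and a session that never completed 2FA), and then picks the least disruptive control that fits the combination. The action names, the risk signals, the scores and the thresholds are assumptions chosen for illustration, not anything the post or any particular app specifies.

```python
"""Action- and risk-proportional re-authentication policy.

Added example, not code from the original post. The action names, the
risk signals, the scores and the thresholds are assumptions chosen for
illustration; a real deployment would tune them against its own data.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Sensitivity(Enum):
    READ = 0       # viewing data the user already has access to
    WRITE = 1      # creating, liking, saving or bookmarking something
    CRITICAL = 2   # credential or contact-detail changes


# Assumed mapping of application actions to sensitivity tiers.
ACTION_SENSITIVITY = {
    "view_dashboard": Sensitivity.READ,
    "like_item": Sensitivity.WRITE,
    "bookmark_item": Sensitivity.WRITE,
    "create_post": Sensitivity.WRITE,
    "change_email": Sensitivity.CRITICAL,
    "change_password": Sensitivity.CRITICAL,
}


class Decision(Enum):
    ALLOW = "allow"                 # serve the request silently
    NOTIFY = "allow_and_notify"     # serve it, but send the new-location alert
    STEP_UP = "step_up"             # prompt for the second factor, keep the session
    REAUTH = "reauthenticate"       # end the session and require a full login


@dataclass
class Session:
    user_id: str
    mfa_verified_ago_s: Optional[int]   # seconds since the last 2FA success, None if never
    ip_country: str                     # country geolocated from the current request IP
    known_countries: set = field(default_factory=set)  # countries seen on earlier logins
    device_known: bool = True           # request carries a previously seen device cookie


FRESH_MFA_S = 300      # critical actions: second factor within the last 5 minutes
RECENT_MFA_S = 3600    # writes from a risky session: second factor within the last hour
RISKY = 2              # score at or above which a session counts as risky
VERY_RISKY = 4         # score at or above which a critical action needs a full login


def risk_score(session: Session) -> int:
    """Additive score: new country +2, unknown device +2, never did 2FA +1.
    The weights are assumptions for the example."""
    score = 0
    if session.ip_country not in session.known_countries:
        score += 2
    if not session.device_known:
        score += 2
    if session.mfa_verified_ago_s is None:
        score += 1
    return score


def decide(action: str, session: Session) -> Decision:
    """Pick the least disruptive control that still matches the action's
    sensitivity and the session's risk. Unknown actions are treated as
    critical so that a missing entry in the table fails closed."""
    tier = ACTION_SENSITIVITY.get(action, Sensitivity.CRITICAL)
    risk = risk_score(session)
    mfa_age = session.mfa_verified_ago_s

    if tier is Sensitivity.CRITICAL:
        if mfa_age is not None and mfa_age <= FRESH_MFA_S:
            return Decision.ALLOW
        if risk >= VERY_RISKY:
            return Decision.REAUTH
        return Decision.STEP_UP

    if tier is Sensitivity.WRITE:
        if risk >= RISKY and (mfa_age is None or mfa_age > RECENT_MFA_S):
            return Decision.STEP_UP
        return Decision.ALLOW

    # READ: a new location alone never interrupts; at most it triggers the alert.
    return Decision.NOTIFY if risk >= RISKY else Decision.ALLOW


if __name__ == "__main__":
    # Constructed sample: a user whose past logins were all from "US", now in "JP".
    traveler = Session("u1", mfa_verified_ago_s=3 * 86400, ip_country="JP",
                       known_countries={"US"})
    for act in ("view_dashboard", "like_item", "change_password"):
        print(act, "->", decide(act, traveler).value)
```

For the traveling user in the sample, viewing the dashboard is served with a notification email, liking an item prompts for the second factor without ending the session, and a password change also prompts for the second factor; only the combination of a new country and an unknown device (or an unknown action that the table does not cover) escalates to a full login. The read path is deliberately never interrupted by location alone, which is the behaviour the post argues for.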