1. More than one verified IP / Client for login

    Hello,

    First of all, congrats on the great job you guys are doing in this community. Been here for a little over 3 weeks and I am loving it.

    My suggestion might just fix a very niche problem, but I might as well try. Your 2FA pops up every time I log in from a different device. I myself have a long lunch break and I'm constantly switching between my PC at home and my laptop. The website only remembers the last client I used my 2FA code on, so I'm constantly having to relog and wait for the e-mail, at least every time I'm trying to switch computers.

    Is this something that has already been looked at before, or would it be possible to save an IP / Client as "secure" once you have authenticated through 2FA?

    Would love to hear from you, cheers!
    Khazu

  2. I started using a VPN on the same server, so now I don't get a 2FA anymore, anywhere I am.
    This is convenient, but it's also a security flaw, since anyone that uses the same VPN can bypass this security measure if they get my password. Overall, IP-based 2FA is a bad idea. It should be using JWTs and localStorage, and always ask for the 2FA code on the game client (ideally the client would save the session for some time, like launchers do).

  3. . .
    Edited: January 1, 2024

  4. You are right, website login is weird, sometimes it doesn't ask, sometimes it does...
    But I'm sure about the client behaviour. It doesn't ask for the 2FA code if I log in on the same IP (yes, the VPN server has a static IP).

  5. . .
    Edited: January 1, 2024

  6. The server could always respond with 2FA needed, though. I think that would be sensible security-wise, but it would also be a lesser QoL.

  7. . .
    Edited: January 1, 2024
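
An added example, not part of any post in this thread and not the site's own code: one way a server could remember several devices per account after a successful 2FA check, next to the last-IP check the thread describes. The class and function names, the 30-day lifetime and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TRUST_TTL = 30 * 24 * 3600  # assumed lifetime of a remembered device, in seconds


class TrustedDevices:
    """Remembers several devices per account, independent of IP address."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._devices = {}  # user -> {token digest: expiry timestamp}

    def _digest(self, user: str, token: str) -> str:
        # Only a keyed digest is stored, so a leaked table holds no usable tokens.
        msg = f"{user}:{token}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def remember(self, user: str, now: float = None) -> str:
        """Call only after a successful 2FA check; the client keeps the token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._devices.setdefault(user, {})[self._digest(user, token)] = now + TRUST_TTL
        return token

    def needs_2fa(self, user: str, token: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        devices = self._devices.get(user, {})
        digest = self._digest(user, token or "")
        expiry = devices.get(digest)
        if expiry is None:
            return True  # unknown device, or a token issued to another account
        if expiry <= now:
            del devices[digest]  # expired: forget the device and ask again
            return True
        return False

    def revoke_all(self, user: str) -> None:
        """For password changes or a reported compromise."""
        self._devices.pop(user, None)


def ip_needs_2fa(trusted_ip: dict, user: str, ip: str) -> bool:
    """The scheme described in the thread: trust whatever IP passed 2FA last."""
    return trusted_ip.get(user) != ip
```

With per-device tokens the PC and the laptop each hold their own token and both skip the prompt, while a login from a shared VPN address without a token is still challenged.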
