1402894 - Remove "Restrict this session to this IP" option from login page

Status: RESOLVED FIXED

(bugzilla.mozilla.org :: General, task)

Description

[:Atoll]

My IP address changes constantly as I commonly use cellular connections to access BMO, and the origin IP depends in part upon things like "cell towers" and "carrier whims". Additionally, I dual-home from both IPv4 and IPv6 at home and many random wireless networks around the area, some of which are slow to provision IPv4 but have instant IPv6. This results in me being constantly locked out of Bugzilla because a property of my network layer changed.

So I request that y'all please uncheck the box by default.

Comment 1

[Mark Côté [:mcote]]

As I understand it, this provides a security benefit to many people.  I would hesitate to turn off the default unless it both fails to provide much security benefit to and inconveniences a large number of users.

Comment 2

[:Atoll]

I would accept "remember the state of this checkbox in my local browser's cookie store" in lieu of a change to the default, since that would result in the expected behavior (remember my preference for this preference) in each of the browsers I use.

Comment 3

[:Atoll]

I’m not expecting to see further activity on this request. Closing to save triage team the need to do so later.

Comment 4

[Dylan Hardison [:dylan] (he/him)]

we should uncheck this by default, and also hide it to mobile users at the least. I think it's still valuable for a population of users.

Comment 5

[Kohei Yoshino]

The “Restrict this session to this IP address” checkbox is only on the login page, and it doesn’t exist on the mini login widget on the global header. So I guess most people are _not_ using it anyway? Removing the checkbox shouldn’t be a problem then.

Comment 6

[:Atoll]

I would also accept "uncheck by default" as a cookie preference that isn't wiped at logout.

Comment 7

[Kohei Yoshino]

Also: 

* 2FA has been enabled as a security measure
* GitHub auth doesn’t enable the restriction, UUIC

Comment 8

[Ed Morley [:emorley]]

Is it possible to query what proportion of non-expired session users have limited to a single IP?

Comment 9

[Kohei Yoshino]

:dylan could answer that question.

Comment 10

[Dylan Hardison [:dylan] (he/him)]

Unrestricted: 3385
Restricted: 754

Comment 11

[Kohei Yoshino]

So, only 18% of currently logged-in users(?) are using the option? Then it’s safe to remove it.

Comment 12

[Kohei Yoshino]

This annoyed me today as I’m using my personal laptop both at home and in the office. Let’s move this forward.

Comment 13

[Kohei Yoshino]

Attachment: GitHub Pull Request

Comment 14

[Kohei Yoshino]

Basically, Bugzilla was designed in the pre-mobile and pre-laptop era. It assumed people were using a desktop workstation, even in the same office, according to a physical model attached to this HCI research conducted 10 years ago. We have to evolve to fit how people work, and we have to change how people work.

Comment 15

[Dave Miller [:justdave]]

(In reply to Dylan Hardison [:dylan] (he/him) from comment #10)

Unrestricted: 3385
Restricted: 754

This is pretty significant to me given that you have to uncheck the box to get Unrestricted, which means 82% of BMO's users are actively unchecking it when they log in.

Unless the lack of the checkbox on the mini login widget is treated as "don't restrict" and "restrict" is only forced on you on the full login page.... in which case, why is it even there? :-)

I'm among those who uncheck the box every time because I get logged out constantly if I don't.

Comment 16

[Kohei Yoshino]

I don’t have any data but guess most people use the header’s mini login widget and keep signed in. Also, “Sign-In with GitHub” doesn’t enable the restriction as mentioned earlier. I somehow used the sign-in page yesterday then forced to sign out once I got home.

Comment 17

[Kohei Yoshino]

Merged to master.