views: 284

answers: 3

In addition to standard form authentication, the IP address has been added as a security factor. This means a change of IP address drops the user session.

Personally I think this is an overwhelming solution and does not provide real value. Also, something tells me that there are possible situations when the IP address could be changed legally.

I need to mention that we do not have a "remember me" checkbox and we are just a consumer e-commerce application.

So my questions:

  1. Could IP be a security factor?
  2. Is there something that could change the IP address during surfing (proxies, anonymizers, speed-boosters)?
+1  A: 

You should not rely on the IP address for authentication, not even for enhanced authentication.

There are a lot of scenarios where an IP address changes during surfing; you mentioned some. Others include: switching to a VPN, restarting the router, or the ISP resetting the connection.

stefanw
+1  A: 

The first time I ran into this problem was many years ago, due to AOL users. With the AOL software at the time, browser requests would go through AOL's proxy farm and could come from a different IP address on every request. Certainly the same thing can happen today, for many reasons. Your web app must not rely on the IP address being constant. Use cookies instead.

Greg Hewgill
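To make the two answers above concrete (IP addresses change for legitimate reasons; authenticate the session with a cookie instead), here is an added example that is not code from the question or any of the answers. It is a small server-side session store, written in Python for this page, that authenticates requests with an opaque random cookie token and treats a change of source IP as a logged risk signal rather than a reason to kill the session. The `bind_to_ip=True` switch reproduces the policy the question describes, so the same proxy-farm scenario Greg Hewgill mentions can be run under both policies. All names (`SessionStore`, `proxy_farm_scenario`, `expiry_scenario`) and the 198.51.100.x / 192.0.2.x addresses are constructed for this example (they are documentation ranges, not real hosts).

```python
import secrets
import time

# Inactivity timeout for a session, in seconds (assumed value for this example).
SESSION_TTL = 30 * 60


class SessionStore:
    """Server-side session table keyed by an opaque random token carried in a cookie.

    The token is the only thing that authenticates a request. The source IP is
    recorded and counted, but a change of IP does not by itself end the session
    unless the caller opts into the IP-bound policy from the question.
    """

    def __init__(self, now=time.time):
        self._sessions = {}  # token -> {"user", "last_seen", "last_ip", "ip_changes"}
        self._now = now      # injectable clock so the expiry path can be tested

    def login(self, user, ip):
        # 256 bits from the OS CSPRNG. In a real app this value is sent back in a
        # cookie marked HttpOnly; Secure; SameSite so scripts cannot read it and
        # it is only ever transmitted over TLS.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "last_seen": self._now(),
            "last_ip": ip,
            "ip_changes": 0,
        }
        return token

    def ip_change_count(self, token):
        """How often the session's source IP has changed; a signal for risk scoring, not a verdict."""
        s = self._sessions.get(token)
        return None if s is None else s["ip_changes"]

    def validate(self, token, ip, bind_to_ip=False):
        """Return (ok, user, reason). bind_to_ip=True drops the session on any IP change."""
        if token is None:
            return False, None, "no cookie"
        s = self._sessions.get(token)
        if s is None:
            return False, None, "unknown token"
        now = self._now()
        if now - s["last_seen"] > SESSION_TTL:
            del self._sessions[token]
            return False, None, "expired"
        if ip != s["last_ip"]:
            s["ip_changes"] += 1
            if bind_to_ip:
                # The policy from the question: a legitimate proxy rotation or
                # router restart logs the user out.
                del self._sessions[token]
                return False, None, "ip changed"
            # Recommended handling: keep the session, record the new IP, and let
            # monitoring decide whether the pattern is worth a second look.
            s["last_ip"] = ip
        s["last_seen"] = now
        return True, s["user"], "ok"


def proxy_farm_scenario(bind_to_ip):
    """Same cookie, a different proxy IP on every request, then one forged cookie.

    Constructed input modelled on the AOL proxy-farm case described above.
    """
    clock = [1_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    token = store.login("alice", "198.51.100.10")
    results = []
    for ip in ("198.51.100.11", "198.51.100.12", "198.51.100.13"):
        clock[0] += 5
        ok, _, reason = store.validate(token, ip, bind_to_ip=bind_to_ip)
        results.append((ok, reason))
    # A request without the genuine cookie fails under either policy, even from
    # the IP the session was created on: the cookie, not the IP, is the credential.
    ok, _, reason = store.validate("not-the-real-token", "198.51.100.10", bind_to_ip=bind_to_ip)
    results.append((ok, reason))
    return results


def expiry_scenario():
    """The control that does end a session for a quiet user: an inactivity timeout."""
    clock = [0.0]
    store = SessionStore(now=lambda: clock[0])
    token = store.login("bob", "192.0.2.1")
    clock[0] += SESSION_TTL + 1
    return store.validate(token, "192.0.2.1")[2]


if __name__ == "__main__":
    print("cookie-only policy:", proxy_farm_scenario(bind_to_ip=False))
    print("IP-bound policy:   ", proxy_farm_scenario(bind_to_ip=True))
    print("idle session:      ", expiry_scenario())
```

Under the cookie-only policy all three proxy-rotated requests succeed and only the forged cookie is rejected; under the IP-bound policy the first rotated request logs the real user out and every later request fails with an unknown token. The IP change count is still available to whatever risk scoring or alerting sits on top of the store, which is the value the question is looking for without the lockouts.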
A: 

Not only are there legitimate ways for an IP to change, but there are illegitimate ways for a sophisticated user to spoof someone's IP whose info they were trying to steal.

So this approach can inconvenience real users and provide more tools for the bad guys.

Jason