In addition to standard form authentication, IP address has been added as a security factor. This means a change of IP address drops the user session.
Personally I think this is an overwhelmed solution and does not provide real value. Also, something tells me that there are possible situations when the IP address could be changed legally.
I need to mention that we do not have a “remember me” check box and we are just a consumer e-commerce application.
So questions:
- Could the IP address be a security factor?
- Is there something that could change the IP address during surfing (proxies, anonymizers, speed-boosters)?
You should not rely on the IP address for authentication, not even for enhanced authentication.
There are a lot of scenarios where an IP address changes during surfing; you mentioned some. Others include: a switch to a VPN, a restart of the router, a reset of the connection by the ISP.