What's crazy to me is that Google would allow access to a foreign device from a single click. It would be easy for a person to accidentally click it, or for a kid playing on their parents advice to click it when it popped up. I really can't understand why they wouldn't send a code that would have to be entered instead; it would be far less prone to those kinds of problems.
"foreign device" based on IP geolocation is pretty tricky and annoying.
My home in Texas had an IP address which a lot of databases had as supposedly being in Montreal. It was like that for years. Gotta love so many sites trying to default to French.
As a person who had to deal with clients, I have found whitelisting to only "US address space" lead to lots of clients being unable to access the services until they were whitelisted.
As a person who had to deal with other associates, I also found whitelisting only US address space led to a number of people being unable to connect from their homes.
As a person who had this happen to them, I had quite a lot of frustrations with services insisting they couldn't provide me service because Texas is in Canada apparently.
of course before implementing this I log all IPs and verify that we don't have any legitimate traffic coming from non-US IPs. and whitelisting a few IPs isn't a big deal. Of course a medium sized manufacturing company in the Midwest isn't going to have much need for people connecting to use outside the US.
I'm actually working to get rid of any public IPs that isn't a VPN access point.
If it's not actually reaching you to log in and what not, how do you know it's legit or not?
How do you know it's US traffic or not in the end?
I'm not saying it's not something anyone can reasonably do, but I've both been the gatekeeper required to implement/support such a policy and been someone burned by it. It shouldn't be assumed the block lists are actually that good.
> My home in Texas had an IP address which a lot of databases had as supposedly being in Montreal.
J'ai dû apprendre le français parce que les bases de données géo-IP sont des déchets.
So many sites defaulted to French due to shit geo-ip databases. So many account lockouts because of fears credentials got hijacked due to shit geo-ip databases. So many "sorry this isn't available in your country" messages because of shit geo-ip databases. So many stores defaulting to Canadian dollars because of shit geo-ip databases.
How would a code help? The victim has already bought into the social engineering. If the person on the phone asks the user to read out a code, they will. If the person on the phone asks them to enter a code (i.e. the version of this kind of prompt where the user needs to enter a code on the phone matching the one showing on the login page), they will.
Every step you make someone who is being socially engineered jumo through, is an extra chance for them to realize what is happening, especially if those steps contain warnings.
