IP Verification for Teams

IP Verification is a security feature for Teams that adds protection against unauthorized connections to your Team Computers.

We strongly recommend that you leave this setting enabled, but you may opt out of this feature on the security settings page.

How it works

When a user logs in to Parsec, either with their email and password or via SSO, they receive a session token that is stored securely on their computer. Our servers monitor how this session is used when accessing our HTTP and WebSocket APIs. If we detect that a session is used from an IP address that has not previously been recorded for that user's account, we block the API request or connection attempt and prompt the user to verify the new IP address by re-authenticating their account.

Once an IP is verified on a user's account, Parsec will trust it for 90 days before asking for verification again.

What IP Verification protects against

Even though the session token is stored securely on a user's computer, it could still be stolen through phishing attacks, malicious local software, or physical theft, and then used to connect to your Parsec Team. IP Verification helps prevent this by verifying each IP address for a user.

To start, we will enforce IP verification on the following user actions:

  • Connecting to a Team Computer
  • Adding a friend

As we gather more data on its usage, we will enable IP verification on a wider basis.

Example

  1. User Valerie logs in to Parsec from IP address 1.2.3.4. Since this is an authenticating API request, our servers record "1.2.3.4" as a valid IP address for Valerie's account.
  2. Malicious software on Valerie's computer steals the session token.
  3. The attacker attempts to use the session token to connect to a Team Computer from their own network, on IP address "6.7.8.9".
  4. Parsec does not recognize the new IP address "6.7.8.9" on Valerie's account, and blocks the connection attempt. The app prompts the user to re-authenticate the session, and the attacker will not be able to connect without also knowing the user's password or SSO login.
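
The decision logic described above can be modelled in a few lines. This is an added illustration, not Parsec's code: the class, method and action names are hypothetical, the timestamps are constructed, and the 90-day window and the two enforced actions are taken from this page.

```python
from datetime import datetime, timedelta

TRUST_WINDOW = timedelta(days=90)  # from the page: a verified IP is trusted for 90 days
# Hypothetical labels for the two actions the page says are enforced.
ENFORCED_ACTIONS = {"connect_team_computer", "add_friend"}


class IPVerifier:
    """Toy model of per-user IP verification for session-token requests."""

    def __init__(self):
        self._verified = {}  # (user, ip) -> time the IP was last verified

    def record_login(self, user, ip, now):
        # An authenticating request (password or SSO) verifies the source IP.
        self._verified[(user, ip)] = now

    def check(self, user, ip, action, now):
        # Decide what to do with a request that carries only a session token.
        if action not in ENFORCED_ACTIONS:
            return "allow"
        verified_at = self._verified.get((user, ip))
        if verified_at is not None and now - verified_at < TRUST_WINDOW:
            return "allow"
        return "reauth_required"  # block and prompt for re-authentication


def walkthrough():
    v = IPVerifier()
    t0 = datetime(2024, 1, 1)  # constructed timestamp
    day = timedelta(days=1)
    action = "connect_team_computer"
    v.record_login("valerie", "1.2.3.4", t0)                  # step 1
    results = [
        v.check("valerie", "1.2.3.4", action, t0 + day),      # Valerie, known IP
        v.check("valerie", "6.7.8.9", action, t0 + day),      # steps 3-4: stolen token
        v.check("valerie", "1.2.3.4", action, t0 + 91 * day), # trust window expired
    ]
    # Valerie herself on a new network (constructed IP): blocked until she re-authenticates.
    results.append(v.check("valerie", "5.5.5.5", action, t0 + 2 * day))
    v.record_login("valerie", "5.5.5.5", t0 + 2 * day)
    results.append(v.check("valerie", "5.5.5.5", action, t0 + 2 * day))
    return results


if __name__ == "__main__":
    print(walkthrough())
```

The stolen token fails on "6.7.8.9" because only a full login can add an IP to the account, which is why the attacker would also need the password or SSO login.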