> As you have recognized the fact that country level data is good for security [...]
That's the opposite of what I said. I think blocking entire countries is largely security theater. Bad actors will just use botnets or other residential proxies wherever needed, while legitimate users traveling abroad get locked out.
I can see it making sense for login-free distribution of media with limited regional rights (e.g., some public broadcasters offer their streams for free but are only allowed to do so domestically), or to provide a best guess for region-specific services (weather forecasts, shipping rate estimates etc.), although I'd also love to see that handled via the user agent instead, e.g. via granting coarse location access, to prevent false positives.
I also wouldn't mind it as much as one of many input signals into some risk calculation, e.g. for throttling password (but not passkey) attempts, to be overridden by login status, but outright bans are incredibly annoying, and unfortunately that's what I see many companies doing with GeoIP data.
Almost as annoying: Companies insisting on serving me a different language just because I traveled abroad, even though my "Accept-Language" header is right there.
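An added sketch, not part of the comment above, of GeoIP used as one weighted signal for throttling password attempts: passkey attempts are exempt, an authenticated session overrides the location signal, and no input produces an outright ban. All names, weights and thresholds here (`Attempt`, `throttle_delay`, `GEO_WEIGHT` and the rest) are hypothetical choices for illustration.

```python
from dataclasses import dataclass

# Assumed weights and limits, chosen only for this illustration.
FAILURE_WEIGHT = 0.5   # per recent failed attempt on the account
GEO_WEIGHT = 1.0       # GeoIP country not seen on earlier successful logins
THRESHOLD = 1.5        # below this score the attempt is not delayed
MAX_DELAY = 30.0       # seconds; throttling is capped and never becomes a block


@dataclass(frozen=True)
class Attempt:
    method: str                  # "password" or "passkey"
    geo_country: str             # GeoIP guess for the source address
    usual_countries: frozenset   # countries of earlier successful logins
    recent_failures: int         # failed attempts in the current window
    has_valid_session: bool      # request already carries a logged-in session


def risk_score(a: Attempt) -> float:
    """Combine signals; GeoIP is one input and cannot cross the threshold alone."""
    score = min(a.recent_failures, 10) * FAILURE_WEIGHT
    # Login status overrides the location signal: a logged-in traveller
    # re-entering a password is not penalised for the unfamiliar country.
    if not a.has_valid_session and a.geo_country not in a.usual_countries:
        score += GEO_WEIGHT
    return score


def throttle_delay(a: Attempt) -> float:
    """Seconds to delay this attempt before it is evaluated."""
    # Passkey attempts are not guessable credentials, so they are not throttled.
    if a.method == "passkey":
        return 0.0
    score = risk_score(a)
    if score < THRESHOLD:
        return 0.0
    return min(MAX_DELAY, 2.0 ** (score - THRESHOLD))


if __name__ == "__main__":
    home = frozenset({"DE"})  # constructed sample data
    traveller = Attempt("password", "JP", home, 0, False)
    guessing = Attempt("password", "JP", home, 3, False)
    print(throttle_delay(traveller), throttle_delay(guessing))
```
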