Hi All.
There are many customers experiencing issues login to EON using their website or app https://www.google.com/search?q=eon+next+login+problem. Myself included. That creates a very frustrating experience. Support is often useless blaming password managers, VPNs, firewalls, routers, broadband providers etc.
This is my attempt to write “a useful post”. I am not eON employee, I have no access to their infrastructure or code, this is my assumptions from what I see as an outsider, and it might be a bit technical.
Ok, what issues might cause you being unable to login.
Before we start, I would blame router or broadband provider the last, there is almost nothing can be on your router/firewall/broadband provider which can cause issues with login to eON, but leave the rest of the Internet functioning. Only if you deliberately banned access to eON kraken API, which 100% of users do not do.
Problem number 1.
This is the problem when it can take several attempts to login. The cause is Kraken API returns “There were too many requests. Please try again later.” error on login requests. Even this situation is normal for APIs to throttle the amount of requests to prevent overloading the servers. The issue is in the way eON has implemented it. Those limits are enforced additionally against passwords brut force. eOn decided to implement limit based on IP address of the user and not user login. It won’t be an issue if you have a "dedicated/static/public" IP address, but if you are behind CGNAT or in mobile network you will share IP with thousands of other customers. CGNAT is normal technology and 99.9% of people doesn’t need public IP. I am a computer "geek" and even have a server rack at home, and do not need it. So you share the same IP, and a couple of attempts from other users on the same IP will block access for you also for a period of time.
A few words on CGNAT. eON API is IPv4 only, the number of IPv4 addresses is limited and the world “run out” of them in 2019 so they become expensive as a limited commodity. IPv4 addresses “hoarders” now selling them for higher price. As I mentioned, as most of the users even do not need public IPv4 address, smaller broadband providers or even big are moving to CGNAT technology which allows sharing one publicly rotatable IP between many users and sell “static” IP as a feature for whom really need it. CGNAT is similar to what your router does for your home devices, but on broadband provider level. This is not a reason to blame your broadband provider for, it is absolutely normal (and from my point of view is even better than dual stack in terms of future if IPv6 is also provided). The situation might’ve been better if eON switched on support for IPv6, but they didn’t.
What you can do in this situation. Short answer nothing, if you are affected by this you have to live with it. Unless eOn tech team decided to learn a bit about technologies and how to implement “rate limit” in modern world, there is not much hope. Resetting your router, screaming at your broadband provider won’t be useful, you just have to wait until the timeout for throttling pass to be able to login to eON website.
Problem number 2.
This is what eON calls “VPN detection”. Technically, there is no “VPN detection” on the endpoint website. You can detect VPN if you listen the traffic between user and VPN server, but you can’t detect anything if you are on the website endpoint end. I also would like to say, VPNs are not bad, VPNs are essential, and you should always use VPN when you are using open networks, like airports, restaurants, hotels etc.
What happens in reality. eON is using AWS to host their services, and is using Amazon Load Balancer (ALB) as an entrypoint for their API, ALB is used only for API access, the website itself is hosted through AWS Cloudfront, this is why you can load the website, but any request to API, for example to login or receive data will be blocked, and the same for the mobile application. In this case this is not Kraken platform as the request is blocked before reaching the platform. In short, what is happening is eON switched on WAF filtering with some lists of IP addresses which suppose to be blocked from API access. AWS provides some of those lists, or you can pay to use 3rd party ones. I want to highlight, this is not the list of all IPs used by VPNs, or hosting providers, AWS doesn’t disclose the source of the data and the amount of IPs included to the lists by mistake is massive, and often a reason for complaints on aws forums from providers and companies themselves, with 0 result.
So your IP can be part of the list because you just got an “unlucky IP”, was the previous user of the IP shady? Included as a block of addresses, for some other reason? Will be unknown. Sometimes broadband providers do host a couple of websites in their IP ranges and that will trigger for the whole of their range to be added. Does it protect from attacks? No, as it is easier hiring a botnet than perform anything through a VPN. Why eON switched that on if it doesn’t protect from anything, but adds a lot of headache for support staff, remains unknown, I would say not enough competence in cybersecurity, but they might have a reason behind it, none of my banks are introducing such limits, but the energy company did, so you can make your own conclusions. Just think how you can access the phone support, where you just need to know the name and the address of the person to pass “authentication”. Why I am talking about “competence” in cybersecurity, you can have a look at their password requirements, and compare with NCSC recommendations from 10 years ago. So after 20 years of research and the slowest moving bodies have updated their recommendations, eON has implemented passwords in the way to lower your protection, as well as blaming password managers for the problems with the website instead of encouraging their use. So any statement of “high security settings” is not the real situation here.
What you can do about it? Depends on technology of your broadband provider, you might be lucky to get new IP if you reboot your router, if not, nothing your provider can do, they have no influence on AWS to include/exclude IPs from the list, and they can’t change their whole technology stack because of eON. If you are technical enough, you can spin up a VPN on AWS (because it is not blocked by filters) and access eON website through it. Yes, use VPN to avoid “VPN detection”. If neither of this is your option, there is no solution for you. There is an option in WAF to “whitelist” the IP, but doubt eON tech team will do that. And if you are a naughty boy like me, my assumption that they can “blacklist” your IP to “prevent” system access without actually banning my account completely, which would be illegal, and they will keep repeating “VPN was detected”.
Sorry for the long read, but I hope that might save you time talking with the support and clarify the real issues behind the problem so you do not put your firewall in unsecure state, reset your router, or try for hours explain level 1 support of your provider things that they won’t be able to do anything with. I also hope that the post won’t be removed as “unhelpful”.
Thanks PS.
