Ask HN: How do you handle suspicious logins?
7 comments
My non-invasive way for basic security - nothing sent to third parties at all; no blocking of VPNs other than the usual anti-bruteforce stuff:
- GeoIP server side; trigger MFA (email a confirmation code) if country mismatch. Anything less is too granular unless you have some good reason for it, people moved to cheaper places during the pandemic, mobile connections geo horribly wrong when NATed
- Drop a random unique cookie (long-lasting) on the client; if this cookie is not present and valid/signed prompt for MFA
- Give the user an opportunity to revoke all logged in sessions
- GeoIP server side; trigger MFA (email a confirmation code) if country mismatch. Anything less is too granular unless you have some good reason for it, people moved to cheaper places during the pandemic, mobile connections geo horribly wrong when NATed
- Drop a random unique cookie (long-lasting) on the client; if this cookie is not present and valid/signed prompt for MFA
- Give the user an opportunity to revoke all logged in sessions
Thanks; we use the long-lasting cookie approach for a few things as well. We haven't gotten to the revoking of logged in sessions. Do you give them the ability to view all login sessions a'la Gmail?
https://wakatime.com/login uses https://developers.google.com/recaptcha/docs/v3 for this and it's worked well so far.
Okay cool thanks!
If you've taken on this kind of project, would love to discuss what worked/didn't work. Don't want to reinvent the wheel.
My approach will be to track logins by a combination of user agents, locations and timestamps, and then when a new login comes in, come up with a way to make a login threat level based on what's been seen before.
If it's over a certain value, send off an email to the account owner to notify them.