Ask HN: How do you handle suspicious logins?

5 points by onassar ↗ HN
Have an app w/ a decent number of users (250k). I'm working on some login detection logic using IPs, user agents, etc to determine when a log in maybe be suspicious.

If you've taken on this kind of project, would love to discuss what worked/didn't work. Don't want to reinvent the wheel.

My approach will be to track logins by a combination of user agents, locations and timestamps, and then when a new login comes in, come up with a way to make a login threat level based on what's been seen before.

If it's over a certain value, send off an email to the account owner to notify them.

7 comments

[ 2.6 ms ] story [ 29.7 ms ] thread
My non-invasive way for basic security - nothing sent to third parties at all; no blocking of VPNs other than the usual anti-bruteforce stuff:

- GeoIP server side; trigger MFA (email a confirmation code) if country mismatch. Anything less is too granular unless you have some good reason for it, people moved to cheaper places during the pandemic, mobile connections geo horribly wrong when NATed

- Drop a random unique cookie (long-lasting) on the client; if this cookie is not present and valid/signed prompt for MFA

- Give the user an opportunity to revoke all logged in sessions

Thanks; we use the long-lasting cookie approach for a few things as well. We haven't gotten to the revoking of logged in sessions. Do you give them the ability to view all login sessions a'la Gmail?
Getstencil looks real cool. Will check it out.
:)
By the way you can check out SAASPASS if you want to implement passwordless MFA at some point.