HACKER Q&A
📣 onassar

How do you handle suspicious logins?


Have an app w/ a decent number of users (250k). I'm working on some login detection logic using IPs, user agents, etc. to determine when a login may be suspicious.

If you've taken on this kind of project, would love to discuss what worked/didn't work. Don't want to reinvent the wheel.

My approach will be to track logins by a combination of user agents, locations and timestamps, and then when a new login comes in, come up with a way to make a login threat level based on what's been seen before.

If it's over a certain value, send off an email to the account owner to notify them.


  👤 dylz Accepted Answer ✓
My non-invasive way for basic security - nothing sent to third parties at all; no blocking of VPNs other than the usual anti-bruteforce stuff:

- GeoIP server side; trigger MFA (email a confirmation code) on country mismatch. Anything less is too granular unless you have some good reason for it: people moved to cheaper places during the pandemic, and mobile connections geolocate horribly wrong when NATed

- Drop a random unique cookie (long-lasting) on the client; if this cookie is not present and valid/signed prompt for MFA

- Give the user an opportunity to revoke all logged in sessions
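
A combined sketch of the OP's threat-level idea and dylz's two checks (country mismatch, long-lived signed device cookie), added here as an example and not code from either poster; the server secret, the GeoIP stand-in table (documentation-only address ranges) and the score thresholds are assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Assumptions (not from the thread): a server-side secret and a stand-in for
# a GeoIP lookup built from constructed, documentation-only address ranges.
SECRET_KEY = b"constructed-demo-secret"
GEOIP_TABLE = {"203.0.113.0/24": "US", "198.51.100.0/24": "DE"}

def lookup_country(ip):
    """Stand-in for a server-side GeoIP lookup; None when the range is unknown."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP_TABLE.items():
        if addr in ipaddress.ip_network(net):
            return country
    return None

def issue_device_cookie(user_id):
    """Long-lived per-device cookie: random token bound to the user, HMAC-signed."""
    body = f"{user_id}:{secrets.token_hex(16)}"
    sig = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{sig}"

def verify_device_cookie(cookie, user_id):
    """True only if the cookie is well-formed, bound to this user and signed by us."""
    parts = (cookie or "").split(":")
    if len(parts) != 3 or parts[0] != user_id:
        return False
    body = f"{parts[0]}:{parts[1]}"
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(parts[2], expected)

def assess_login(history, ip, user_agent, cookie, user_id):
    """Score a login against prior successful logins [(ip, user_agent), ...].
    Returns (score, reasons, action); action is "allow", "mfa" or "mfa+notify"."""
    known_countries = {lookup_country(h_ip) for h_ip, _ in history}
    known_agents = {ua for _, ua in history}
    score, reasons = 0, []
    if lookup_country(ip) not in known_countries:   # dylz: country mismatch -> MFA
        score, reasons = score + 3, reasons + ["country mismatch"]
    if not verify_device_cookie(cookie, user_id):   # dylz: untrusted device -> MFA
        score, reasons = score + 2, reasons + ["no trusted device cookie"]
    if user_agent not in known_agents:              # OP: new UA raises the level
        score, reasons = score + 1, reasons + ["unseen user agent"]
    # OP: above a threshold, also email the account owner
    action = "allow" if score < 2 else "mfa" if score < 5 else "mfa+notify"
    return score, reasons, action
```

A missing cookie or a new country alone already forces MFA; both together (or with a new user agent) crosses the notify threshold.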


👤 1cvmask
Getstencil looks real cool. Will check it out.