I'm interested in implementing a feature on my web application that warns users when a suspicious login has occurred since their last visit.
My knee-jerk reaction was to use the client's IP address, but after doing my research it seems like this is a terrible idea. Dynamic allocation and NAT suggest that this is not reliable.
My second thought was to use a geolocation service. But the ones I could find were either IP-based or outside of my price range.
My third thought was to implement something like Facebook's "Register this device" prompt, but I'm unsure how this works in a reliable way.
Does anyone have any ideas on how I could identify a device or location with a reasonable level of confidence?
It depends on your business rules. You could score it based on several factors.
etc.
Then you could set up rules that say:
I would always show them the last date and IP of login like Gmail does. Gmail also has a login history you can view.
Edit: This is a really old answer that still gets some views. Today I'd probably recommend a 2FA solution. What is two-factor authentication?
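The scoring idea from this answer, combined with the "register this device" idea from the question, as an added Python example that is not part of the original post. The factors, weights, threshold, secret and sample data are all assumptions, since the answer's own list is not on the page.

```python
import hashlib
import hmac
import ipaddress

SECRET = b"constructed-demo-key"  # assumption: server-side secret, loaded from config in practice
# Assumed weights and threshold; tune them to your own business rules.
WEIGHTS = {"unknown_device": 50, "new_network": 30, "new_user_agent": 20}
WARN_AT = 50
# Constructed sample data (documentation address ranges).
HISTORY = [{"ip": "203.0.113.7", "user_agent": "Firefox/115"}]
REGISTERED = {"laptop-1"}


def device_token(user_id: str, device_id: str) -> str:
    """Value for a long-lived cookie set when the user registers a device."""
    mac = hmac.new(SECRET, f"{user_id}:{device_id}".encode(), hashlib.sha256)
    return f"{device_id}.{mac.hexdigest()}"


def device_is_registered(user_id: str, token: str, registered: set) -> bool:
    device_id, _, mac = token.partition(".")
    expected = device_token(user_id, device_id).partition(".")[2]
    ok = hmac.compare_digest(mac.encode(), expected.encode())  # constant-time compare
    return ok and device_id in registered


def network_of(ip: str) -> str:
    """Coarsen the address so ordinary DHCP churn does not look like a new location."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def score_login(user_id, login, history, registered):
    """Return (score, reasons) for one login compared with earlier ones."""
    reasons = []
    if not device_is_registered(user_id, login.get("device_cookie", ""), registered):
        reasons.append("unknown_device")
    if network_of(login["ip"]) not in {network_of(h["ip"]) for h in history}:
        reasons.append("new_network")
    if login["user_agent"] not in {h["user_agent"] for h in history}:
        reasons.append("new_user_agent")
    return sum(WEIGHTS[r] for r in reasons), reasons


def should_warn(user_id, login, history, registered):
    return score_login(user_id, login, history, registered)[0] >= WARN_AT
```

The returned reasons can be stored with the login record so the warning shown on the next visit says what looked different.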