
What are some reliable ways to identify suspicious logins?

I'm interested in implementing a feature on my web application that warns users when a suspicious login has occurred since their last visit.

My knee-jerk reaction was to use the client's IP address, but after doing my research it seems like this is a terrible idea. Dynamic allocation and NAT suggest that this is not reliable.

My second thought was to use a geolocation service. But the ones I could find were either IP-based or outside of my price range.

My third thought was to implement something like Facebook's "Register this device" prompt, but I'm unsure how this works in a reliable way.

Does anyone have any ideas on how I could identify a device or location with a reasonable level of confidence?

user1209326 asked Feb 13 '13 19:02


1 Answer

It depends on your business rules. You could score it based on several factors.

  1. Not the same IP: +5
  2. Not the same subnet: +10
  3. Not the same Country: +100
  4. 3 or more attempts before success: +50
  5. 2 or more logins at the same time: +50
  6. Different browser than last time: +5

etc.

Then you could set up rules that say:

  1. 0-20: Tell the user on their next successful login.
  2. 21-50: Start making them wait 5 minutes between logins.
  3. 51-100: Lock the account and force them to unlock it via email confirmation.

I would always show them the last date and IP of login like Gmail does. Gmail also has a login history you can view.

Edit: This is a really old answer that still gets some views. Today I'd probably recommend a 2FA solution. What is two-factor authentication?

Matt answered Oct 03 '22 18:10

Matt
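
The scoring factors and thresholds from the answer above, sketched in Python as an added example (not code from the original answer). The `Login` fields, the /24 and /64 subnet sizes, treating the factors as cumulative, and handling scores above 100 like the 51-100 tier are assumptions; the country code is expected to come from whatever geolocation source the application already has.

```python
import ipaddress
from dataclasses import dataclass

# Weights and tiers are the ones listed in the answer; all names are assumptions.
WEIGHTS = {"ip": 5, "subnet": 10, "country": 100,
           "failures": 50, "concurrent": 50, "browser": 5}
PREFIX = {4: 24, 6: 64}  # assumed subnet sizes for IPv4 / IPv6

@dataclass
class Login:
    ip: str
    country: str                  # ISO code supplied by the caller's geolocation source
    browser: str                  # browser family parsed from the User-Agent
    failed_attempts: int = 0      # failures immediately before this success
    concurrent_sessions: int = 1  # active sessions for the account, this one included

def same_subnet(a, b):
    ia, ib = ipaddress.ip_address(a), ipaddress.ip_address(b)
    if ia.version != ib.version:  # an IPv4/IPv6 switch never counts as the same subnet
        return False
    return ib in ipaddress.ip_network(f"{ia}/{PREFIX[ia.version]}", strict=False)

def score_login(prev, cur):
    # Compare this login with the previous successful one; return (score, factors).
    checks = {
        "ip": ipaddress.ip_address(prev.ip) != ipaddress.ip_address(cur.ip),
        "subnet": not same_subnet(prev.ip, cur.ip),
        "country": prev.country.upper() != cur.country.upper(),
        "failures": cur.failed_attempts >= 3,
        "concurrent": cur.concurrent_sessions >= 2,
        "browser": prev.browser.lower() != cur.browser.lower(),
    }
    hits = [name for name, fired in checks.items() if fired]
    return sum(WEIGHTS[h] for h in hits), hits

def action_for(score):
    if score <= 20:
        return "notify_on_next_login"
    if score <= 50:
        return "delay_5_minutes"
    return "lock_until_email_confirmation"  # 51-100 per the answer; >100 assumed the same

if __name__ == "__main__":
    prev = Login("203.0.113.10", "US", "Firefox")  # constructed sample data
    for cur in (Login("203.0.113.77", "US", "Firefox"),
                Login("198.51.100.4", "US", "Chrome", failed_attempts=3),
                Login("192.0.2.9", "DE", "Firefox")):
        score, hits = score_login(prev, cur)
        print(cur.ip, score, hits, action_for(score))
```

Returning the list of factors alongside the score lets the warning shown to the user say why the login was flagged, and lets the weights be tuned against real login history.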