top | item 25565311

dylz | 5 years ago

My non-invasive way for basic security - nothing sent to third parties at all; no blocking of VPNs other than the usual anti-bruteforce stuff:

- GeoIP server side; trigger MFA (email a confirmation code) if country mismatch. Anything less is too granular unless you have some good reason for it: people moved to cheaper places during the pandemic, and mobile connections' geo is horribly wrong when NATed

- Drop a random unique cookie (long-lasting) on the client; if this cookie is not present and valid/signed, prompt for MFA

- Give the user an opportunity to revoke all logged in sessions
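As an added illustration (not dylz's code), here is how the three pieces above fit together in Python: an HMAC-signed long-lived device cookie, a country-mismatch step-up to MFA, and a per-account session generation counter that implements "revoke all sessions". The signing key, the one-year max age and the Account record are assumptions for the example.

```python
import hmac, hashlib, secrets, time
from dataclasses import dataclass

SECRET = b"server-side-signing-key-from-config"  # constructed placeholder key

def issue_device_cookie(user_id, now=None):
    """Mint a long-lived 'known device' cookie: user.nonce.issued.sig (HMAC-SHA256)."""
    nonce = secrets.token_hex(16)
    issued = str(now or int(time.time()))
    payload = f"{user_id}.{nonce}.{issued}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def device_cookie_valid(cookie, user_id, max_age=365 * 86400, now=None):
    """Constant-time signature check, then owner and age checks; anything odd -> invalid."""
    if not cookie or cookie.count(".") != 3:
        return False
    payload, sig = cookie.rsplit(".", 1)
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):        # no early-exit string compare
        return False
    uid, _nonce, issued = payload.split(".")
    now = now or int(time.time())
    return uid == user_id and 0 <= now - int(issued) <= max_age

@dataclass
class Account:
    user_id: str
    last_country: str          # country seen at the last successful login
    session_generation: int = 0  # bumped to invalidate every outstanding session

def login_requires_mfa(acct, geoip_country, cookie, now=None):
    """Step up to MFA on a country mismatch or when the device cookie is absent/invalid."""
    if geoip_country != acct.last_country:
        return True
    return not device_cookie_valid(cookie, acct.user_id, now=now)

def revoke_all_sessions(acct):
    """Sessions carry the generation they were issued under; bumping it kills them all."""
    acct.session_generation += 1

def session_is_live(acct, session_generation):
    return session_generation == acct.session_generation
```

Sessions should store the generation at issue time and be checked with session_is_live on each request, so revocation takes effect immediately without tracking every session id.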

onassar|5 years ago

Thanks; we use the long-lasting cookie approach for a few things as well. We haven't gotten to the revoking of logged in sessions. Do you give them the ability to view all login sessions à la Gmail?