This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
Report suspicious login attempts #4556
Labels
T-Enhancement
New features, changes in functionality, improvements in performance, or user-facing enhancements.
z-feature
(Deprecated Label)
z-p2
(Deprecated Label)
Comments
Half-Shot
changed the title
Half-Shot
changed the title
|
In the same spirit we should also look to things like TOTP |
100% yes! |
|
Full webauthn support with email reporting of suspicious activity would be preferred. Relevant to: #2460 |
MadLittleMods
added
the
T-Enhancement
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Description: Most services seem to implement this to alert users to break-ins. We should consider at least support sending a notification and optionally locking the account until verified through email or another medium.
It's not a major problem if people don't re-use passwords, but it happens.
To break this down further, I'd like to propose having different levels of security ranging from just checking if the user has signed in from a different region, to checking if the users IP address has changed. This would be useful for people who want a paranoid mode.
In terms of spec, this would require the concept of an account being "locked" as well as an
account_datatype which could store the security level required to trigger a lock. I've mentioned it in synapse first because a server-level alert only (not locking the account) config option would require no spec changes.The text was updated successfully, but these errors were encountered: