Email notification for all new logins

Problem to solve

Without requiring multi-factor authentication for accounts, user accounts without MFA configured are susceptible to credential stuffing and brute-force attacks. We can improve incident response and encourage MFA adoption by sending an automated email alert whenever a successful login occurs.

Target audience

This applies to all users, but Sam is used here as the requester of this feature.

Proposal

Suggested text:

Dear <user>

A new login to your account has been made from <IP>. If you recently logged in and recognize the location of that login, you may disregard this email.

If you did not recently log in, you should immediately change your password: <link and instructions to password change>. Passwords should be unique and not used for any other sites or services.

<If no MFA enabled>
To further protect your account, consider configuring a multi-factor authentication method <link to 2fa instructions>.

Permissions and Security

The notification email should go to the email address configured as the user's notification email address.

Documentation

If these notifications are configurable per user or per instance, that will need to be documented, but there is value in sending them for all logins as the MVC.
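The following is an added illustration, not code from this project, of how the suggested text in the Proposal and the per-user / per-instance toggle mentioned under Documentation could fit together: the mail goes to the user's notification email, the MFA paragraph is included only when MFA is not enabled, and the login IP is validated before it is placed in the mail body. The names LoginEvent, User, LoginNotifier and the two URLs are assumptions.

```ruby
require 'ipaddr'
require 'time'

# Hypothetical records standing in for the application's own models.
LoginEvent = Struct.new(:ip, :at, keyword_init: true)
User = Struct.new(:username, :notification_email, :mfa_enabled, :login_emails, keyword_init: true)

class LoginNotifier
  # Placeholder URLs; a real deployment would point at its own help pages.
  PASSWORD_URL = 'https://example.com/profile/password'.freeze
  MFA_URL      = 'https://example.com/help/two-factor'.freeze

  def initialize(instance_enabled: true)
    @instance_enabled = instance_enabled
  end

  # MVC behaviour: every successful login is reported, unless the instance
  # or the user has switched the notification off.
  def notify?(user)
    @instance_enabled && user.login_emails
  end

  # Never interpolate an unvalidated string into the mail: keep a parsed IP
  # or fall back to a neutral phrase.
  def display_ip(ip)
    IPAddr.new(ip.to_s).to_s
  rescue IPAddr::InvalidAddressError
    'an unknown address'
  end

  # Returns {to:, subject:, body:} or nil when no mail should be sent.
  def build(user, event)
    return nil unless notify?(user)

    paragraphs = [
      "Dear #{user.username}",
      "A new login to your account has been made from #{display_ip(event.ip)} " \
      "at #{event.at.getutc.iso8601}. If you recently logged in and recognize " \
      'the location of that login, you may disregard this email.',
      'If you did not recently log in, you should immediately change your password: ' \
      "#{PASSWORD_URL}. Passwords should be unique and not used for any other sites or services."
    ]
    # Conditional block from the proposal: only users without MFA get the nudge.
    unless user.mfa_enabled
      paragraphs << 'To further protect your account, consider configuring a ' \
                    "multi-factor authentication method: #{MFA_URL}"
    end
    { to: user.notification_email, subject: 'New login to your account', body: paragraphs.join("\n\n") }
  end
end
```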

What does success look like, and how can we measure that?

The impact of accounts compromised due to a leaked or stolen password is reduced, with less time spent by the support and security teams investigating and triaging reported issues.

Links / references