Email notification for all new logins
Problem to solve
Without requiring multi-factor authentication for accounts, user accounts without MFA configured are susceptible to credential stuffing and brute force attacks. We can improve incident response and encourage MFA use through automated email alerts whenever a successful login occurs.
Target audience
This applies to all users, but Sam is used as the requester of this feature.
- Sam, Security Analyst, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#sam-security-analyst
Proposal
Suggested text:
Dear <user>,
A new login to your account has been made from <IP>. If you recently logged in and recognize the login location, you may disregard this email.
If you did not recently log in, you should immediately change your password: <link and instructions to password change>. Passwords should be unique and not used for any other sites or services.
<If no MFA enabled>
To further protect your account, consider configuring a multi-factor authentication method <link to 2fa instructions>.
Permissions and Security
The notification email should go to the email address configured as the user's notification email address.
Documentation
If these notifications are configurable per user or instance, that will need to be documented, but there is value in doing this for all logins as the MVC.
What does success look like, and how can we measure that?
The impact of accounts compromised due to a leaked or stolen password is reduced: less time elapses before the user reports it, and support and security teams are able to investigate sooner and more effectively.
Availability & Testing
What risks does this change pose to our availability?
This feature is low risk to GitLab.com's availability.
How might it affect the quality of the product?
This will improve the product's security and therefore, its overall quality.
What additional test coverage or changes to tests will be needed?
Ensure that email is sent on:
- New login from a new IP address and a new client
Ensure that email is NOT sent on:
- New login from a previously used IP address and a previously used client
- New login from a previously used IP address but a new client
- New login from a new IP address but a previously used client
- New login from a previously used IP and device but a new client
- New impersonation session
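The decision rules in the list above and the suggested email text from the Proposal section, as an added Ruby example (not GitLab's own code): it treats IP address and client as the two attributes that must both be new, skips impersonation sessions, and appends the MFA paragraph only when the account has no MFA. The class and method names, and the sample IP/client values, are assumptions made for this example.

```ruby
require 'set'

# Constructed record of one previously seen login (ip, client) for a user.
KnownLogin = Struct.new(:ip, :client)

class LoginNotifier
  def initialize(known_logins)
    @known_ips     = known_logins.map(&:ip).to_set
    @known_clients = known_logins.map(&:client).to_set
  end

  # Send the email only when BOTH the IP and the client have never been seen
  # for this user, and never for an impersonation session (admin acting as user).
  def notify?(ip:, client:, impersonation: false)
    return false if impersonation
    !@known_ips.include?(ip) && !@known_clients.include?(client)
  end

  # Renders the suggested email text. The multi-factor paragraph is only
  # included when the account has no MFA method configured.
  def email_body(user:, ip:, mfa_enabled:, password_url:, mfa_url:)
    body = <<~TEXT
      Dear #{user},

      A new login to your account has been made from #{ip}. If you recently
      logged in and recognize the login location, you may disregard this email.

      If you did not recently log in, you should immediately change your
      password: #{password_url}. Passwords should be unique and not used for
      any other sites or services.
    TEXT
    unless mfa_enabled
      body += "\nTo further protect your account, consider configuring a " \
              "multi-factor authentication method: #{mfa_url}\n"
    end
    body
  end
end

# Constructed sample: one user with two previously used IP/client pairs.
SAMPLE_KNOWN = [
  KnownLogin.new('203.0.113.10', 'Firefox/120'),
  KnownLogin.new('198.51.100.7', 'Chrome/119'),
]
```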
Will it require cross-browser testing?
This will not be necessary as the core functionality being added in this issue is not FE heavy.
All tests can be covered at unit and feature level. No new end-to-end tests should be needed.