Indicate the source and time of the last successful login. Of these two values, time is likely the more useful piece of information to a user. Very few people know the IP addresses that would be recorded from accessing the site at work, at an Internet café, at home, or from a hotel room. Time is much easier to remember and distinguish. Providing this information does not prevent a compromise of the account, but it can give observant users the information necessary to determine whether unauthorized access has occurred.
Possibly indicate whether a certain number of invalid attempts have been made against the user's account. Approach this with caution because it is counterproductive to alarm users about attacks that the site continually receives. Attackers may also be probing accounts for weak passwords. Telling users that attackers are trying to guess passwords can generate support requests and undue concern if the site operators already have countermeasures in place that actively monitor and block attacks once they reach a certain threshold. This is another instance of the familiar balance between usability and security.
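One way to implement the last-login notice and the thresholded failed-attempt notice described above, as an added example that is not from the original text. The `LoginHistory` record, the function names and the `NOTICE_THRESHOLD` value are assumptions, and the addresses in the demo are constructed documentation addresses.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Assumed value: stay silent about routine background guessing and only
# mention failures once they reach a level the user should know about.
NOTICE_THRESHOLD = 5


@dataclass
class LoginHistory:
    """Per-account record (hypothetical schema) kept next to the credentials."""
    last_success_at: Optional[datetime] = None
    last_success_ip: Optional[str] = None
    failures_since_success: int = 0


def record_failure(history: LoginHistory) -> None:
    """Count an invalid attempt; nothing is shown to anyone at this point."""
    history.failures_since_success += 1


def record_success(history: LoginHistory, when: datetime, ip: str) -> List[str]:
    """Store this login and return banner lines describing the PREVIOUS one.

    The banner must be built before the record is overwritten; otherwise the
    user only ever sees the session they just started.
    """
    banner = []
    if history.last_success_at is not None:
        # Time comes first: it is the value a user can actually recognise.
        banner.append(
            f"Last login: {history.last_success_at:%Y-%m-%d %H:%M} UTC "
            f"from {history.last_success_ip}"
        )
    if history.failures_since_success >= NOTICE_THRESHOLD:
        banner.append(
            f"{history.failures_since_success} failed login attempts since then"
        )
    history.last_success_at = when
    history.last_success_ip = ip
    history.failures_since_success = 0
    return banner


if __name__ == "__main__":
    h = LoginHistory()  # constructed sample account
    record_success(h, datetime(2024, 1, 10, 9, 30, tzinfo=timezone.utc), "203.0.113.7")
    for _ in range(6):
        record_failure(h)
    print(record_success(h, datetime.now(timezone.utc), "198.51.100.20"))
```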
Require users to reauthenticate for actions deemed highly sensitive. This may also protect the site from some CSRF attacks by preventing requests from being made without user interaction. Some examples of a sensitive action are as follows: