Session and Login Management

[SaySayTakamura]

Is your feature request related to a problem? Please describe.

Something i feel about the current state of the Bluesky App/Site is that by knowing someone password, PUFF, you are in.

I saw an issue about 2FA and sincerely, this is great to see, but still while not implemented, the user should be warned about login/sessions actives on their account.

Describe the solution you'd like

We have 2 solutions that are pretty common:

1 - Whenever the user logs, send an email to them, warning that their account have been accessed with informations like:

• IP ADDRESS
• DEVICE
• COUNTRY/STATE
• HOUR

I've saw sites like Amazon/Steam/Github and Discord do this approach.

2 - One tab on settings session showing an User's active sessions, showing the same data as the first one (IP, HOUR and such), this session could allow the user to Revoke any suspicious sessions listed.

I've saw Discord and Twitter use this one.

Describe alternatives you've considered

Aside of the ones mentioned above i couldn't think of additional alternatives.

[pfrazee]

This is actually a decent idea, gonna bounce to the backend repo for discussion

[bnewbold]

What you are describing would be a feature of PDS instances (which control user authentication and accounts), and any PDS implementations could add these basic security features already today. I've moved this over to a protocol-level discussion though, because I think it's the sort of thing we'd probably want to encourage every PDS implementation to consider supporting.

I think this is definitely a reasonable security improvement. Some thought probably needs to go in to which situations a notice gets sent, and what the total volume of emails going out would be (eg, do we need to use a special service to do this? will it result in important emails going to spam?), and whether this is enabled by default. I think many of the services you mentioned have some kind of detection of "novel" or "suspicious" logins and only send the email in those situations. There is also a bit of a private consideration, as this creates both a papertrail and a metadata amplification around core account activities. By "metadata amplification" I mean that somebody observing email traffic could correlated a login to a specific email recipient.

IIRC we do send out email alerts in a couple specific situations already, like when somebody requests to delete their account. Another situation we should probably send an email, but don't have a mechanism to enforce today, is a notice when did:plc information about an account changes unexpectedly (aka, when the DID document changes and the user didn't initiate the change).

[SaySayTakamura]

"Which situations a notice gets sent" - One important thing to notice is that Google, sends an email most of the time i login, in all my accounts.

Don't know if "Don't ask again on this Computer" solves this, if does, an similar implementation on BSs would be nice.

It can go two ways:

1 - Checking if there's any cookies for BSs already on the machine, if there is, then does not send an email, if not, send an email.

2 - If the user toggle the "Remember me on this machine" does not send any email at all, unless they logout and login again (famous, shutdown and restart)(it can happen if user deletes cookies, which triggers Item Nº1 anyway)

3(Optional) - Create an "instance" of session (On the "Sessions" Tab) everytime the IP Address change, updating as well all its data (Location, Hour and such), this would not send an email at all unless Items Nº1 or 2 triggers.

Note: This last one i see much on Steam and Twitter (on this one is less than Steam)

Sorry if anything from this don't make sense, i don't know anything about network or web programming (assuming JS or any relative) much less about Web Security.

I am just.... cautious... maybe a bit paranoid..... totally paranoid.

[SaySayTakamura]

Latest release added Email Code 2FA.

Glad to see some sort of 2FA implemented, a good step towards account security.