Some time ago, I wrote a post announcing the availability of the account activity history page (which I will call the “activity page” for short). Today I want to discuss the use of the activity page in relation to the notification messages we send for security challenges issued by our compromise detection algorithms.
Security challenges are actually triggered in two situations:
- when we regularly require a second factor for authentication (as in the case of accessing the activity page itself or when two-factor authentication is enabled on an account)
- when our compromise detection algorithms trigger such a challenge.
There is no notification sent in the first scenario (because there is nothing unexpected about the challenge), but in the second case we always send notifications to the communication channels associated with the account. Also note that security challenges can only happen for accounts that are associated with a phone number or another email address; otherwise there is no way of solving them.
The notifications we send let the account owner know what is going on with their account and direct them to the activity page for confirming or denying the legitimacy of the authentication attempts that received the security challenge. The account owner can then use the “This was me” button to confirm the legitimacy of the authentication or they can select “This wasn’t me” to indicate that the attempt to authenticate was not theirs. If the authentication attempt was not legitimate, it means that whoever made it knew the correct password for the account, so when the account owner selects “This wasn’t me”, we will ask them to first change their password and then to verify the integrity of the security information associated with the account.
There is one special case: for some non-interactive interfaces or older devices, we cannot actually issue security challenges at all (there is no user interface for solving them). If two-factor authentication is enabled for the account, an app password would have to be used in such a scenario (learn how to generate one here). Otherwise we will simply block the authentication request and, in the case of compromise detection, we will also send notification messages.
So if you ever receive a notification message mentioning unusual activity and asking you to visit the activity page, our compromise detection algorithms are the reason for that.
Some takeaways that may come in handy:
- Not all security challenges are due to unusual activity. You should only be concerned about those for which you also receive a notification. (I will also look into having the activity page description updated to reflect this.)
- If you have a problem connecting from an older device, check your email for a notification and then use the “This was me” option on the activity page to unblock that device.
- Keep in mind that if you connect from a mobile device, your service provider may occasionally redirect you through a different network and this may trigger notifications of unusual activity. Marking the device as familiar would eliminate this issue (this is an option given during the security challenge).
- If you are sure that the challenged authentication was not initiated by you, then use “This wasn’t me” to indicate that. The drawback to selecting this option unnecessarily is that you will have to change your password.