Option to turn off Login Notifications at user level.

[panzerscope]

Hello all, 

So this has already been bought up in different conversations as per the below links: 

https://invisioncommunity.com/forums/topic/452364-users-be-able-to-turn-off-new-device-notifications/ 
https://invisioncommunity.com/forums/topic/443405-choice-to-opt-out-of-new-device-login-emails/ 

I have to echo the feature request for this as per other members here. My forum is a tech community and while not only privacy conscious meaning they clean cookies and cache (Logging them out) and they are also sometimes using the site from multiple machines and upon logging in, keep getting login notifications which is irritating them.

So far as I know the ability to turn off Login Notifications via Email is GLOBAL. I, like others would like to see this become a user level option so users have the option of turning Login Notifications on or off as they see fit. 

I can see that it was at some point raised internally but it looks like nothing has happened since. Could we please get this implemented ?

 

Thanks,
P

[Morrigan]

If these were turned offable by my bank I'd never know if someone was stealing my information. While it doesn't seem important in general it is since IPS has the ability to store information from an end user.

[CoffeeCake]

It would also be nice to enforce by member group.

[Charles]

I would personally be wary to implement this. It is a security feature. I get those sorts of emails all the time from various sites I login to. Yes, they can be redundant but I would rather know the check is happening than not.

[Jordan Miller]

I'm a bit wary about this too in all honesty. Someone may turn it off, forget about it, then in 6 months time something goes down behind-the-scenes with their account somehow and they aren't alerted to the fact. If there was some other security measure in place to supplement the login feature being turned off I'd be more inclined 😇 

[Matt]

I get these constantly from multiple services I use. I find some comfort in them. I do not think it's a good idea to weaken this feature.

[panzerscope]

I personally disagree, I think users should be able to disable this under the premise that their account has 2FA enabled. While I understand the argument for forcing it on globally, I would suspect that having an account with 2FA would still render the account rather secure even with login notifications disabled.

[CoffeeCake]

This is a depends situation, and will vary by community.

I want anyone with elevated permissions (moderators, etc.) to get these alerts, but we had resounding feedback from our general members to turn this off. We turned it off because it was all or nothing.

Administrator should be able to say:

• "We talk about sensitive topics here, where access to anyone's account would be bad. This is a requirement here for everyone."
• "We have lots of security conscious people here, so this should be the default for everyone, but recognize that some people will browse from a different place every time, or a private browser and be spammed every time they log in by this message, so let's give them the option to turn it off."
• "We have certain usergroups that require a different setting on this. For Member group A, forcing this on and/or making this the default makes more sense. For member group B, turn this off completely, for Member group C, give them the choice and set it to off by default"
• "This makes no sense for anyone here. Turn this off globally."

This should have the same configurability as two-factor authentication.

And.... sometimes the e-mail is too much. Give the configuration option (matching granularity above) to use notifications (or something like an announcement header) for this instead.

"Welcome back, Matt. Someone has logged into a new device since your last login. Click here to see device logins associated with your account."

[Colonel_mortis]

I had a few complaints about it from my members too, and I ended up fixing it by changing the logic for sending a new notification to not send it if it's from an IP that they have used previously (except moderators and admins, which I retain the old behaviour). Since making that change, I haven't had any complaints from members.

		if ( \IPS\Settings::i()->new_device_email && ($member->isAdmin() || $member->modPermission() ||
				\IPS\Db::i()->select('count(*)', 'core_members_known_ip_addresses',
					['member_id=? AND ip_address=?', $member->member_id, \IPS\Request::i()->ipAddress()]
				)->first() === 0) )