[Enhancement Request] FusionAuth New Device Login/Impossible Travel should be smart based on geolocation just not IP #3014

Open
@bbarman4u

Description

FusionAuth Impossible Travel Detection should be smart based on wider geolocation (such as across state lines or country borders), not just IP, which might change due to cell towers or ISP-provided IP addresses.

Problem

We have noticed, based on existing customers' and friendly users' login sessions, that even if it is the same user and they are on the same device, which might be connected to their cellular network, the cell tower might keep changing to different IP addresses which may or may not match the user's physical location. Example: a user in Houston, when logging in, might have their IP address provided by AT&T be that of San Antonio, and this does not mean the customer has in fact tried to use a VPN or some other way to access their account maliciously. Similarly, many corporate offices often have client-side proxy networks that will scramble the user's real IP address and/or, based on VPN networks, might provide an IP address from another US state.

Solution

We would want the New Device Detection/Suspicious Login Detection, which currently works heavily based on IP addresses and the location of the IP address (which could be at city scope), to be able to smartly detect and notify based on real abuse and not create false positives.

Suggestion: Define customized levels of Threat Detection Mechanism that could then let the customers choose what level of threat detection would make sense based on their customers' demographics, e.g. for some customers it might really make sense to detect impossible travel only when their customers are logging in within a short amount of time from a totally different country vs. flagging logins from different states in the same country.

Alternatives/workarounds

A "remember this device" checkbox, or some more concrete mechanism that ties to the new device or suspicious login, should be devised that does not store the IP address in the new-device login cookie client side and is calculated server side. Example: I am the same customer, and I am on my mobile device, so it does not matter if my cell tower is switching IP addresses or I am connected to my home network or to my work network, which gives a different IP address; I should be able to cut down on the false positives so long as I can tie the login to the unique device/browser combination.

Additional context

Example of recent logins detected by a customer in the Houston area where their ISP/cell provider is providing IP addresses of Dallas or Houston, since most ISPs don't have static IPs.

[Screenshot of the recent logins referenced above]

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
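The detection logic sketched in this request (a tenant-selectable city/state/country boundary, a physical-plausibility check on the implied travel speed, and a server-side device registry that suppresses alerts for confirmed devices) can be shown in a few dozen lines. The Python below is an added illustration, not FusionAuth code and not part of the original issue; the level names, the 900 km/h threshold, the `Login` fields, the `DeviceRegistry` class and the sample coordinates are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Optional, Set

# Sensitivity levels a tenant could pick (assumed names, not a FusionAuth setting):
# "city" flags any change of city, "region" only a change of state/province,
# "country" only a change of country.
LEVELS = ("city", "region", "country")

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Login:
    user: str
    device_id: str      # stable server-side device/browser identifier (assumed)
    country: str
    region: str         # state or province
    city: str
    lat: float
    lon: float
    at: datetime


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def boundary_crossed(prev: Login, cur: Login, level: str) -> bool:
    """True when the two logins fall on different sides of the chosen boundary."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    if level == "country":
        return prev.country != cur.country
    if level == "region":
        return (prev.country, prev.region) != (cur.country, cur.region)
    return (prev.country, prev.region, prev.city) != (cur.country, cur.region, cur.city)


class DeviceRegistry:
    """Server-side record of devices a user has confirmed; nothing is kept in a cookie."""

    def __init__(self) -> None:
        self._known: Dict[str, Set[str]] = {}

    def remember(self, user: str, device_id: str) -> None:
        self._known.setdefault(user, set()).add(device_id)

    def is_known(self, user: str, device_id: str) -> bool:
        return device_id in self._known.get(user, set())


def is_impossible_travel(prev: Login, cur: Login, level: str = "region",
                         max_speed_kmh: float = 900.0,
                         registry: Optional[DeviceRegistry] = None) -> bool:
    """Flag `cur` only if it crosses the tenant's chosen boundary AND the implied
    speed from `prev` exceeds what a passenger flight could manage (assumed 900 km/h)."""
    if prev.user != cur.user:
        raise ValueError("logins belong to different users")
    if registry is not None and registry.is_known(cur.user, cur.device_id):
        return False   # confirmed device: IP churn from a cell tower is not travel
    if not boundary_crossed(prev, cur, level):
        return False   # same city/state/country at the chosen granularity
    # Floor the elapsed time at one minute so two near-simultaneous logins
    # do not divide by zero.
    hours = max((cur.at - prev.at).total_seconds() / 3600.0, 1.0 / 60.0)
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    return km / hours > max_speed_kmh


# Constructed sample data (approximate city-centre coordinates), not real customer logins.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
HOUSTON = Login("alice", "phone-1", "US", "TX", "Houston", 29.7604, -95.3698, T0)
DALLAS = Login("alice", "phone-1", "US", "TX", "Dallas", 32.7767, -96.7970,
               T0 + timedelta(minutes=20))
LONDON = Login("alice", "laptop-9", "GB", "ENG", "London", 51.5074, -0.1278,
               T0 + timedelta(hours=1))


def demo() -> Dict[str, bool]:
    """Run the scenarios from the issue at different sensitivity levels."""
    reg = DeviceRegistry()
    reg.remember("alice", "phone-1")
    return {
        "houston_to_dallas_city_level": is_impossible_travel(HOUSTON, DALLAS, "city"),
        "houston_to_dallas_region_level": is_impossible_travel(HOUSTON, DALLAS, "region"),
        "houston_to_dallas_known_device": is_impossible_travel(HOUSTON, DALLAS, "city", registry=reg),
        "houston_to_london_country_level": is_impossible_travel(HOUSTON, LONDON, "country"),
    }


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name}: {'FLAG' if flagged else 'ok'}")
```

Run as a script, the Houston-to-Dallas pair 20 minutes apart is flagged at "city" level (about 360 km in 20 minutes is faster than any flight) but not at "region" level, since both are in Texas; the same pair on a device the user has already confirmed is never flagged; and a Houston-to-London login an hour later is flagged even at the loosest "country" level. The device check happens before any geolocation reasoning, which is what keeps cell-tower IP churn from generating alerts without weakening detection for an unknown device.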

Labels: enhancement (New feature or request)