Implement device cookies
A device cookie is a long-lived token that is saved in the user’s browser after the first login from that device. Because the server can then tell a known device from an unknown one, several security-relevant features become possible:
- Show the user a list of all known devices (label, first and last seen). The user can revoke ("kick") devices they don't recognize, which invalidates that device's cookie.
- Notify the user via e-mail when a login from a device without a known cookie happens.
- In the MFA dialog, a checkbox with “Don’t ask on this device again” could be shown.
- During an enumeration/brute-force attack, logins from unknown devices could be locked out after a number of failures, while devices presenting a valid cookie can still log in. Only failures without a valid cookie should count toward that lockout, so an attacker cannot lock the real user out of their own known devices.
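The flow the list above describes, as an added example that is not part of this issue or the project's code. It assumes an in-memory user store, a cookie of the form `username:nonce:hmac` signed with a server-side key, and a lockout of 5 failed unknown-device logins within 15 minutes; these are illustrative choices, not something the page specifies.

```python
"""Device-cookie login flow: long-lived per-device token, device list and
revocation, new-device notification, "don't ask for MFA again on this
device", and a brute-force lockout that hits only requests without a
valid device cookie. Added example; all names and parameters are assumed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, from config/KMS in practice
LOCKOUT_THRESHOLD = 5                 # failed logins from unknown devices before lockout (assumed)
LOCKOUT_WINDOW = 15 * 60              # seconds (assumed)
PBKDF2_ROUNDS = 20_000                # kept low for the demo; use a slow, tuned hash in production


@dataclass
class Device:
    nonce: str
    label: str
    first_seen: float
    last_seen: float
    mfa_trusted: bool = False  # set when the user ticks "Don't ask on this device again"


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    devices: dict = field(default_factory=dict)           # nonce -> Device
    unknown_failures: list = field(default_factory=list)  # timestamps of failures without a valid cookie
    notify_new_device: bool = True                        # opt-out for people who always use private browsing


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_user(name: str, password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(name, salt, hash_password(password, salt))


def _sign(username: str, nonce: str) -> str:
    return hmac.new(SERVER_KEY, f"{username}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_device_cookie(user: User, label: str, now: float) -> str:
    """Register a new device for the user and return the cookie value to set (long-lived)."""
    nonce = secrets.token_urlsafe(24)
    user.devices[nonce] = Device(nonce, label, now, now)
    return f"{user.name}:{nonce}:{_sign(user.name, nonce)}"


def parse_device_cookie(cookie: str):
    """Return (username, nonce) if the cookie is authentic, else None."""
    parts = cookie.rsplit(":", 2) if cookie else []
    if len(parts) != 3:
        return None
    username, nonce, tag = parts
    if not hmac.compare_digest(tag.encode(), _sign(username, nonce).encode()):
        return None
    return username, nonce


def known_device(user: User, cookie: str):
    """Known only if the cookie verifies, belongs to this user and has not been revoked."""
    parsed = parse_device_cookie(cookie)
    if parsed is None or parsed[0] != user.name:
        return None
    return user.devices.get(parsed[1])  # None once the user has kicked this device


def _locked_for_unknown(user: User, now: float) -> bool:
    user.unknown_failures = [t for t in user.unknown_failures if now - t < LOCKOUT_WINDOW]
    return len(user.unknown_failures) >= LOCKOUT_THRESHOLD


def login(users: dict, username: str, password: str, cookie: str, now: float) -> dict:
    user = users.get(username)
    if user is None:
        return {"ok": False, "reason": "bad_credentials"}
    device = known_device(user, cookie)
    # Brute-force protection applies to unknown devices only; known devices keep working.
    if device is None and _locked_for_unknown(user, now):
        return {"ok": False, "reason": "locked_unknown_device"}
    if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        if device is None:  # failures with a valid cookie do not count toward the lockout
            user.unknown_failures.append(now)
        return {"ok": False, "reason": "bad_credentials"}
    if device is not None:
        device.last_seen = now
        return {"ok": True, "known_device": True, "mfa_required": not device.mfa_trusted,
                "notify": False, "set_cookie": None}
    # First login from this device: register it, always require MFA, optionally e-mail the user.
    new_cookie = issue_device_cookie(user, "new device", now)
    return {"ok": True, "known_device": False, "mfa_required": True,
            "notify": user.notify_new_device, "set_cookie": new_cookie}


def list_devices(user: User):
    """What the security tab would show: one row per known device."""
    return [(d.label, d.first_seen, d.last_seen, d.mfa_trusted) for d in user.devices.values()]


def revoke_device(user: User, nonce: str) -> None:
    user.devices.pop(nonce, None)


def trust_device_for_mfa(user: User, cookie: str) -> bool:
    """Call only after a successful MFA check, when the user ticked the checkbox."""
    device = known_device(user, cookie)
    if device is None:
        return False
    device.mfa_trusted = True
    return True
```

Revoking a device deletes its nonce rather than the cookie itself, so a kicked device that still presents its old cookie is simply treated as unknown (and is subject to the lockout like any other unknown device). Storing the cookie server-side only as an opaque nonce also means a database leak does not hand out usable device cookies, since the HMAC tag is never stored.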
Google, Github, Mastodon, etc. implement features like this.
One thing to consider: people who always use private browsing modes would never keep the cookie and would get an e-mail after every login, which gets annoying. Github, for example, lets the user optionally disable those notifications.
In a similar fashion, a list of currently authorized apps (OAuth) could also be shown in the security tab of the user profile.
This is how it looks in Github (I blanked out the city and IP address):