Require Out-of-Band (OOB) Acknowledgement For Unknown Location Sign-On

When a user account signs on from an unknown location, the user should be prompted via out-of-band communications (ex. email message) to confirm the sign-on from an unfamiliar location. This should apply to the geographic location associated with the sign-on, as well as signing on from a device that is new to the account.

This should be especially true in cases of impossible travel where a device has recently been used in one geographic area, and the sign on originates from a different area entirely. Similarly if the phone scanning a QR code is in a different geographic area than the desktop client presenting the code, it should prompt in this manner.

The message should indicate something along the lines of:

"We detected a potentially suspicious logon attempt on your account from <geographic location> on <device/client details>. This sign in was automatically blocked for your protection, as we didn't recognize the <location/device>.

If you do not recognize this sign on, please change your password. In order to protect your account, ensure you do not provide anyone your 2FA token code or password.

If you do recognize this sign-on, please click the link below to remember the <location/device> then sign in again. This link will not take you to a sign-in prompt. If you receive an email like this that does direct you to a sign-in prompt, that may be an attempt to compromise your account."

The link should then add the device/location to the known locations list associated with the account, and the user should be able to sign into the account from that device. You can make the link a button that says something like "I recognize this <device/location>." 

This will dramatically mitigate a common vector of account compromise, saving your support and billing staff countless hours of work remediating accounts that have been hijacked.