Published on

Why use suspicious login detction?

Security is part and parcel of a developers daily routine. It is expected that if you are handling customer data, your application is secure.

So we add 2FA, secure password policies, and other security measures to our applications. These measures, correctly, try to prevent breaches of customer accounts. Unfortunately, if you have ever ran large scale systems, you will know that people are the weakest link in the security chain. And sometimes leave their passwords on a post it note, share accounts with colleagues, or use the same password for every account.

Enter, suspicious login detection.

What is suspicious login detection?

Suspicious login detection is a system for verifying that the person logging into an account is the person who owns the account. It does this by looking at the login patterns of the user, and comparing them to the current login attempt. If the login attempt is suspicious, we can trigger email alerts, ask the user for more verification, or block the login attempt entirely.

Why use suspicious login detection?

This is a different way of looking at security than the traditional methods. Instead of trying to prevent a breach, we are trying to detect a breach. This is a more realistic approach to security, as it is impossible to prevent all breaches. Instead, we should focus on detecting breaches as soon as possible, and limiting the damage they can cause.

Lots of products like Google, Facebook and Todoist have suspicious login detection. Up until now, the only way to have this implemented in your application was to build it yourself. This is a time consuming process, and requires a lot of data to be collected and stored (therefore increasing your costs).

The solution I built was LoginLlama. It came out of noticing multiple companies asking me to build similar systems for them through my contracting work. I realised that there was a gap in the market for a suspicious login detection service that was easy to integrate, and didn't require a lot of data to be collected.

How Loginllama handles this

LoginLlama uses bolinger bands to detect suspicious login attempts. This is a statistical method that is used to detect outliers in a dataset. In this case, the dataset is the login attempts of a user. If a login attempt is outside of the bolinger bands, it is considered suspicious.

In addition to this, we feed this data to an AI model that gives us further weight to the suspiciousness of the login attempt. This allows us to detect more complex patterns, and gives us a more accurate score.

Based on the score, we let the API caller know if we think the login is suspicious. This can then be handled by the API caller in whatever way they see fit.


Suspicious login detection is a great way to add an extra layer of security to your application. It is a more realistic approach to security, and can help you detect breaches as soon as possible.

LoginLlama has a completely free plan for up to 1,000 logins per month. Try it for free now: LoginLlama.