Each sign in attempt is stored in the login table along with the device, browser and IP address. On each login attempt, the authController checks this table to check for suspicious activity based on past behaviour.
If the IP address, device or browser differs from what the user normally uses to sign in, they will be notified via email.