In some cases, the user might even need to give approval within a mobile app before a risky action can be approved.  For example, if there is a login to their account with a valid password, but from an unusual location, then the user might see a screen like the one below.

If the user has their phone with them, then they would hear it beep or feel it vibrate.  The notification interace on the phone would then show the risk action that needs to be approved.  In this case it would be a sign in request.

If the user opens the notification, they could be shown details about the action that they can then confirm.

If the user did NOT have a phone with them (or maybe the phone was the device trying to sign into their account), then they could use a desktop/laptop, or other device that was already connected to their account to approve the request.