I would recommend moving loging with credentials from the client to the Launcher and making requirement to enter authentication PIN when new login is made from a new IP.
Authentication PIN could be sent via email or made like recovery key generated in website's account settings (automatically for new accounts, generating to existing accounts).
Or just notifying user by email if new connection is made from a new IP giving time to respond.
Problem for using email would be for all the alt accounts with different emails (and perhaps not all remember their credentials).
Issue for using generated recovery key is that some people will lose it and will require somehow recover account.
Also adding an option for enabling/disabling authentication key request for logging on account would be nice.
TLDR: requesting to enter generated KEY for a new IP login + always notify user via email if there is a new IP connection even if its disabled for account.
P.S. who else remember when DBOG went open source and Esdeath notified people to use different credentials when creating accounts on new servers for such matter 