Users should be able to report on their login history, including metadata like logged in devices and public IPs from which access was made. Features like this are available in many online and streaming services. This would alleviate concerns like I had where I received an erroneous support email and couldn't verify whether or not someone else may have logged into my account.
An additional feature that could be added into this is the ability to force logout old sessions when credentials are changed to ensure that extra users are pushed out if they do gain access to an account.