series: Login Bingo ➤

by Matthew Lyon  •  February 4, 2025

Forget This Device

It’s time to go log in to the system to do the thing. You’re not sure when you last used it… maybe yesterday, maybe last month? Not that long ago. Whatever the case, after entering your username and password, you’re presented with a Multifactor Authentication challenge, with a checkbox to “remember me on this trusted device”. You complete the challenge and click the box, thinking vaguely that you clicked it last time.

Next week, you need to log in again, and notice that, despite having checked the “remember me on this device” box, you’re again prompted with an authentication challenge and a box to check to remember you on this device.

Eventually you stop checking the box, realizing it does effectively nothing.


I’ve referred to this anti-pattern before as Lies, Damned Lies, and “Remember This Device”. There are a multitude of reasons why this behavior may occur, but the legitimate ones are few and far between – the main one being that the user’s browser has privacy modes cranked up and purges cookies. Someone who has these settings enabled is probably aware of it and will generally not be frustrated by it.

In planning out this series, I investigated a number of sites I use on a regular basis to try to determine why their affordance for opting in the device to a trust factor isn’t working, and found:

  • The cookie for storing this bit was set on a domain name entirely unrelated to the one the website form is hosted on or submitted to – something many browsers now prevent by default

  • The cookie is set with a ridiculously short Expires or Max-Age parameter – in one case, half an hour

  • The cookie is not set with an Expires or Max-Age parameter, which makes it a session cookie that is deleted when the browser shuts down

  • The cookie is set with incorrect Domain, Secure, or SameSite attributes

  • No cookie is set; perhaps the website is attempting some other mechanism for remembering this browser, such as device fingerprinting, though this strikes me as both ridiculous and insecure

  • The cookie is invalidated because I had checked this box on another device and apparently I am only allowed one trusted device at a time

  • Some other issue unknowable from debugging their front-end; everything looks right, probably a bug in their implementation
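Several of the failures above (short lifetime, session cookie, wrong Domain, Secure or SameSite) can be caught by checking the Set-Cookie header before it ships. The following is an added example, not code from the essay or from any of the sites it describes; the cookie name, hosts, and the 30-day minimum lifetime are assumptions.

```javascript
// Added example: audit a "remember this device" Set-Cookie header.
// MIN_LIFETIME_S is an assumed policy (30 days), not a value from the essay.
const MIN_LIFETIME_S = 30 * 24 * 3600;

function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of rest.filter(Boolean)) {
    const i = a.indexOf("=");
    // Attribute names are case-insensitive; flag attributes (Secure) have no value.
    cookie.attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// responseHost: host that sent the header. now: injectable clock for testing.
function auditTrustCookie(header, responseHost, now = Date.now()) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  // Max-Age wins over Expires when both are present (RFC 6265).
  let lifetime = null;
  if (attrs["max-age"] !== undefined) lifetime = Number(attrs["max-age"]);
  else if (attrs.expires !== undefined) lifetime = (Date.parse(attrs.expires) - now) / 1000;
  if (lifetime === null) findings.push("session-cookie");
  else if (Number.isNaN(lifetime)) findings.push("unparseable-lifetime");
  else if (lifetime < MIN_LIFETIME_S) findings.push("short-lifetime");
  // Browsers reject a cookie whose Domain does not domain-match the sending host.
  if (attrs.domain !== undefined) {
    const d = String(attrs.domain).replace(/^\./, "").toLowerCase();
    const h = responseHost.toLowerCase();
    if (h !== d && !h.endsWith("." + d)) findings.push("domain-mismatch");
  }
  if (!attrs.secure) findings.push("missing-secure");
  // Browsers such as Chrome reject SameSite=None cookies that lack Secure.
  if (String(attrs.samesite || "").toLowerCase() === "none" && !attrs.secure)
    findings.push("samesite-none-without-secure");
  return findings;
}

// Constructed sample headers (cookie name and hosts are hypothetical).
const SAMPLES = {
  good: "device_trust=abc123; Max-Age=7776000; Path=/; Secure; HttpOnly; SameSite=Lax",
  halfHour: "device_trust=abc123; Max-Age=1800; Secure; SameSite=Lax",
  session: "device_trust=abc123; Secure; SameSite=Lax",
  wrongDomain: "device_trust=abc123; Max-Age=7776000; Domain=auth.example.net; SameSite=None",
};
for (const [k, h] of Object.entries(SAMPLES))
  console.log(k, auditTrustCookie(h, "login.example.com"));
```

An empty findings list only means the header itself is sound; it says nothing about server-side invalidation such as the one-trusted-device limit described above.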

Whatever the excuse, this minor frustration is the butt of jokes. It reinforces a feeling that the website isn’t implemented properly, and therefore unworthy of trust. Ironically, removing the feature entirely and requiring an authentication challenge on each login attempt would curtail this feeling, a case where doing less achieves more.
