User rant: I hate where this new Internet is going. Instead of having a username and a few secure hardware tokens that I can use to log in from any internet cafe [1] on the planet, I am now subjected to a barrage of suspicious "Is this you? Is this really you? Are you sure this is you?" inquiries every time I so much as take a trip out of state. It seems like the next step will be a requirement to show a Government ID every time I access the Internet from outside my house.
"Passwords are insecure" is not a good enough rebuttal to this, honestly. We have far more robust authentication methods available; and it's possible to make them standard and avoid this "Remember me" nonsense. Instead, we get all of it for what seems to be the sole purpose of even more user tracking.
"Is this you?" mode is (now) called Risk-based Authentication [1] [2] [3], although it's been around in various forms for over 15 years. It's an important part of defense-in-depth for user-facing application security. Without it, it would be much easier to attack the vast majority of user accounts, because most people are not as secure as you might be, and authentication methods and strengths/weaknesses vary.
Thanks to lovely "2FA" methods (more likely RFA) like described here, I am currently locked out of my 15+ year old Google account that I no longer use, as they require me to provide them a verification code from an old Android phone I sold over 5 years ago. I contacted Google support - they can't do anything, even though I could provide every single piece of data about the account imaginable - including stuff like the IP ranges that the account was accessed from most of the time, devices linked etc. - sadly, I suspect no real human sits in front of their support chat...
You're not thinking long-tail enough. Once a service reaches a certain size you have to deal with every single kind of failure.
* User forgot their password.
* User's authentication token was eaten by an alligator.
* User's phone fell down a well.
* User's phone broke and they got a new number from their carrier.
* User's phone, laptop, and hardware token were lost by an airline.
* User's phone and backup codes were simultaneously lost in a fire.
* For Google specifically, user lost access to their email and didn't have a recovery set up.
If you can reasonably authenticate them using any means you probably should let them because every time you have to fall back to human customer support it's $$$. Remembering a password is one of the few things that's resistant to life's bullshit but it's also incredibly insecure so this is the compromise.
One aspect we're not thinking about is the customer service cost to a world without passwords. If you forget your password, they just email you a new one. What happens if you lose your bank's 2FA token and miss a payment deadline? "Too bad so sad," is the HN answer, but customers will move their money elsewhere. So now you need a budget for a call center, replacing hardware tokens with overnight shipping, and the "oops we'll pay the late fee for you", at least in the early days. (Once it's "normal" then those benefits will go away, but who is going to keep their money in a bank where they need to carry around something on their keychain, and if they lose it, they lose all their money? Nobody. You have to really smooth over the jarring transition, and that's expensive.)
Meanwhile "are you sure it's you?" questions are free; pay a software engineer to write them, never touch it again, no matter how many customers you have.
So I guess the question you have to answer, is how can a company make more money off of you by changing how you authenticate? If you show them the $$, they'll show you the WebAuthn.
Every single thing that I ever log into that does any kind of risk-based authentication triggers on me almost every single time (well over 90% of the time). Even things like Zoom installed locally on my laptop when I had to switch accounts for a couple of hours last week, when I went to switch back to my main account insisted on doing a code because I was allegedly logging in from a new location or device. (Aside: I have no idea why they present “switch accounts” and “sign out” as though they were different things. You’re fully signed out either way and have to sign in again.)
My only sins are having a dynamic IPv4 address, using Linux, using Firefox, and for some of them using Private Browsing windows for temporary sessions.
If you do use a shared device, you should be using your own user profile on that device. Or, at least, your own browser profile.
You really shouldn't be logging into your sensitive accounts from a public device or computer anyway. Unchecking "remember me" will not make that secure, and to suggest otherwise is a bit misleading.
I feel like you're imagining scenarios you experience in a developed country. This is not representative of most Google users in the world.
Plenty of people use shared computers, especially in environments with low financial resources (i.e. people in developing economies, low income families in developed countries, etc). This accounts for hundreds of millions if not billions of people in the world.
It's unrealistic to expect all these people to have a non-shared computer to use, and unrealistic to imagine the shared computer to be set up by someone tech savvy enough to create separate profiles for people.
If I were to pick a random library or local school in South America or Asia for example, I would bet they have a shared computer where you just sit down at a logged in Windows profile.
> You really shouldn't be logging into your sensitive accounts from a public device anyway.
This kind of functionality is required, for at least one reason: public access to computers in public libraries. So long as some government services can only be accessed online, you will need access to private email accounts from publicly available computers.
Logout after session end is quite useful in that situation, even if only as a backup to manually logging out.
1) Privacy: I have multiple accounts. I don't always want these linked to each other either. This is not only multiple Google accounts (personal and work) but also this leaks data since Google knows more about what accounts I have.
2) Security: Just because it is my computer doesn't mean it is always safe. I don't want someone to be able to login to other services just because I'm logged into one. This is akin to being logged into your password manager but with less control since you can't login to a site you need and logout of your manager. Security is often about creating barriers.
3) Centralization: power/influence grows faster than linear with respect to control. Or we may refer to this as momentum. We don't want Google, or anyone, to have control over something so important like the internet. The distribution is essential. While centralization can be good, too much can stifle innovation. That's the whole problem with monopolies (which don't need to have absolute control, but just significant).
4) Personal control: It is my computer, my data, and my accounts. Your services should be making things easier but also expand the amount of control that we have. Creating walled gardens goes back to 3. Potentially this can even create fissures. Having personal control also helps innovation. Being able to play around lets people find new ways to do new things.
No freaking way. It is a UX component where the website asks for something every commercial site should ask users before tracking: consent. If you leave that unchecked you are telling the site you don't want it to track the device information with your account information once you sign out.
However, Google doesn't give a shit about your consent. Whether you like it or not your device information will be tracked along with your account information and they don't even need you to ever sign in to begin with either.
This isn't about security, it's about liability on Google's end. But from a security perspective, many users have shared computers at their homes (and even at work) and that isn't a situation they can avoid. Even with different user profiles having the right permission means your browser profile can be accessed by someone else. Oh, and guess what? Even in America poor people use shared computers at libraries and schools and they sometimes forget to sign out of the OS account profile after closing the browser.
Isn’t it overall good hygiene to have different accounts for different purposes?
When switching Google accounts you probably won’t want it to have permanent logging cookies, especially if you’re in a pinch and not in the appropriate context (e.g. looking at your family mail from your work computer to quickly get an important message).
Putting the data management responsibility on the user is kind of a dick move, at the same level as all the opt-out garbage we have to deal with.
This isn’t about security, it’s about privacy and tracking consent. Leaving “remember me” unchecked means the user only wants (the equivalent of) a session cookie, as opposed to a persistent cookie. The alternative is to have the browser delete persistent cookies on a per-site basis, or to always open a new “private mode” tab, but that is a lot less convenient to handle for the user.
If you're logged-in, it allows Google to bypass the low-fidelity third-party cookie tracking (that's increasingly being blocked) and use GAIA id instead.
I assumed that's the real takeaway-- they don't really want you logging out if they can avoid it.
I was highly annoyed by the "persistent login via Chrome" thing, because it feels like it breaks the expected separation of concerns-- the stuff inside the browser frame should stay inside the browser frame.
For Workspace, you can set a timeout to automatically log you out after a certain time. I'm not sure if this feature exists for regular accounts though, however even if it did it will not accomplish what you're suggesting which is to only remember you until you restart your computer. If you want to do that, then opening in a private window is the correct solution.
There also exist extensions and apps that can delete session data automatically, and Chrome has policies you can specify to only remember cookies for specific sites.
I used to come to HN for more even-tempered high-IQ discussion but it seems to be devolving into the toxicity that ruins all online forums i.e. being outraged about something from a very limited perspective, accusing big corporation of evil-doing, and generally not appreciating the nuances of a complex problem.
Might I suggest commenting on said missed nuances in the relevant subthread(s) rather than unconstructively blaming the community of being bad now as a whole?
I don't think there is a culture of discussion here. If you write something that the majority does not like, they are very likely to attack you directly.
Persistent sessions are not a problem – not having any security could be (e.g. auto logout on location or IP change, and especially two-factor authentication on various actions), but that would still be depending on the user and various circumstances. The lowest common denominator should not be defining our security practices.
Point is, it is a huge bad practice to automatically log people out without their consent to do so, and it is one of the most horrific annoyances on the sites that do it.
I am not even sure I want that kind of bullshit on my banking accounts, since they got two-factor authorization on account actions anyway. I cannot count the number of times I have lost something I was writing because a site logged me out before I could finish what I was doing.
I just clear all the browser persistent data every time I leave. It probably is possible to recover the cookies using some low-level unerase tools but this still feels better than nothing.
They probably ran some analytics and found the majority of users use the same device and for them "Remember Me" is an annoyance. I honestly want to see more companies adopt this. It is a broken experience when you open a site and it asks you to login again on the same device, given you used the site not long ago on the same device. I want the sites to have robust security in the backend systems but not make users do the work for them.
My complaint is precisely the opposite: most places that have “remember me” checkboxes have nerfed them to the point of genuine uselessness, and way too many services don’t even pretend to let you stay logged in for more than ten minutes and aggressively log you out with no notice. All in clear violation of WCAG, I might add, which conventionally has at least some legal weight in a number of countries.
The problem with short sessions is that users who do not think about them sign in more often. This makes typing your credentials more normal and makes phishing attacks more common. Reducing the rate at which users enter credentials is generally a good thing.
Users who are thinking about having a short session know how to clear site history when they are done, or click "sign out".
Well, my interest is exactly to enter the password more often, so that I do not forget it.
Your reasoning is questionable. Phishing attacks more likely? Maybe yes, maybe no. I personally am very cautious of any login initiated from email and other messages.
I do not know how to clear site history (how?), and do not want whole history cleared; it is useful to have login names saved, for example. I only want an option to not keep the browser signed-in persistently.
Manual sign-out from every site I have in many browser tabs is not practically reliable.
quadrifoliate | 3 years ago
----------------------------------------
[1] Remember those? A refresher if you don't: https://www.youtube.com/watch?v=iWssRVJgPqc
0xbadcafebee | 3 years ago
[1] https://riskbasedauthentication.org/
[2] https://www.okta.com/identity-101/risk-based-authentication/
[3] https://www.beyondidentity.com/blog/what-risk-based-authenti...
71bw | 3 years ago
Spivak | 3 years ago
jedberg | 3 years ago
It took so long the conversation was over before I had my answer. I had to do 2-factor auth, then another verification, then click a link in my email.
I understand why they do it, because the alternative is a lot of stolen accounts. But there must be a decent middle ground here.
jrockway | 3 years ago
hombre_fatal | 3 years ago
What are more popular but casual apps where this is happening out of curiosity?
systemvoltage | 3 years ago
Rygian | 3 years ago
chrismorgan | 3 years ago
The whole approach is manifestly bankrupt.
nostromo | 3 years ago
quantumsequoia | 3 years ago
falcolas | 3 years ago
godelski | 3 years ago
badrabbit | 3 years ago
contravariant | 3 years ago
Not sure if any browser has such an option.
zhte415 | 3 years ago
And it is sad that's an outdated concept.
makeitdouble | 3 years ago
layer8 | 3 years ago
forgotmypw17 | 3 years ago
Many others do not have a device of their own at all.
I think they should be able to access their email.
avodonosov | 3 years ago
classichasclass | 3 years ago
brokenmachine | 3 years ago
e40 | 3 years ago
https://addons.mozilla.org/en-US/firefox/addon/multi-account...
thoweui4o2343 | 3 years ago
hakfoo | 3 years ago
vore | 3 years ago
encryptluks2 | 3 years ago
benknight87 | 3 years ago
lucb1e | 3 years ago
newbieuser | 3 years ago
JacobSeated | 3 years ago
Taniwha | 3 years ago
Really needs a ! rather than a ?
qwerty456127 | 3 years ago
lucb1e | 3 years ago
rajeshp1986 | 3 years ago
chrismorgan | 3 years ago
happyopossum | 3 years ago
This is simply Google skipping the 'enter your email' text box, which I'd imagine most people are happy about.
avodonosov | 3 years ago
Simply speaking, persistent cookies are used unconditionally, while in the past the unchecked "remember me" was setting session cookie instead.
The first screenshot (the one with user name already filled) is when you explicitly log out and then login again.
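The session-cookie versus persistent-cookie distinction that this comment and layer8's comment rely on, as an added example that is not part of any comment in the thread and is not Google's code. The cookie name `sid`, the 30-day lifetime and both function names are assumptions made for illustration; the second function is a small audit check that classifies any `Set-Cookie` value.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

REMEMBER_LIFETIME = timedelta(days=30)  # assumed lifetime, not taken from the thread


def build_login_cookie(token, remember_me, now=None):
    """Return the Set-Cookie value a login handler would send (hypothetical helper)."""
    now = now or datetime.now(timezone.utc)
    parts = [f"sid={token}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if remember_me:
        # Persistent cookie: written to disk and kept across browser restarts.
        parts.append(f"Max-Age={int(REMEMBER_LIFETIME.total_seconds())}")
        parts.append("Expires=" + format_datetime(now + REMEMBER_LIFETIME, usegmt=True))
    # Without Max-Age or Expires the browser treats it as a session cookie
    # and discards it when the browsing session ends.
    return "; ".join(parts)


def cookie_lifetime(header, now=None):
    """Classify a Set-Cookie value as session, persistent or expired."""
    now = now or datetime.now(timezone.utc)
    attrs = {}
    for part in header.split(";")[1:]:  # skip the name=value pair itself
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value.strip()
    # Max-Age takes precedence over Expires (RFC 6265, section 5.3).
    if "max-age" in attrs:
        try:
            seconds = int(attrs["max-age"])
        except ValueError:
            seconds = None  # unparseable attribute is ignored
        if seconds is not None:
            return ("persistent", seconds) if seconds > 0 else ("expired", 0)
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return ("session", None)  # unparseable date is ignored
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        seconds = int((expires - now).total_seconds())
        return ("persistent", seconds) if seconds > 0 else ("expired", 0)
    return ("session", None)


if __name__ == "__main__":
    fixed_now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    # Constructed sample headers, not captured from any real site.
    samples = [
        build_login_cookie("t0ken", remember_me=False, now=fixed_now),
        build_login_cookie("t0ken", remember_me=True, now=fixed_now),
        "sid=t0ken; Path=/; Expires=Wed, 31 Jan 2024 00:00:00 GMT",
        "sid=; Path=/; Max-Age=0",  # typical sign-out response
    ]
    for header in samples:
        print(cookie_lifetime(header, fixed_now), "<-", header)
```

Running the classifier over the `Set-Cookie` headers of a login response shows whether an unchecked "remember me" actually changes what the server sends.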
mgraczyk | 3 years ago
avodonosov | 3 years ago