Q: Many websites offer a checkbox to “Remember this device” or “Remember me” but it often doesn’t seem to work. For example, this option on AT&T’s website shown when prompting for a 2FA code:
…doesn’t seem to work. What’s up with that?
A: Unfortunately, there’s no easy answer here. There is no browser standard for how to implement a feature like this, so different websites implement it differently.
Virtually all of these systems are dependent upon storing some sort of long-lived token within one of the browser’s storage areas (cookies, DOM storage, IndexedDB, etc). Anything which interferes with your browser’s storage areas can interfere with the long-lived token:
- Depending upon how the site is coded, privacy features like Edge’s Tracking Prevention might interfere with storage of the token to begin with.
- There are many different features and operations that can cause one or more storage items to subsequently become inaccessible: for example, privacy controls, third-party utilities, user actions, use of multiple browser channels, and so on. (Please see the blog post for a more comprehensive list.)
Even if the token is successfully stored by the website and is available on later site loads, the server might choose to ignore it.
- Some sites will ignore a cached token if the visitor appears to be coming from a significantly different geographic location, e.g. because you’ve either moved your laptop or enabled a VPN.
- Some sites will ignore a cached token if some element of the user’s environment changes: for instance, if the browser’s configured languages are different than when the token was stored.
- We encountered one site whose auth flow broke if the browser’s User-Agent string changed; this site broke when we tried to fix a compatibility issue by automatically overriding the User-Agent value.
- Some sites will expire a cached token after a certain (often undocumented) timeframe.
- Some sites will expire a cached token if some other security setting in the account is changed, or if there are signs that the account’s login is under brute-force attack.
- Some sites simply change how they work over time. For example, Fidelity recently sent an email to customers with 2FA announcing that they’ll no longer respect a “remember this device” option:
- Some sites will expire a cached token if some other risk heuristic triggers (e.g. a user begins logging in at an unusual time of day, etc).
Debugging problems like this is often non-trivial, but you might try things like:
- See if the “Remember me” behavior works once from the same browser instance.
- See if the “Remember me” behavior works after restarting the browser.
- See if the “Remember me” behavior works properly in a different browser or channel.
- Poke through the F12 Developer Tools’ Application tab to see what sorts of Storage the site’s login flow is writing.