Caution: my English is far from perfect. (Русский тоже не всегда хорош).

Monday, 26 September 2022

Only Persistent LogIn

Google login dialog does not have the "stay signed-in" checkbox anymore - you session is always persistent. Once logged in, this web browser will have access to your account even after reboot.

 


Yandex does the same:


How insecure.

In case of Google, if that's really the first time you login on this machine, there is a hint: "Not your computer? Use a Private Window to sign in."

But that is my computer. And this hint is only shown if you have never logged in from this computer's web browser. If you were logged in and then logged out, Google remembers the login name (presented in the combo box in the first screenshot), and there is no option to avoid persistent session and no hint to use a private window.

Yandex does not have even this.

Why are such bad practices getting adopted? Is that a by-product of multi-factor authentication spread everywhere? People are annoyed that together with password they need to reach for their phone, so lets not log them out at all?

Or is that because people never restart web browsers now? Always hibernate laptops, and on mobile devices browsers just stay open forever? But then it would be better to make sure the cookies expire in, say, 30 minutes of inactivity, even if browser is not restarted.

Or some other reason?

Update: I initially wrote "the "remember me" checkbox", but the proper name is "stay signed-in for N days". Simply speaking, I want a choice between persistent cookie or session cookie for the auth token. I don't mind so much the login name remembered unconditionally. But only name, not access to the account.

No comments:

Blog Archive