Q: Many websites offer a checkbox to “Remember this device” or “Remember me” but it often doesn’t seem to work. For example, this option on AT&T’s website shown when prompting for a 2FA code:
…doesn’t seem to work. What’s up with that?
A: Unfortunately, there’s no easy answer here. There is no browser standard for how to implement a feature like this, so different websites behave differently.
Virtually all of these systems are dependent upon storing some sort of long-lived token within one of the browser’s storage areas (cookies, DOM storage, IndexedDB, etc). Anything which interferes with your browser’s storage areas can cause the long-lived token to disappear, and there are many different features and operations that can cause one or more storage items to disappear, including privacy controls, 3rd party utilities, user-actions, use of multiple browser channels, and so on. (Please see the blog post for a more comprehensive list).
Similarly, depending upon how the site is coded, privacy features like Edge’s Tracking Prevention might interfere with storage of the token to begin with.
Even if the token is successfully stored by the website and preserved for later visits, the server might choose to ignore it.
- Some sites will ignore a cached token if the visitor appears to be coming from a significantly different geographic location, e.g. because you’ve either moved your laptop or enabled a VPN.
- Some sites will ignore a cached token if some element of the user’s environment changes: for instance, if the browser’s configured languages are different than when the token was stored.
- We encountered one site whose auth flow broke if the browser’s
User-Agent
string changed– this site broke when we tried to fix a compatibility issue by automatically overriding the User-Agent value. - Some sites will expire a cached token after a certain (often undocumented) timeframe.
- Some sites will expire a cached token if some other security setting in the account is changed, or if there are signs that the account’s login is under bruce-force attack.
- Some sites simply change how they work over time. For example, Fidelity recently sent an email to customers with 2FA announcing that they’ll no longer respect a “remember this device” option:
- Some sites will expire a cached token if some other risk heuristic triggers (e.g. a user begins logging in at an unusual time of day, etc).
Debugging
Debugging problems like this is often non-trivial, but you might try things like:
- Watch the F12 Developer Tools’ console to look for any notes about storage being blocked by a browser privacy feature, or a JavaScript exception.
- See if the “Remember me” behavior works once from the same browser instance.
- See if the “Remember me” behavior works after restarting the browser.
- See if the “Remember me” behavior works properly in a different browser or channel.
- Poke through the F12 Developer Tools’
Application
tab to see what sorts of Storage the site’s login flow is writing.
Impatient optimist. Dad. Author/speaker. Created Fiddler & SlickRun. PM @ Microsoft 2001-2012, and 2018-2022, working on Office, IE, and Edge. Now a SWE on Microsoft Defender Web Protection. My words are my own, I do not speak for any other entity. View more posts