Perpetual Cookies

July 31, 2016

When you pop open and start using Uber’s app on your iPhone, you drop a pin, hit the “request” button, and a car shows up minutes later. Furthermore, the flow stays that simple even if you haven’t used the app in months.

Contrast that to a typical desktop app (which in today’s world, are invariably written to be used from a web browser), and there’s a major difference: the addition of a single time consuming and highly abrasive step: a login screen; often coupled with a secondary two-factor challenge.

There was a time where shared computing environments were widespread where aggressive session expiration was effective protection against people forgetting to log out of their accounts, but times have changed, and most of us are using personal computers with full disk encryption, strong passwords, automatic screen locking, and web browsers far better vetted for security. I’d personally be far more confident that my stolen laptop would be secure compared to my iPhone protected by provably-breakable Apple technology (Touch ID) or a short four-digit PIN.

Maybe the most frustrating part is that in many cases expiration policies are inversely proportional to the sensitivity of the account. Google gives me about two weeks of runway on Gmail, a vault of paramount importance given that it can be used to reset passwords on every other account that I own, but my public library logs me out every single day despite that even if it were to be compromised, minimal damage would be possible.

Pundits might justify the current state of affairs as a measure to maintain security even for the lowest common denominator; that is for people on older machine/OS combinations, or who are logging in from their local library. This argument holds some weight, but is losing relevance with every passing day.

What if we started introducing “perpetual cookie” options to allow users to indicate that they trust their own environments? There’s an inherent trade-off between security and the lifetime of a web cookie, and for many of us today, it’s one that we’d be comfortably willing to make. The setting could be even be buried deep in advanced options, and thereby be kept safely out-of-reach for novice users.

Perpetual Cookies was published on July 31, 2016.

Find me on Twitter at @brandur.

Did I make a mistake? Please consider sending a pull request.