Tell HN: Cookie-based security alerts are a dark pattern
14 points by torstenvl 9 days ago | 12 comments
In the wake of measures like the GDPR, it seems like websites are increasingly making it as arduous as possible not to let them keep long-term cookies on your computer. One particularly insidious dark pattern is to bombard people with notifications and e-mails on every sign-on unless they allow persistent cookies.

Twitter is a particularly egregious offender. Amazon slightly less so.

If you do this, stop it. It teaches people to ignore legitimate security alerts. A user clearing their cookies is not a security threat.
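The distinction the post draws, between "the device cookie is gone" and "an unrecognized device is here", can be made concrete. The following is an added example written for this page, not code from the post or from any of the sites named in it; the class and field names, the signals used (source network and user agent) and the sample history are all assumptions for illustration. It puts the cookie-only alerting rule beside a rule that treats a missing cookie as an alert only when another signal is also unfamiliar:

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed illustration of two "new device" alerting policies. Names and
# fields are assumptions for this example, not any real site's logic.


@dataclass
class LoginAttempt:
    user: str
    device_cookie: Optional[str]  # persistent "remember this browser" token; None once the user clears cookies
    ip: str
    user_agent: str


@dataclass
class AccountHistory:
    known_device_cookies: Set[str] = field(default_factory=set)
    known_networks: Set[str] = field(default_factory=set)  # CIDR strings seen on past successful logins
    known_user_agents: Set[str] = field(default_factory=set)


def network_is_familiar(ip: str, history: AccountHistory) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in history.known_networks)


def cookie_only_policy(attempt: LoginAttempt, history: AccountHistory) -> bool:
    """The pattern the post objects to: any login without a recognised device
    cookie is treated as an unrecognised device and raises an alert."""
    return attempt.device_cookie not in history.known_device_cookies


def corroborated_policy(attempt: LoginAttempt, history: AccountHistory) -> bool:
    """A recognised cookie still short-circuits the check, but a missing cookie
    alone is not an alert: it must be corroborated by at least one other
    unfamiliar signal (source network or user agent)."""
    if attempt.device_cookie in history.known_device_cookies:
        return False
    other_unfamiliar = [
        not network_is_familiar(attempt.ip, history),
        attempt.user_agent not in history.known_user_agents,
    ]
    return any(other_unfamiliar)


# Constructed sample history and login attempts (documentation-range addresses)
HISTORY = AccountHistory(
    known_device_cookies={"dev-7f3a"},
    known_networks={"203.0.113.0/24"},
    known_user_agents={"Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"},
)
CLEARED_COOKIES_AT_HOME = LoginAttempt(
    "alice", None, "203.0.113.42", "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
)
UNKNOWN_EVERYTHING = LoginAttempt(
    "alice", None, "198.51.100.9", "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0"
)

if __name__ == "__main__":
    for name, attempt in [
        ("cleared cookies, usual network and browser", CLEARED_COOKIES_AT_HOME),
        ("no cookie, new network, new browser", UNKNOWN_EVERYTHING),
    ]:
        print(
            f"{name}: cookie-only alert={cookie_only_policy(attempt, HISTORY)}, "
            f"corroborated alert={corroborated_policy(attempt, HISTORY)}"
        )
```

Under the cookie-only rule a user who clears cookies on exit is alerted on every single login from their own desk, which is exactly the alert fatigue the post describes; the corroborated rule stays quiet for that case and still fires when the cookie is gone and the network and browser are both new.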

Is this an explicit dark pattern, or just simplistic interpretation or misinterpretation of the allowed use of cookies? If you have a mandate to not allow any cookies or state to be kept client side, how will the site know whether or not to show the cookie approval notification? Twitter and Amazon should know better though. I've never seen persistent cookie notifications after logging in, which makes sense since the state of the cookie notification can be stored in the session data for having logged in.

I don't think I implied there should be a mandate not to use cookies. I simply don't think users should be harassed with fake security alerts for clearing them.

It's inaccurate to assume that clearing cookies on exit means that users need an email or notification along the lines of "Security Alert! An unrecognized device tried to access your account!"

All major browsers allow you to clear cookies. Advanced users are more likely to clear cookies on a regular basis. Twitter almost certainly knows this. In light of that, their behavior seems designed to induce people to allow Twitter cookies to persist rather than merely "Allow for session".

Also, wow, you're in luck, cue the buses and fire hydrants because it's captcha week!

Sorry, I should have said "if one has a mandate…", I meant the "royal you".

The mandate I'm referring to is GDPR and CCPA, where a quick read might lead one to think that no cookies can be used and that every possible way that someone might think they are being tracked has to be acknowledged, so the websites err on the side of over notification.

This is just as much legislators not understanding anything about technology and technologists trying to both do the minimum required and meet the letter of the law. It's not a good situation.

This post isn't about GDPR cookie popups. It's about security notifications.

What I hate the most is forced 2fa. Even if you disable 2fa, "ooops you logged in from a slightly different IP address. go check your email, sucker ;)"

2FA is a good idea. But it makes me nearly lose it when a phone number is required and they refuse to accept VOIP numbers.

Looking at you, Doordash, Discord, Twitter, etc

2fa is a good idea. Still, I think it should be my choice whether I use it or not. If I want to have an account that I can always log in just with my user and password, that should be possible.

I'd be happier with 2FA everywhere if it wasn't always tied to a mobile phone, whether it's app based or SMS. I don't want too much of my life dependent on a mid-line device manufactured by the Umidigi corporation. If it decides to go spicy-pillow tomorrow, or I just decide I want a new shiny device, I know it's going to be a full day of dancing around with IT support at work to get the work-related 2FA reset alone. SMS-based 2FA might be better from that UX perspective but it's vulnerable and basically seems like a vector for everyone to have an excuse to demand your mobile number which they totally won't use for marketing reasons later.

If the account security is important enough, you can afford to buy me a Yubikey.

I also feel like there's opportunities to rethink account management in general. There are a lot of accounts where you access them so erratically that there's good odds you'll hit "password expired, must reset now" or "this was set up back when I was on a different device and the 2FA didn't carry over." I'd love to see more sites using the "we'll send you a one-time login link" pattern. This leverages the security of the email account, which is more likely to be kept fresh because you actually use it. Carried to its logical conclusion, you could have accounts with no password on file, which reduces the value of the database for credential-reuse attacks.
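The "we'll send you a one-time login link" pattern the comment above favours has a few properties that matter for it to actually be safe: the token must be unguessable, it must expire, it must work only once, and the server should store only a hash of it so that a leaked table is worthless, which is the same reason the commenter gives for having no password on file. The following is an added example written for this page, not code from the comment or from any site; the class and method names, the 15-minute lifetime and the in-memory store are assumptions for illustration (a real service would persist the hashes in its database and send the token in a URL by e-mail):

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed illustration of one-time login links; class and field names are
# assumptions for this example, not any site's real implementation.

LINK_TTL_SECONDS = 15 * 60  # assumed lifetime of a link


@dataclass
class PendingLink:
    email: str
    expires_at: float
    used: bool = False


def _fingerprint(token: str) -> str:
    # Only the hash is stored. The token is 256 random bits, so the hash cannot
    # be reversed and a leaked table gives an attacker nothing to log in with.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class MagicLinkStore:
    def __init__(self) -> None:
        self._pending: Dict[str, PendingLink] = {}  # token hash -> pending link

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Create a single-use link token for `email` and return the plaintext
        token, which goes into the e-mailed URL and nowhere else."""
        now = time.time() if now is None else now
        # Any earlier unused link for this address is invalidated, so only the
        # newest e-mail works and old messages in an inbox cannot be replayed.
        for h, link in list(self._pending.items()):
            if link.email == email and not link.used:
                del self._pending[h]
        token = secrets.token_urlsafe(32)
        self._pending[_fingerprint(token)] = PendingLink(email, now + LINK_TTL_SECONDS)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the e-mail address the token authenticates, or None if the
        token is unknown, expired or already used."""
        now = time.time() if now is None else now
        link = self._pending.get(_fingerprint(token))
        if link is None or link.used or now > link.expires_at:
            return None
        link.used = True  # a second click on the same link fails
        return link.email


if __name__ == "__main__":
    store = MagicLinkStore()
    token = store.issue("alice@example.com", now=1_000.0)
    print("first use:", store.redeem(token, now=1_100.0))  # alice@example.com
    print("replay:   ", store.redeem(token, now=1_100.0))  # None
```

Note that an expired or already-used token is rejected without being distinguishable from an unknown one, and that a fresh request for the same address supersedes the previous link; both choices close the "old e-mail still works" gap that makes mailed links risky when they are implemented naively.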

Facebook too, it’s how I lost my 12-yo Facebook account due to VoIP phone number.

Still no available recourse to get it back.

The best user tracking method is a real phone number.

I suspect there might be a malicious reason for that: to dissuade you from using private browsing or clearing cookies.
