Why Apple's recent privacy changes impact the login experience on Safari
"If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people's accounts. If they know there's a key hidden somewhere, they won't stop until they find it." – Tim Cook, Apple's CEO
Keeping users logged in on your site is a critical part of building a relationship with your user base, and that relationship is built by tracking user behaviour. Web engagement and retention strategies depend on it. More than ever, once a user logs in on your site, they expect to stay logged in across repeated visits unless they explicitly log out. On Safari this experience has changed, and this article examines why.
Apple has steadily tightened its privacy restrictions since 2017, when it introduced ITP (Intelligent Tracking Prevention). In March 2020, ITP made significant changes that affect the login experience on most websites visited with Safari, the second most used browser on the internet with 16.1% of the browser market share. It is the default browser on the iPhone, iPad and Mac computers. Ignoring Apple's privacy changes is not an option.
What is a Cookie?
A cookie is a small text file stored on the visitor's computer and managed by the browser; it holds information the website keeps about the visitor. Cookies can be persistent or session-based. Most cookies are accessible to both the client (script running in the page) and the server. Some cookies are HttpOnly, meaning the server sets the cookie and script running in the page cannot read or modify it. A cookie is essential for keeping a user logged in to your site.
There are two types of cookies to consider when looking at the logged-in experience.
First-party cookies are set by the website the user is visiting. For example, if you are visiting www.mydomain.com, the cookie is set by that domain.
Third-party cookies are set by domains the user is not directly visiting. When you visit www.mydomain.com but a cookie is placed by an advertising site, www.advertisingsite.com, that cookie is a third-party cookie. Third-party cookies are standard on almost all websites that carry ads, chatbots, cross-site tracking or social plugins. Advertising firms also rely heavily on third-party cookies for retargeting campaigns. That is not the focus of this article, but if you want to find out more, you can look at this excellent summary.
On a multi-domain website where the login experience is shared across domains, the login cookie must be set on the primary domain; otherwise, the cookie would be considered a third-party cookie.
With ITP 2.3, Safari blocks all third-party cookies. Apple did this because it is concerned about the privacy of its users. Other industry leaders like Microsoft, Firefox and Google are either already doing the same or plan to do so soon, but Apple is the first significant player to do it with a statistically significant user base.
Client-side cookies (cookies written by script in the page via document.cookie) are deleted after seven days, or in less than 24 hours if they are used for tracking. For the logged-in experience, a user who does not return to your site within seven days will find themselves logged out. If the user returns before the seven days are up, the cookie's deletion is pushed out to seven days from that visit.
Hence building high engagement and increasing the frequency of return visits becomes even more compelling and strategic.
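As an added example (not code from the article), the following JavaScript models the two cookie points above: how a cookie's domain decides whether Safari treats it as first- or third-party on a given page, and how a server issues the login cookie with Set-Cookie, HttpOnly and the primary domain so it is not a script-written cookie subject to the seven-day cap. The function names, the simplified registrable-domain logic and the sample values are assumptions.

```javascript
// Added example, not the article's code. Models first- vs third-party cookie
// classification and a server-issued login cookie. ITP's 7-day cap applies to
// cookies written via document.cookie, so the login cookie is sent by the
// server in a Set-Cookie header instead. All function names are hypothetical.

// Collapse a host to its registrable domain. Simplified assumption: a one-label
// public suffix (e.g. .com); production code would consult the Public Suffix List.
function registrableDomain(host) {
  return host.toLowerCase().replace(/^\./, '').split('.').slice(-2).join('.');
}

// Is a cookie scoped to cookieDomain first- or third-party on a page at pageHost?
function cookieParty(pageHost, cookieDomain) {
  return registrableDomain(pageHost) === registrableDomain(cookieDomain)
    ? 'first-party'
    : 'third-party';
}

// Build the Set-Cookie header for the login session. Sent by the server, so it is
// not a script-written cookie; HttpOnly keeps page script from reading it; Domain
// set to the primary domain lets every host of a multi-domain site share one login.
function buildLoginSetCookie({ name, value, primaryDomain, maxAgeDays }) {
  if (!/^[\x21-\x7e]+$/.test(value) || /[;,"\\]/.test(value)) {
    throw new Error('cookie value must be printable ASCII without ; , " or \\');
  }
  return [`${name}=${value}`, `Domain=${primaryDomain}`, 'Path=/',
    `Max-Age=${maxAgeDays * 86400}`, 'Secure', 'HttpOnly', 'SameSite=Lax'].join('; ');
}

// Audit an existing Set-Cookie header for the login session against the primary
// domain and return a list of findings (an empty list means no issues found).
function auditLoginSetCookie(header, primaryDomain) {
  const attrs = header.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const has = (p) => attrs.some((a) => a === p || a.startsWith(p + '='));
  const findings = [];
  if (!has('httponly')) findings.push('missing HttpOnly: page script can read the session cookie');
  if (!has('secure')) findings.push('missing Secure: cookie is also sent over plain HTTP');
  if (!has('samesite')) findings.push('missing SameSite: browser default applies');
  const dom = attrs.find((a) => a.startsWith('domain='));
  if (dom && cookieParty(primaryDomain, dom.slice('domain='.length)) === 'third-party') {
    findings.push('Domain differs from the primary domain: Safari treats the cookie as third-party');
  }
  return findings;
}
```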
Opportunities to Improve the User Experience
If you require users to sign in to access certain features or content, consider the following goals:
Reduce friction around the login experience
Make it easy for users to stay logged in on repeat visits.
Optimize the forgot password workflow.
The following articles provide examples and best practices for the User Login Experience.
UX Logout Lapse
An Unnecessarily Detailed look at the design of the login screen
Designing a user-friendly login
15 rules of user sign-in experience
There are distinct opportunities to revisit when examining the impact of ITP on user login.
Websites that provide a "remember me" option on the login screen are technically setting a cookie in that browser. Users have become accustomed to returning to the site and being logged in automatically; this is a configuration choice, typically set so that a user who comes back within thirty days is logged back in. Thirty days is an industry practice, not a rule. As previously mentioned, with ITP 2.3 that cookie will last only seven consecutive days. This is a change for users, so consider incorporating messaging that makes them aware of it. Specifically, A/B test or user test messaging on the logged-in screen to inform Safari users of the enhanced privacy restrictions.
Forgot Password Flow
Track the number of logins and the number of "Forgot Password" CTA clicks on your site; both are likely to go up for Safari users. If users have to log in more often, they will forget their password more frequently. Audit the forgot password flow on your website and reduce friction where possible. Improving the flow can help minimize the impact of ITP 2.3.
ITP is not centralized; the stored cookies are specific to the user's behaviour on their local machine, and login experiences vary across platforms. This is not a new UX challenge, but it provides an opportunity to re-examine the login experience, especially on Apple devices. Prioritizing Face ID, for example, could have a better ROI than it did in the past if you are not already supporting it.
Also, consider redirecting traffic from Apple devices to a native mobile app, which becomes more compelling because you control the login experience there.
In conclusion, users want to get onto your site and will not understand why they are continually asked to log back in. They won't blame Apple; they'll blame you. Addressing this both technically and through UI/UX improvements becomes imperative.
What Do You Think?
What do you think? Is your organization aware of and ready to deal with increased privacy concerns and the rapidly changing login and logged-in experience? What else are you doing to manage the impact of ITP 2.3?