
"Remember me", "Keep me signed in", and "Remember this device" aren't the same thing

Sviatoslav Nytka, Senior Product Designer at TechMagic
TLDR: "Remember me", "Keep me signed in", and "Remember this device" are constantly confused, by users and by the products labelling them. They do three different things with three different risk levels: remember your email, keep your session alive, or skip your MFA. Pick the right one, label it precisely, provide a clear explanation, and never quietly default the risky ones on.

Here's the real problem in practice: in one product, "Remember me" only saves your email address. In another, "Remember me" silently keeps you signed in and provides no explanation. From the label alone, users can't tell the difference, so they can't make an informed choice. Many products use these labels interchangeably, but these actions are not the same.

  1. Remember me – saves the identifier. The original meaning, and the safest. It stores your email or username on the device so the field is pre-filled next time. The password is still required. Nothing that grants access is saved.
  2. Keep me signed in – keeps the session alive. Also seen as "Stay signed in". This persists your authenticated session well past the normal timeout, so closing the browser doesn't log you out. You skip re-authentication for days or weeks. Convenient, but now anyone with access to the device is already inside.
  3. Remember this device – skips MFA. Also "Trust this computer". This marks the device as trusted so your second factor isn't requested on future logins for some window, often 30 days. This is the one that turns off your strongest protection on that device.
Victoria Shutenko, Security Engineer at TechMagic

The useful way to think about risks is by what each one actually persists.

  1. "Remember me" persists an identifier. There's no credential and no session stored, so the worst case on a shared device is that the next person sees which email was used. Low risk.
  2. "Keep me signed in" persists a session – a long-lived cookie or token. Anyone who can use the device, or who steals that token through malware or a cross-site scripting flaw, gets in without ever knowing the password. The exposure window is the whole lifetime of that session. High risk on shared devices.
  3. "Remember this device" persists a decision to skip the second factor. That's high risk, because it removes the control that's supposed to save the account when the password is phished or reused. If the password later leaks and the device is trusted, there's nothing standing in the way.
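To make the three "what is persisted" cases concrete, here is an added example (not code from the article or from TechMagic) of a minimal server-side login that issues a different artifact for each checkbox. The cookie names, the 8-hour normal session, the 30-day persistent session and the 30-day trusted-device window are assumptions for illustration; the 30-day figure mirrors the window mentioned above. The point it demonstrates is the exposure of each stored artifact: the remembered identifier grants nothing, the persistent session grants full access for weeks without a password, and the trusted-device token grants nothing on its own but lets a leaked password through without MFA.

```python
"""Three login checkboxes, three different persisted artifacts (added example)."""
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed lifetimes for the example.
NORMAL_SESSION_TTL = timedelta(hours=8)      # ordinary browser session
PERSISTENT_SESSION_TTL = timedelta(days=30)  # "Keep me signed in"
TRUSTED_DEVICE_TTL = timedelta(days=30)      # "Remember this device"


def _digest(token: str) -> str:
    # Only a hash of each secret is stored server side, so a database
    # leak does not hand out usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Record:
    user: str
    expires: datetime


@dataclass
class AuthServer:
    sessions: dict = field(default_factory=dict)         # digest -> Record
    trusted_devices: dict = field(default_factory=dict)  # digest -> Record

    def login(self, user, password_ok, mfa_code_ok, cookies, *, now,
              remember_me=False, keep_signed_in=False, remember_device=False):
        """Return (outcome, cookies_to_set).

        `cookies` is what the browser sent; `mfa_code_ok` is None when the
        user has not supplied a second factor yet. All three options default
        to off: they are opt-in decisions.
        """
        if not password_ok:
            return "denied", {}
        # MFA is skipped only for a valid trusted-device token bound to THIS user.
        if not self._device_trusted(user, cookies.get("trusted_device"), now):
            if mfa_code_ok is None:
                return "mfa_required", {}
            if not mfa_code_ok:
                return "denied", {}

        set_cookies = {}
        # 1. "Remember me": the identifier only. No credential, no session.
        if remember_me:
            set_cookies["remembered_login"] = user
        # 2. "Keep me signed in": the session outlives the browser window.
        ttl = PERSISTENT_SESSION_TTL if keep_signed_in else NORMAL_SESSION_TTL
        session_token = secrets.token_urlsafe(32)
        self.sessions[_digest(session_token)] = Record(user, now + ttl)
        set_cookies["session"] = session_token
        # 3. "Remember this device": a separate token whose only meaning is "skip MFA".
        if remember_device:
            device_token = secrets.token_urlsafe(32)
            self.trusted_devices[_digest(device_token)] = Record(user, now + TRUSTED_DEVICE_TTL)
            set_cookies["trusted_device"] = device_token
        return "ok", set_cookies

    def _device_trusted(self, user, token, now):
        if not token:
            return False
        rec = self.trusted_devices.get(_digest(token))
        return rec is not None and rec.user == user and now < rec.expires

    def whoami(self, cookies, now):
        """Who a bearer of these cookies is, without typing any password.

        Returns the user name for a live session cookie, else None: the
        remembered identifier and the trusted-device token alone give nothing.
        """
        rec = self.sessions.get(_digest(cookies.get("session", "")))
        if rec is not None and now < rec.expires:
            return rec.user
        return None
```

Walking through `whoami` with each cookie in isolation is the risk ranking in the list above: only the session cookie is a bearer credential, and `keep_signed_in` stretches its lifetime from hours to weeks. The trusted-device check is bound to the user and expiry, so a token from one account does not suppress MFA for another.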

What good UX looks like

  1. Use distinct, accurate labels. Don't call session persistence "Remember me". If the box keeps a session, say "Keep me signed in"; if it skips the second factor, say "Remember this device". The label is the user's clue.
  2. Explain it where the decision happens. Tooltip or a short line at the checkbox: what's stored, for how long, and what isn't.
  3. Match the default to the risk. Remembering an email can be low-stakes. Keeping a session alive and skipping MFA should never be silently on – they're opt-in choices the user makes deliberately.
SG Markets. "Remember my login email" with a tooltip that spells it out – it saves the email on the device and explicitly not the password.
Adidas. "Keep me logged in. Applies to all options." – a clear 30-day explanation that tells users to pick it only on devices they control. Note that users will be automatically logged out after 30 days. This provides a much better balance between security and convenience than keeping users signed in indefinitely.
eBay. "Stay signed in" with a note that it persists the session but may still ask for re-authentication on sensitive activities – a good example of step-up auth explanation.
Walmart. "Keep me signed in" on the verification step, with a plain "Uncheck if using a public device" prompt directly under it. One more good example of step-up auth explanation.
eCatholic. "Remember this device" stated precisely – it skips 2FA for 30 days, with a clear warning not to use it on a public or shared device.
Dropbox. "Trust this computer" – explains that a trusted computer won't be asked for a code again, and that you should trust it only if you trust everyone who uses it.
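The eBay and Walmart entries above describe step-up authentication: a persisted session is enough to browse, but sensitive actions still ask for fresh credentials. Here is an added example (not code from the article or from any of the products named) of the server-side rule behind that behaviour. The action names and freshness windows are assumptions chosen for illustration; the design choice shown is that resuming a session from a "Keep me signed in" cookie never counts as authenticating, so `last_auth` only moves when a password or second factor is actually verified.

```python
"""Step-up authentication for persisted sessions (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy: how recently the user must have actively authenticated
# (password or MFA verified, not a cookie presented) before each action.
# None means any live session is enough.
FRESHNESS = {
    "view_orders": None,
    "change_email": timedelta(minutes=10),
    "change_password": timedelta(minutes=10),
    "add_payment_method": timedelta(minutes=5),
    "disable_mfa": timedelta(minutes=1),
}


@dataclass
class Session:
    user: str
    expires: datetime
    last_auth: datetime   # last time credentials were verified
    persistent: bool      # created with "Keep me signed in"


def resume_from_cookie(session: Session, now: datetime):
    """Browser returns with a persistent cookie: the session is live, but the
    user has proven nothing new, so last_auth is deliberately left alone."""
    if now >= session.expires:
        return None
    return session


def authorize(session: Session, action: str, now: datetime) -> str:
    """Return 'allow', 'reauth' or 'expired' for the requested action."""
    if now >= session.expires:
        return "expired"
    window = FRESHNESS[action]
    if window is None:
        return "allow"
    if now - session.last_auth > window:
        return "reauth"
    return "allow"


def reauthenticate(session: Session, credentials_ok: bool, now: datetime) -> bool:
    """Called after the step-up prompt; refreshes last_auth only on success."""
    if credentials_ok:
        session.last_auth = now
    return credentials_ok
```

With this rule a stolen long-lived session cookie still reads the account, which is why the risk ranking above stays where it is, but it cannot change the password, add a payment method or turn off MFA without the credential it lacks. That is the balance the eBay and Walmart wording is describing to the user.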

Bottom line

"Remember me", "Keep me signed in", and "Remember this device" are three controls, not three names for one. They remember an email, hold a session, and skip MFA. Label each for what it does, explain it clearly, keep them off by default, and warn about shared devices.