![\"sdet](\"/static/f2285f88357fa253a77cc37acde43ff8/0a47e/sdet_role.png\" "\\"sdet")
\n \nSDET stands for Software Development Engineer in Test, QA Engineer, or Testers. On the other hand, it can be a manual tester or Automation Engineer who does not participate in software development. SDET is often involved in developing testing-friendly code that is useful in scripting test cases or designing automation solutions. SDET is also engaged in the design, processes, and functionality level decisions of the software product.
\n\n\nPresently, several organizations, are demanding such SDET professionals who can develop the software and test the software developed.
\n
\n \n \n \n \n
\n\nTester or Quality Analyst who has good programming experience and developed the test automation framework can be promoted to a new role as SDET and can participate in the development cycle, acceptance testing, or unit testing.
\n
Automation Engineers or Quality Analysts are expected for more duties and more QA processing challenges over a general testing role like test planning, test environment setup, test execution, test-data preparation, performance, security testing, developing test automation tools, etc. In contrast, SDET is expected to have the domain knowledge to participate in designing the test cases.
\nSoftware Testing is an essential phase in the development cycle, and it takes lots of time and effort. Many other factors help reduce the efforts and timeline, which can be achieved by doing the Code Coverage, Unit Testing, and acceptance testing before delivering software to the QA stage. That's why hiring SDET helps them work for all those factors with the development team or designing the testing framework.
\nBenefits of SDET Professional:
\nSkill Set:
\nSDET is a tester or automation engineer with development experience who has exposure to testing techniques, QA testing process, automation frameworks, and software development & design techniques. SDET builds test automation tools and works with the development team and covers the code by unit tests and ultimately, it results in a quality software delivery
\n","frontmatter":{"date":"March 12, 2021","updated_date":null,"description":"A brief overview about the upcoming future of software testers and SDETs and the requirement of SDET role and responsibility in 2021.","title":"The Upcoming Future of Software Testers and SDETs in 2021","tags":["SDET","SDET vs Automation Engineer"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/3a1d79a880cd0db03b3642939f55be05/ee604/cover.png","srcSet":"/static/3a1d79a880cd0db03b3642939f55be05/69585/cover.png 200w,\n/static/3a1d79a880cd0db03b3642939f55be05/497c6/cover.png 400w,\n/static/3a1d79a880cd0db03b3642939f55be05/ee604/cover.png 800w,\n/static/3a1d79a880cd0db03b3642939f55be05/db955/cover.png 900w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Rakesh Pareek","github":"rkpareek","avatar":null}}}},{"node":{"excerpt":"Cloud technology has become the focus of attention for organizations looking to increase productivity, scale up business goals and maintain…","fields":{"slug":"/engineering/effective-cloud-management-platform/"},"html":"Cloud technology has become the focus of attention for organizations looking to increase productivity, scale up business goals and maintain cost-efficiency.
\nIts regular optimization and security processes help match organizational targets with the added benefits of improved flexibility and accessibility, qualities bound to continue gaining focus in the future or work.
\nAs with any information technology, cloud computing involves the risks of reduced performance, lack of reliability, and environmental unsustainability if proper controls are not set in place. That’s where cloud management platforms come in.
\nCloud management refers to the management of all cloud infrastructure such as hardware, virtualized software, storage components, and networking servers. The control of resources and assets is employed for public, private, and hybrid cloud infrastructures.
\nSome well-known cloud infrastructures that you may be familiar with include software-as-a-service (SaaS), Infrastructure-as-a-service (IaaS), and Platform-as-a-service (PaaS). Google Drive is another popular favorite that manages your data through cloud storage.
\nTypically, cloud management consists of:
\nCloud management enables self-service measures for improved flexibility where IT specialists can access cloud-based resources, track usage, and allocate resources.
\nWith remote teams entering the new era of the workforce, cloud management services (CMS) can automate workflows, assist with remote desktop software, and secure data with greater compliance.
\nCloud management also includes cloud analysis which helps monitor workloads and user experiences. Depending on the size and complexity of business requirements, they can manage cloud services for testing performance, backup options, recovery systems, and monitoring logs.
\nSince the last year, most businesses have managed their resources and operations with the cloud through cloud migration. This shift will continue to rise soon, with companies adapting to grow their performance and revenue by automating operations and processes.
\nCloud management platforms are an integral part of managing cloud resources and infrastructure. Here’s how they help in business operations.
\nCloud management is the best approach to adhere to cloud optimization practices. It heavily cuts down on user chargeback and billing costs since it essentially acts as a guide to navigating between different vendor pricing models. Cost efficiency is also maintained by choosing the right size of cloud applications for your business.
\nOne of the significant goals of cloud management is also to improve application performance through relevant tools and cloud architecture by reducing energy consumption.
\nIn a nutshell, CMS allows businesses to gain more control over their public cloud environments while minimizing costs, increasing security, and using expert knowledge to promote user efficiency with little to no human assistance.
\nA cloud management platform (CMP) or cloud management tool is software that incorporates a collection of features or modules that allow various cloud environments to be controlled. Cloud management platforms are significant because a simple virtualization management console cannot control public, private, and hybrid clouds at once.
\nTo maximize resources and service usage, businesses should adopt cloud management platforms to optimize invested cloud infrastructure.
\nCMPs are tools that sit above cloud platforms such as IaaS (Infrastructure as a Service), SaaS (Software as a Service), and PaaS (Platform as a Service). They can quickly gather business tools, processes, and technologies, to promote cloud environment management.
\nManaging your cloud services is a great way to manage several infrastructures at once. Using cloud management platforms makes this even simpler by giving you a one-stop-shop for all your operational, financial, storage, and privacy needs for cloud environments.
\n","frontmatter":{"date":"March 10, 2021","updated_date":null,"description":"Cloud management platforms are an integral part of managing cloud resources and infrastructure. They are a real asset, especially for a modern and remote workforce. Here’s how they help in business operations.","title":"Why You Need an Effective Cloud Management Platform","tags":["Cloud","Cloud Management"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/f34406d2bc8690d05cf3d3c6796a7ff4/bc59e/cover.png","srcSet":"/static/f34406d2bc8690d05cf3d3c6796a7ff4/69585/cover.png 200w,\n/static/f34406d2bc8690d05cf3d3c6796a7ff4/497c6/cover.png 400w,\n/static/f34406d2bc8690d05cf3d3c6796a7ff4/bc59e/cover.png 512w","sizes":"(max-width: 512px) 100vw, 512px"}}},"author":{"id":"Aayushi Sanghavi","github":null,"avatar":null}}}},{"node":{"excerpt":"Adaptive Authentication (also known as Risk-based Authentication) is a method to send notifications or prompt the consumers to complete an…","fields":{"slug":"/engineering/what-is-adaptive-authentication/"},"html":"Adaptive Authentication (also known as Risk-based Authentication) is a method to send notifications or prompt the consumers to complete an additional step(s) to verify their identities when the authentication request is deemed malicious according to your organization's security policy. It allows users to log in using a username and password without presenting any additional authentication barrier while providing a security layer whenever a malicious attempt is made to access the system.
\nAdaptive Authentication analyzes the user interaction with your application and intelligently builds a risk profile based on the consumer behavior or your organization's security policy. The system creates a user. You can define the risk factors in one of the following ways:
\nYou can define one or more risk factors based on your business requirements:
\nUser Role: The employees with higher user roles in the system can perform sensitive actions; hence, you can ask them to perform additional steps to complete the authentication. The employees with lower user roles pose a lower security risk and can log in with usernames and passwords for a frictionless user experience.\nAccessing sensitive resource: You can also ask the employees to perform additional authentication steps when they try to access a sensitive resource like financial statements,
\nPerform sensitive actions: If the employees are trying to perform sensitive actions like edit or delete actions on the sensitive information, they can be asked to verify the identity with additional steps.
\nLocation: The employees are trying to login into a system using a public network instead of the office network.
\nDevice: If employees use their personal laptop instead of using a company-issued laptop.
\nMost systems build a risk profile based on a consumer's recent interaction with your applications. The system generally leverages machine learning to create this profile on the fly. Here are the common risk factors:
\nCountry: The system can trigger actions and notifications if the consumer is logged in from a different country. e.g., If the consumers travel outside of their country of residence and try to access the system, some financial instructions like credit card companies block the access for the consumers to the system. These companies require you to inform the companies before leaving the country to whitelist the country for your account in the system.
\nCity: If the consumer has logged in from a different city than he usually logs in from, it will trigger Adaptive Authentication. Once the consumer completes the Adaptive Authentication for the new city, the city can be added to the system for future Logins without the Adaptive Authentication.
\nDevice: If the consumer tries to login in from a new device, the request will be flagged as malicious under the Adaptive Authentication. Once the consumer completes the Adaptive Authentication for the new device, the city can be added to the system for future Login without Adaptive Authentication.
\nBrowser: If the consumer was logging from the Chrome browser and suddenly tries to log in from the Firefox browser, the authentication attempt will be deemed malicious and trigger the Adaptive Authentication. Once the consumer completes the Adaptive Authentication step, it will whitelist the browser for future authentication attempts for the consumer account.
\nYou can also combine the Pre-defined factors (as mentioned above) and Dynamic factors to trigger the Adaptive Authentication.
\nWhenever an authentication request is deemed as a malicious attempt based on the risk factors defined for your application, it can trigger one or more of the following actions according to your business requirements:
\nEmail Notification: An email is sent to notify the consumer about the authentication request. If the consumer found the authentication request malicious, they can inform the company to take appropriate actions.
\nSMS Notification: An SMS is sent to the consumer's phone numbers to notify the consumer about the authentication request. It gives an advantage as the consumer checks the SMS more frequently than email, or the consumer might not have access to the email all the time. If the consumer found the authentication request malicious, they can inform the company to take appropriate actions.
\nMulti-Factor Authentication: The consumer is asked to verify the identity with the second factor of authentication. This factor can be configured in many ways as per your business requirements. Please see my blog on Multi-factor Authentication for more details.
\nBlocking User Access: The account is blocked immediately for further login attempts once specific risk criteria have been met. The consumer needs to contact the company to unblock the access.
\nSecurity Questions: This forces the consumer to answer one or more security questions before authenticating the request.
\nPush authentication: User authentication is accomplished by delivering a push notification to a secure application on the user's device.
\nFIDO U2F tokens: FIDO U2F tokens allow users to utilise a single device to access any website or online service that supports the FIDO U2F protocol.
\nMultifactor authentication creates a longer authentication process for the consumers, which causes lower consumer conversation at your application. Adaptive Authentication only triggers an elevated-risk situation while keeping the frictionless authentication process in place for normal conditions.
\nYou can configure actions based on the severity of the risk factors like if the consumer normally logs into your system from Vancouver and they make an authentication request to access the application from Cancun, this is an elevated-risk situation and you might want to block the account instead of sending the notification to the consumer.
\nAdaptive Authentication is evolving as Machine learning can add more risk factors by studying consumer behavior over the period. Hence, it provides an updated layer of security against fraudulent attempts.
\nAdaptive authentication is getting popular as it provides frictionless authentication for consumers while preventing fraudulent attempts to access the system.
\nLoginRadius provides Adaptive Authentication to its customers to assist their businesses. Please see Risk-Based Authentication Document for more information on the LoginRadius Adaptive Authentication.
\n","frontmatter":{"date":"March 09, 2021","updated_date":null,"description":"Adaptive Authentication intelligently identifies malicious attempt based on the defined risk factors and prompt the consumers to complete an additional step to verify their identities","title":"What is Adaptive Authentication or Risk-based Authentication?","tags":["Adaptive Authentication","Risk-based Authentication"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.550387596899225,"src":"/static/cb091325d11a0ecb1aba62586a057ef8/14b42/adaptive-authentication.jpg","srcSet":"/static/cb091325d11a0ecb1aba62586a057ef8/f836f/adaptive-authentication.jpg 200w,\n/static/cb091325d11a0ecb1aba62586a057ef8/2244e/adaptive-authentication.jpg 400w,\n/static/cb091325d11a0ecb1aba62586a057ef8/14b42/adaptive-authentication.jpg 800w,\n/static/cb091325d11a0ecb1aba62586a057ef8/d7a38/adaptive-authentication.jpg 1071w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Jitender Agarwal","github":null,"avatar":null}}}},{"node":{"excerpt":"In the whole software development process, QA testing has a unique space. QA is responsible for ensuring that developed software is bug-free…","fields":{"slug":"/engineering/challenges-faced-by-qa/"},"html":"In the whole software development process, QA testing has a unique space. QA is responsible for ensuring that developed software is bug-free and works concerning technical and business requirements.
\nQA engineers must have a good understanding of each project and what it means to accomplish. They must deliver quality software to the clients.
\nGiven the responsibility of a QA's job, it is natural to face many challenges in their day-to-day tasks. This article will help to understand the most common of those challenges faced by any QA.
\nUsually, QA teams face unstable environment setup issues that we need to prepare for most of what we have. Sometimes the server gets stuck due to overload and requires a restart many times during testing etc.
\nEscalate these issues to the seniors and make sure you get the environment ready for the testing.
\nNow and then, we realize that a tool is not the right choice for the project. We do not have any other option but to keep using it because the clients/organization already have licenses and would not go for a new one until the current license expires.
\nIt is not fun, but you learn alternate options. Or at least, one can conclude with regards to if the possibilities work.
\nThe biggest challenge QA is to receive requests for last-minute testing. The primary reasons for such demands are that the development process takes more time than expected and the time for testing is underestimated. Generally, testing and debugging take 50% of the development time. When QA has a short time frame for verification, they should check software against the main business specifications. Software testing should begin at least three days of release.
\nIn the case of QA, it's faster to create a document from scratch than to use the one created by others. Using test cases created by others increases the time of verification and puts limits as far as discovering bugs.
\nEverybody thinks of the successful releases of new features or products, but the reality could be different. From our testing experience, the software doesn't typically release from the first time in most cases. The best time for releasing the software is the start of the week. Thus it gives development and QA teams the rest of the week to manage with whatever comes up.
\nWhile trying to make an accurate estimate, some software estimations could be entirely unpredictable and go wrong. As developers, QA also doesn't have 100% security from unexpected issues.
\nDevelopers and QA engineers should work closely. Testing should be done once part of the development process is done, and after that, bug fixing activity should start. QA submit a test report and only after that debugging begins.
\nIt is slightly common to change project requirements mid-sprint in agile development projects. While this can be frustrating for the team and due to that testers can be affected. They may need to re-try the whole extent of testing since even the littlest changes to a codebase should be gone through various tests to guarantee its steadiness and similarity with existing code.
\nNaturally, last-minute changes in the requirement can be difficult for testers to deal with, especially if there are tight deadlines to deliver results.
\nProfessional differences between development and testing teams are still common. Developers think that testing is a final process of the software development life cycle, and testers do not require anything apart from a list of user journeys and technical requirements.
\nHowever, testers may have difficulty identifying flaws in the code if they are not acquainted with the development process. If they do not understand how the software works, they will have trouble creating test cases to find all possible bugs.
\nResolving the challenges mentioned above will not only make the lives of QA testers much easier. Still, it will also streamline the software development process to make it more useful and time-efficient. By making it easy for QAs to do their job well, organizations can ensure that their products meet all business requirements and function in the best possible way.
\n","frontmatter":{"date":"March 05, 2021","updated_date":null,"description":"Software testing is a difficult task in and of itself. Top 9 QA challenges that any tester in the software testing industry would face are discussed in clear terms here.","title":"Top 9 Challenges Faced by Every QA","tags":["QA","Processes","Testing"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.9047619047619047,"src":"/static/db8a52fc54f8db8b8c3c7c58719160a3/ee604/testing-challenges.png","srcSet":"/static/db8a52fc54f8db8b8c3c7c58719160a3/69585/testing-challenges.png 200w,\n/static/db8a52fc54f8db8b8c3c7c58719160a3/497c6/testing-challenges.png 400w,\n/static/db8a52fc54f8db8b8c3c7c58719160a3/ee604/testing-challenges.png 800w,\n/static/db8a52fc54f8db8b8c3c7c58719160a3/f3583/testing-challenges.png 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Neha Vyas","github":"nehavyasqa","avatar":null}}}},{"node":{"excerpt":"Serverless computing has been gaining a lot of popularity in the last couple of years, and for a good reason. It saves developer's time…","fields":{"slug":"/engineering/serverless-overview/"},"html":"Serverless computing has been gaining a lot of popularity in the last couple of years, and for a good reason. It saves developer's time, allowing them to focus on writing code rather than dealing with infrastructure. Deploying powerful and scalable applications has generally become much quicker and easier with serverless. However, there can be drawbacks as well, such as vendor lock-in and lack of control.
\nThis blog will briefly go over some of the most popular serverless computing options from major cloud providers. There are also plenty of great resources online explaining serverless architecture in detail, so definitely go check those out if you haven't already. Now, let's go over some of the popular choices for serverless computing.
\nAlmost all major cloud providers offer serverless computing such as AWS, Azure, Google Cloud, IBM Cloud, Alibaba Cloud, etc. In this blog, we'll only be going over a few.
\nAWS Lambda was released in 2014 and has played a significant role in the rise of serverless computing.
\nRecent notable updates include:
\nLaunched in 2016:
\nRecent notable updates include:
\nLaunched in 2017:
\nRecent notable updates include:
\n\nLaunched in 2017:
\nRecent notable updates include:
\nThere are a lot of great options worth considering when looking for serverless computing from a cloud provider. This was a very brief introduction to some of the most popular choices, so definitely check out each provider's official documentation for more detail!
\n","frontmatter":{"date":"March 04, 2021","updated_date":null,"description":"Traditional software development is being transformed by serverless computing. Check out the best serveless computing platforms that will assist you in getting started.","title":"Top 4 Serverless Computing Platforms in 2021","tags":["Serverless"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/5c35cac6bac6aa7487ccce9ebb7d8d94/ee604/cover.png","srcSet":"/static/5c35cac6bac6aa7487ccce9ebb7d8d94/69585/cover.png 200w,\n/static/5c35cac6bac6aa7487ccce9ebb7d8d94/497c6/cover.png 400w,\n/static/5c35cac6bac6aa7487ccce9ebb7d8d94/ee604/cover.png 800w,\n/static/5c35cac6bac6aa7487ccce9ebb7d8d94/f3583/cover.png 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Andy Yeung","github":null,"avatar":null}}}},{"node":{"excerpt":"Being a Quality Analyst, it's our responsibility to run test cycles on the system and push releases every two weeks to ensure the system is…","fields":{"slug":"/engineering/qa-teams-deliver-quality-software/"},"html":"Being a Quality Analyst, it's our responsibility to run test cycles on the system and push releases every two weeks to ensure the system is updated with the latest fixes and everything is bug free on the live platform. Usually, every release includes amendments as well as fixes done. If we talk about the resources, the team typically has 8-10 resources, including developers and the QA team.
\nTherefore, we should always be proactive about every release and avoid any stress during the release. Everything has to be managed properly when it comes to execution from the development end or testing from the QA end. For that purpose, we have to follow proper strategies to ensure that everything is getting tested and the release we approve met the expected quality standards.
\nWe have penetrated limits in two ways. In this day and age, we are a client confronting unit, as we get with our clients straightforwardly about their issues which they experience over the software or what are the highlights which they need to join on the stage. Also, we are actively participating in the design discussions or any inputs required from our end, which we receive from the client's end, to make sure we are going in the right direction as per the client's vision. Our testing experience always helps detect any flaw or defects before doing any coding work, which reduces additional efforts and minimizes the work. This way, we can ensure everything is done based on the client's given timeline and a quality outcome.
\nAs it's impractical to test everything each time at whatever point you push any delivery. For that reason, you need to focus on the piece of code that has been chipped away. This way, you can test the primary work component without postponing things and afterward run a total test cycle to ensure no other part has been clashed by the changes. For this reason, there is a new delivery check with the group of what piece of code has been refreshed and what are the results, and generally center around that part to run tests. This way, you can focus on the work and endeavors which should be put.
\nWe center around those pieces of the code and utilize existing computerization tests to deal with different parts. If you realize something worked in the final delivery and you're not contacting it in this delivery, at that point, you don't have to invest an excessive amount of time in testing. So base your delivery standards on the new code that is being added.
\nQA has to make sure that whatever work needs to be done is appropriately prioritized. For example, if particular area of a platform is not affecting things much and can be taken care at later stage then it should be on the lowest priority; If less than one percent of our users are on a particular browser, issues specific to that browser stand out enough to be noticed. And the area which is affecting the whole system should be done on the very first priority. There should be priorities defined like – Blocker, Emergency, Highest, High, Normal, and Low! So always work as per the critical attention on a specific feature and consider the target user demands. What is their feedback or issues to which they want to have access? If something moved beyond clients and we find bugs, we need to fix them in the following release.
\nYou will often hear from the development team that, \"…. It works fine with me; there must be some network issue or system issue on your end\". We have to make sure not to have such conflicts in between because, in the end, our goal has to be – Delivering bug free solution!
\nFor that purpose, Our QA and development teams run their tests in the same environment. As our builds move through the development pipeline, we should test the code under the production environment to build our staging environment to simulate our customer's production environments.
\nAlways plan to arrange a dedicated performance team who can run tests as soon as a product is steady and tell the team about new versions and requirements to evaluate the performance risks.
\nTo update performance teams with all the latest information and provide them with an environment close to production as you can. To make sure that there shouldn't be any gaps between and can appropriately test the product.
\nQA team runs regression tests in the last phase of the product cycle, and it is that process that confirms the product delivery. If any of the regression tests fail, QA informs the managers/stakeholders so that appropriate actions can be taken for further release as it's never acceptable to deliver the product if any of the tests fail, which might end up in more significant problems for the team as well as the client. So the QA team always makes sure to run regression tests to verify everything properly.\nWe additionally automate our regression cycle, so it just requires a couple of days to run.
\nAs we maintain customer data in our database collections, we need to guarantee that it should remain attuned with any new versions that have been released or about to release. Whenever we release a new version, we run several updates to check that no data was harmed, and in case we find any data-corrupting bugs, those become our highest priority. We also perform manual backward compatibility testing while taking steps towards finding an automated and more efficient approach. Nonetheless, it would be best to do some manual testing, as this is one of the last stages before production.
\nWe perform post-release sanity tests on our production account to authorize that everything works as projected, including all third-party systems. We initially perform tests utilizing our existing production account but then create a new account to check that the process will continue to work correctly as new customers register.
\nThe best testing practices should inculcate all other processes in general and risk management processes in particular in them. The focus should be to improve the software's overall quality while aiming to reduce the cost with continuous monitoring during and after the software release. While doing quality assurance testing, the tester should comply with all the fundamental principles and industry practices and look at the product from the end user's perspective.
\n","frontmatter":{"date":"March 01, 2021","updated_date":null,"description":"A comprehensive overview of the QA testing process is given. Learn what it takes to get top-notch testing facilities.","title":"QA Testing Process: How to Deliver Quality Software","tags":["QA","Processes","Testing"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/5fe40fa61d401b955af6527da8353680/2a4de/software-testing.png","srcSet":"/static/5fe40fa61d401b955af6527da8353680/69585/software-testing.png 200w,\n/static/5fe40fa61d401b955af6527da8353680/497c6/software-testing.png 400w,\n/static/5fe40fa61d401b955af6527da8353680/2a4de/software-testing.png 600w","sizes":"(max-width: 600px) 100vw, 600px"}}},"author":{"id":"Neha Vyas","github":"nehavyasqa","avatar":null}}}}]},"markdownRemark":{"excerpt":"Google has prepared a roadmap to restrict third-party cookies in Chrome. Since 04 January 2024, Chrome has rolled out third-party cookie…","fields":{"slug":"/engineering/identity-impact-of-google-chrome-thirdparty-cookie-restrictions/"},"html":"Google has prepared a roadmap to restrict third-party cookies in Chrome. Since 04 January 2024, Chrome has rolled out third-party cookie restrictions for 1% of stable clients and 20% of Canary, Dev, and Beta clients.
\nWhat does it mean for user authentication?
\nOn one hand, Google believes third-party cookies are widely used for cross-site tracking, greatly affecting user privacy. Hence, Google wants to phase out (or restrict) supporting third-party cookies in Chrome by early Q2 2025 (subject to regulatory processes).
\nOn the other hand, Google introduced Privacy Sandbox to support the use cases (other than cross-site tracking and advertising) previously implemented using third-party cookies.
\nIn this article, we’ll discuss:
\nThird-party cookie restrictions affect user authentication in three ways, as follows.
\nIf your website or app uses an external Identity Provider (IdP) — like LoginRadius, the IdP sets a third-party cookie when the user authenticates on your app.
\nIf you have multiple apps across domains within your organization and authentication is handled using an IdP (internal or external) with web SSO, you already use third-party cookies to facilitate seamless access for each user using a single set of credentials.
\nIf you have implemented web SSO with one primary domain and multiple sub-domains of the primary domain, third-party cookie restrictions may not apply. For now, Google doesn’t consider the cookies set by sub-domains as third-party cookies, although this stance may change in the future.
\nFor example, you have apps at example.com, travel.example.com, stay.example.com, and web SSO is handled by auth.example.com. In this case, third-party cookie restrictions don’t apply.
Federated SSO is similar to, albeit different from, web SSO. It can handle multiple IdPs and applications—aka., Service Providers (SPs)—spanning multiple organizations. It can also implement authentication scenarios that are usually implemented through web SSO.
\nUsually, authentication is handled on a separate pop-up or page when the user wants to authenticate rather than on the application or website a user visits.
\nFor example, you already use federated SSO if you facilitate authentication for a set of apps through multiple social identity providers as well as traditional usernames and passwords.
\n\n\nNote: It is also possible to store tokens locally, not within cookies. In this case, third-party cookie restrictions won’t affect token-based authentication. However, the restrictions still affect authentication where tokens are stored within third-party cookies (a common and secure method).
\n
Google has been developing alternative features and capabilities for Chrome to replace third-party cookies as part of its Privacy Sandbox for Web initiative.
\nSpecific to authentication, Google recommends the following:
\nCHIPS are a restricted way of setting third-party cookies on a top-level site without making them accessible on other top-level sites. Thus, they limit cross-site tracking and enable specific cross-site functionalities, such as maps, chat, and payment embeds.
\nFor example, a user visits a.com with a map embed from map-example.com, which can set a partitioned cookie that is only accessible on a.com.
If the user visits b.com with a map embed from map-example.com, it cannot access the partitioned cookie set on a.com. It has to create a separate partitioned cookie specific to b.com, thus blocking cross-site tracking yet allowing limited cross-site functionality.
You should specifically opt for partitioned cookies (CHIPS), which are set with partitioned and secure cookie attributes.
\nIf you’re using an external identity provider for your application, CHIPS is a good option to supplant third-party cookie restrictions.
\nHowever, CHIPS may not be ideal if you have a web SSO or federated SSO implementation. It creates separate partitioned cookies for each application with a separate domain, which can increase complexity and create compatibility issues.
\nWith Storage Access API, you can access the local storage in a third-party context through iframes, similar to when users visit it as a top-level site in a first-party context. That is, it gives access to unpartitioned cookies and storage.
\nStorage Access API requires explicit user approval to grant access, similar to locations, camera, and microphone permissions. If the user denies access, unpartitioned cookies and storage won’t be accessible in a third-party context.
\nIt is most suitable when loading cross-site resources and interactions, such as:
\nVerifying user sessions when allowing interactions on an embedded social post or providing personalization for an embedded video.\nEmbedded documents requiring user verification status to be accessible.
\nAs it requires explicit user approval, it is advisable to use Storage Access API when you can’t implement an identity use case with the other options.
\nWith Related Website Sets, you can declare a primary website and associatedSites for limited purposes to grant third-party cookie access and local storage for a limited number of sites.
Chrome automatically recognizes related website sets declared, accepted, and maintained in this open-source GitHub repository: Related Website Sets
\nIt provides access through Storage Access API directly without prompting for user approval, but only after the user interacts with the relevant iframe.
\nIt is important to declare a limited number of domains in related website sets that are meaningful and used for specific purposes. Google may block or suspend any exploitative use of this feature.
\nThe top-level site can also request approval for specific cross-site resources and scripts to Storage Access API using resuestStorageAccessFor() API.
If you’re using an external identity provider for your web application, you can declare the domain of the identity provider in the related set to ensure limited third-party cookies and storage access to the identity provider, thus ensuring seamless user authentication.
\nRelated Website Sets can also work to supplement third-party cookie restrictions in web SSO and federated SSO if the number of web applications (or domains) is limited.
\nFedCM API enables federated SSO without third-party cookies.
\nWith FedCM API, a user follows these steps for authentication:
\nYou can access a user demo of FedCM here: FedCM.
\nFor more information about implementing federated SSO with FedCM API, go through the FedCM developer guide.
\nFirstly, we’re committed to solving our customers' user identity pain points — and preparing for the third-party cookies phase-out is no different.
\nWe’ll implement the most relevant and widely useful solutions to facilitate a smooth transition for our customers.
\nPlease subscribe to our blog for more information. We’ll update you on how we help with the third-party cookie phase-out.
\nThe proposed changes to phase out third-party cookies and suggested alternatives are evolving as Google has been actively collaborating and discussing changes with the border community.
\nMoreover, browsers like Firefox, Safari, and Edge may approach restricting third-party cookies differently than Google does.
\nFrom LoginRadius, we’ll keep you updated on what we’re doing as a leading Customer Identity and Access Management (CIAM) vendor to prepare for the third-party cookie phase-out.
\nTop-level site: It is the primary site a user has visited.
\nFirst-party cookie: A cookie set by the top-level site.
\nThird-party cookie: A cookie set by a domain other than the top-level site. For example, let’s assume that a user has visited a.com, which might use an embed from loginradius.com to facilitate authentication. If loginradius.com sets a cookie when the user visits a.com, it is called a third-party cookie as the user hasn’t directly visited loginradius.com.