If Google decides to lock your account for any reason, all your third party accounts using Google's SSO are mostly fubar, as it's currently almost impossible to get your Google account back.
If you use SSO with the account you were going to use your e-mail address with, it makes little difference whether you used OAuth2 vs traditional e-mail based authentication. You're locked out.
If something happens, like OAuth2 stops working, most websites allow password reset to the e-mail address connected to the account, and then can log-in without OAuth2.
The concern here is probably related to some Log-in with Google scripts that run on the frontend, although if they were just using normal OAuth2, then I think they are wasting their time: whatever sensitive information Google gets via OAuth2 they also get via the unencrypted e-mails you're sending to them anyways...
No. It makes a massive difference. Even if you're locked out from your email account, you can still login no problem to any website using your username/email and password.
Yes, to be fair, that's still a marginal improvement, assuming you aren't forced to validate your email address at any point, which might be the case for lower security stuff. On the other hand, either way, you can often use an existing session to do the same thing without needing to reauthenticate.
I use a custom domain and forward all mail to a web based email provider for this reason. If my provider drops me, I can move to another and update my forwarding. There’s still a risk I could lose the domain somehow, but I don’t hear about that happening nearly as often.
I do this as well. I encourage people to own their own domain and use that for email; it is more complex to set up, but you have far more control long term.
I do this as well but with anonaddy.com which acts more like a proxy than forwarding. The yearly price is low (something like $12) to use your own domain and much lower than paid email plans.
If you wanna gamble on this solution, that's definitely your prerogative. I think it's unreasonable to assume that any function of your account will continue to work if it becomes locked, inaccessible, or possibly compromised. A better backup is a custom domain. Which, of course, is not really great with Gmail.
Arguably if you can prove to the provider that the email is FUBAR and you own the account, it might be easier for them to change out the email on you. Maybe a good reason to support login via email and / or phone number. If you lose both, you're screwed.
F-ing Google locked me out of my account and my email because I broke my cell, and then traded it in for a new one but Google kept sending the verification to my broken cell. There's no one to call for assistance!
That sucks and this is something Google needs to fix, but for everyone else: make sure to get backup codes for your Google Account and place them in a password manager.
Make sure to get backup codes for your MFA-protected accounts, and then keep them out of your password manager at all costs. Print them out on paper and store them in a fire-safe location, preferably one copy off-site.
Email accounts from big providers need some safe-guard legislation (a bit like FDIC for banks), given how much every other service wants your email address. Even my power utility wants my email address.
It is made abundantly clear when you set up 2FA that you need to backup your 2FA or it may not be possible to recover. What did you expect? Personal responsibility is important.
Yes and what I’m saying is that is not an okay solution. If you lost absolutely all your proof of ID and bank cards, there is still ways to sufficiently prove your identity and recover access to your assets and bank accounts. An email address is an asset.
That is just your opinion. Those "ways to sufficiently prove your identity" are also ways that identity theft happen every single day. Some people prefer to take personal responsibility over opening themselves up to compromise.
In any case, if you thought that is not acceptable to you, you should not have set up 2FA because the conditions were clearly communicated.
It’s not possible to completely disable 2FA with paid Google domain accounts either. I’ve explicitly turned off 2FA for my paid Google account and it continues to ask me to type a text code or YouTube code.
Crazy how you can’t even pay to get rid of these “lose your phone lose account forever” features.
My mother had an account inaccessible as the mfa backup workflow did not work, my email was the second factor but it refused any codes I provided. I assume this is a functional bug but google has no inbound communications so I could never resolve it. My mum ended up requesting her old number from a phone provider who obliged.
The world will be a better place when legislation requires these evilcorps to at least have some baseline responsibilities to the people who they are supposedly helping while making trillions in revenue.
This website does not have any information about owners or legal entity behind it. Who is running this? What is their physical address? Where are they registered?
Honest question: how do I know and verify they really care about privacy and they are not one doing shady things?
This is really honest question.
How can anybody trust that company x care about privacy without even know anything about company x?
When it comes to SaaSes, absolutely nothing. It's all social. Even knowing the owners doesn't give you much more assurance that it's legit, unless they're very well known.
That said, most liars are really really bad at lying. "We care about your privacy! Now let us load 1000 tracking libraries, kthxbai" is pretty easy to spot.
I think the scarier case is when dealing with a government adversary. They're simply not as stupid, and you never know when it could happen: https://archive.ph/rI8mE
For those cases, I get unnerved when things seem too good to be true. If I didn't know former Mullvad employee(s), I'd be deeply concerned about them, too.
It is not about liar. The owner of the web site is probably nice and all these things. Some social proof (LinkedIn, address etc) is really needed. I always check LinkedIn’s to see where that person worked, what does it do, etc. Not a good test but it is better than nothing.
But on the other hand, the owner can be NK. Or what if it gets taken over by NK? Or what if somebody starts claiming that they were running this business and it was hijacked?
I mean, "government in general" is kind of meaningless, some governments are much more of a threat to some people than others.
Also, while your example is great (and I think I have seen it predicted !), criminal organizations aren't "most" nor "people" (more like businesses ?).
> We specialize in custom software projects above and beyond the typical web agency: realtime interactive experiences, high-concurrency backends, and everything in between.
Appears to be a husband-and-wife team whose personal projects include tech to support their permaculture lifestyle, but whose portfolio appears to be mostly brand related.
Took about five minutes of reading, but I know that's not the point you're trying to make, you just don't want to say Slimvoice is an unprofessionally run service.
But what about the privacy of the people not using google at all. All other trackers are (or should) be blocked by my adblocker, but my adblocker can't block the google sign-in button because some people use that. So another way to defeat anti-tracking software.
Plus those google sign-in buttons have recently become extra-obnoxious, opening a modal window over every page I visit to invite me to sign-in with google. This is really back to the 90s!
Not just Google themselves, I still use my old university email and they decided recently ("for security") to block using it to log in to other sites, along with a million other things, so their own staff can't even open Search Console. Fortunately, a lot of them allow "forgot my password" to go to email if you can't login through Google, but a few required new accounts.
This is true for most email addresses as well. If you use a domain name for your email that is owned by another company, then you you can be locked out of your email (and any downstream accounts).
I work in tech and 99% of my contacts are with @gmail (or some other free email host).
Most sites that require an email for sign-up only verify the email address once right after sign-up.
So if Google ever locks my account, my other website passwords continue to work, while SSO using Google is instantly broken.
Of course I won't be able anymore to reset my third party passwords through my Gmail mailbox, but many sites allow to change the email address if you know the password...
I judge the likelihood of this happening rather low and, anyway, considering how many services don't let you change your e-mail address, what's the difference?
Well, only if the person has 2FA set up in their Google account, which most people don't in my experience.
That aside, do you have a recommendation for auth that provides good privacy while also having wide adoption and ease of integration similar to Google or Facebook auth? And also 2FA of course.
If there are no options then I think our problem is bigger than this particular dev's ideology.
It's not that difficult to roll your own secure auth, this website is halfway there. Add TOTP and Webauthn and they're basically done (there's plenty of good libraries out there for both).
They also really should switch from bcrypt to something more modern like argon2, but bcrypt is a lot better than the unsalted MD5 I've seen in a lot of places.
Factor #1 - Thing you have: encrypted password vault.
Factor #2 - Thing you know: password to said vault.
Of course, this is only 2FA from the user's perspective. Meddling websites cannot ensure that you didn't memorize their password, or write it down unencrypted.
I think the GP was implying that the vault would store a random string, which would be unreasonable for anyone to possibly guess. This isn't either of the factors - just a proof you had both of them.
The 2 factors are then the vault itself and the vaults password.
It should be noted, though, this is significantly weaker than "real" 2FA, as normally that would involve some sort of challenge, rather than just storing a hard secret.
That's exactly my impression too. Authentication is hard. And this isn't some random site wanting to store user data, they're doing invoice management! (So... not quite handling money on behalf of users, but pretty darn close in terms of liability.)
Regardless of your feelings on Big Tech and Privacy and whatnot, this absolutely looks like a security downgrade to me. If I were someone looking for para-financial services like this to phish with fake users for fraud purposes, I'd probably start with a site like Slimvoice.
Personally I think there's a good argument to be made about the benefits and tradeoffs to allowing giant cloud companies to control the idea of "identity" on the internet. But if there's any market segment where big companies with deep pockets and extensive technical resources bring value, it's this one.
The part where you guarantee to your users that the person you authenticated is who they seem to be. In this particular example: "Is this invoice I'm about to pay for the service I purchased, or is it fraud?"
Farming that responsibility off to Google or Facebook and letting them handle the edge cases (for free, I might add) has genuine security value.
It takes all of 30 seconds to sign up an account and check. I was not offered 2FA during sign up, and cannot find anywhere on the site to enable it after logging in. If you don't believe me or think that I somehow missed it, feel free to create your own account and test.
And your can clearly see from the "Code" section in the same page as the privacy policy that this is only ideological and that this guy just likes to push his bad practices on others.
That’s hardly the only information Google gets from managing logins. Trivially they can get time stamps for actual logins, that could be very valuable information for stock brokers for example.
Thanks for the link. I read it and I too desire for minimal/javascript-less world. However,
> The Checkbox/Label Trick
I'm hesitant to use this. It just doesn't feel right to use this hack.
Also somewhat related to the <details>/<summary>, I try using native html elements as much as possible. One time I used the <meter> element for a meter bar, but it was called out immediately by QA because the design doesn't match the one created by the UI/UX team. I really wish html elements were more customizable.
Never use Google anything for --including login-- for anything important. The company continues to cause damage to people and businesses through their customer-no-service stance regarding accounts, their suspension or cancellation. I know people who's small businesses suffered a great deal of damage because of this. Talk about a need for a congressional hearing!
Besides, single sign-on is a security disaster. In an ideal world every single login you have should have a different user ID and password. I do my best to approach this. Of course, you have to rely on password management software to be able to do this.
There is no such thing as absolute security. However, making every login ID and pwd different goes a long way towards ensuring you don't experience a chain reaction of breaches because someone hacked into one account.
Yes, the password manager could be considered to be the weak point then. Encryption and a long and secure password are the keys there. And, if you can, one that is accessible online.
Couldn't disagree more. Password managers have the same single point of failure that an SSO would. The only difference is that you can't automate onboarding/offboarding of an employee's SaAS applications.
If the goal is protecting users from themselves, the owner should go the extra mile and reject signups with @gmail/@outlook emails, to gently encourage them not use services that don't value their privacy.
I left google. After half a year I have received dmarc reports from a site other than google just once. So did it matter if 99% of people I email are still using google? They have every email I have sent anyway.
You might want to check out https://solokeys.com/ then. They're pretty new (shipping for about a year) but they do full FOSS firmware & software as well as most hardware being FOSS as well.
I have a couple of these and they work well. Unfortunately it seems like most sites that I use (with a few notable exceptions) don't bother to support hardware tokens for 2FA, I suspect because of the ubiquity of phone-based methods.
If you want something now and don't mind a virtual FIDO device, you could try out my solution Bulwark Passkey (https://bulwark.id). It's open source and allows you to export your credentials, so it's pretty user-freedom friendly.
"When you open Gmail, you'll see ads that were selected to show you the most useful and relevant ads. The process of selecting and showing personalized ads in Gmail is fully automated. These ads are shown to you based on your online activity while you're signed into Google. We will not scan or read your Gmail messages to show you ads."
Also assuming it was true, if you deny people the Google Sign-in they will simply use their Gmail address next, so you'd have actually increased usage of the service. Brilliantly thought out strategy.
This website does not have any information about owners or legal entity behind it. Who is running this? What is their physical address? Where are they registered?
Meaning they are managing invoices: the above informantion is very important.
This seems more like Google ban them than they did something about “privacy”.
This should be listed in about page and privacy page. Note that GDPR requires physical address also to be listed on privacy page: but I guess they do not care about that stupid GDPR privacy thing.
That is not my point. My point is that you can not (and you must not) just blindly trust random entities claiming “I’m about privacy” without being transparent who they are, where they are from and all these company informations required by GDPR or California privacy protection laws.
This post gives me an opportunity to ask a question. What if I am locked out of my gmail id? Would I be able to use services, such as Github or Pocket, which I log in through gmail id?
Passkeys becoming prevalent makes dropping BigTech SSO for personal use more palatable.
Google will still store and sync the keys for users of Android and Chrome, but their code won’t run on sites who opt out of Login with Google. It’s an evolution of the security model. This is arguably superior considering the ability to migrate passkeys elsewhere. You have improved sovereignty over your auth story (versus “haha google locked you out of everything and you have no recourse”).
I use a hardware security token to log into my Google account and then use that to log in to several other services. If I were to lose my token, I would still have my backup tokens, and could update this account to use a new token and unenroll the old token.
If instead, every site I had ever logged into kept track of my tokens I would need to visit each of them and do the same thing.
(It's already messier than that because some accounts I have--GitHub and Facebook--don't accept SSO but are important enough to be worth protecting with hardware tokens. But I don't want to go farther in this direction!)
We’re not talking a loss of a hardware authenticator, we’re talking the loss of access to your Google account. Worst case with passkeys is you lose access to the cloud corpus of your keys due to loss of account access while still having them on your device (and/or a passkey manager).
* Securing hardware authenticators is much more within our control than the whims of Google are.
* Most of us aren't ex-Googlers with contacts and reach (which are the only way to get reliable support when one's account does get borked), so that side of the risk is also much higher for normal people than for you.
I read through the links, and there were about 15 posts where people got locked out of their Google account over a 12-year period. Many of these are links to articles on other sites not written by the submitter, but we'll count them anyway. So that's ~1 per year.
According to dang, there are ~100k monthly active logged-in HN users [1]. In a population that size of 25-54 year-old Americans, you'd expect around 290 to die each year [2].
Getting locked out of my Google account is pretty low on my list of things to worry about.
On the other hand, if the yearly amount is so small, a service (a single dedicated human) to fix/reset/correct those issues should be affordable by Google.
This is not specific about Google, a lot of services/apps/whatever like (and it is probably true) to state how they are in practice error-free, at least with account management, yet when this extremely rare event happens there are no (or extremely complex) ways to fix the problem, short of posting to HN or to a social and hope that some good soul working at that company notices the issue and decides to solve it.
If you look through those they are almost all about people forgetting their password or losing whatever they are using for 2FA: that is exactly what I'm worried about!
In my particular case, I am happy with my 2FA setup for Google (three security keys, across multiple locations) so I think that category of lockout is pretty unlikely.
And I've already lost my keys once in my life, about 20 years ago.
What I'm advocating for above is that people get multiple hardware tokens, and keep them in separate safe places. What Doreen is running into is that if you use your phone as your only second factor you have a problem if your phone stops working. I don't see how these are in tension?
I think our expectations are simply out of alignment. What you're advocating for is unreasonable if a loss of hardware tokens means a permanent loss of account access with no recourse, and I don't think that's a hard case to make to legislators and regulators.
What resource can Doreen go to at Google to get access to their accounts if Google’s security algorithm is requiring access to devices or authenticators they no longer have? I’m trying to be reasonable, but all I see is a tech company who enforces strong security practices with no exception handling. Great for Google and keeping costs down from an infosec and customer service perspective, but highly detrimental to those who lose what is very valuable to them (their emails and digital identity), and humans will lose valuable items (including devices, authenticators, and recovery codes) all the time.
I don’t expect for us to solve this here, and I’m sure my perspective will differ substantially from those affiliated with Google or tech professionals in general (who don’t fully internalize the layman’s experience). I do believe I’ve provided sufficient evidence this is a real problem, and it’s likely going to require federal statute or FTC guidance to require tech companies to recalibrate their customer service and infosec ops around access and identity.
Regardless, I appreciate the discourse on this topic.
For passkeys, I think allowing users to migrate their credentials wherever they want is key. I know Google/Apple/etc are working on a potential solution for that, but I think third-party solutions would be best from an "incentive alignment" perspective (Google and Apple don't want you moving away from their ecosystem).
As an aside, I would like to plug my own passkey solution, Bulwark Passkey (https://bulwark.id) which is open source and allows credential exports. Whatever passkey solutions people end up using, managing credentials is going to be the key challenge (pun intended).
> Encouraging worse security practices (dumping SSO for password logins) for an ideological goal that helps no one's privacy.
It hardly seems reasonable or rational to attack the mere thought of handing out all auth responsibilities to a shady monopoly with a track record of dubious practices and government tie-ins for being "an ideological goal that helps no one's privacy".
The pervasiveness of any Google code running on webpages across the net has been a danger to everyone's privacy. I think this is a worthwhile tradeoff though I'm sure many like you will disagree.
I don't see why the page would be the one deciding that tradeoff for user. As long as you can pick plain old user/password there is no ham offering other options
* There is nothing wrong with password logins if they are used properly.
* Google does not have a good track record of customer service, not putting all your eggs in their unreliable basket seems like a good idea from a security point of view.
* The privacy argument is a bit of a hot take in this case, and is probably not as valid as a reason to dump Google SSO as eggs-in-unreliable-basket argument.
Password logins are 1-factor, while password logins that use phone verification are 2-factor. In what cases does the security from 1-factor exceed the security from 2-factors?
Phone verification is 1-factor in most implementations on every popular website. It's just that the factor is now your phone, and your password can be changed with your phone number. Your password might as well not exist. The problem with phone verification is that phones are less secure than passwords. This isn't even a 1 factor vs 2 factor discussion. Again, Phone verification is 1 factor.
To be more specific, if the implementation of 2 factors requires both factors, then it is indeed more secure. If it's a form of 2 factor that requires only one factor, it's less secure, because now you have more attack surface.
> In what cases does the security from 1-factor exceed the security from 2-factors?
1. If you consider the loss of a phone number to be a more likely event than a forgotten password (non-obvious example - if you have no extra money to keep the phone number working).
2. If some powerful contractors can capture the data coming to your phone.
3. Also, if there is some kind of banhammer (Google is famous for banning for no reason) in the "2-factor" and no banhammer in the 1-factor (Bitcoin has no third-parties who might steal or freeze your funds), then your chance of encountering a banhammer in your face is infinitely greater in the first case.
More than 1 factor creates more problems than usefullness tbh if you are enough responsible for never lose your credentials.
> 1. If you consider the loss of a phone number to be a more likely event than a forgotten password (non-obvious example - if you have no extra money to keep the phone number working).
That's silly. If you lost your phone number, why would you attempt to log into a service and have it text or call your lost phone number? The provider in question here (along with many others), Google, provides backup codes for this situation. Besides, if you are more likely to constantly lose phone numbers, it's best not to use those for authentication/authorization.
> 2. If some powerful contractors can capture the data coming to your phone.
That doesn't matter to 2-factor. That "powerful contractor" would be in possession of a time-bound pin that can only be used by the device and account that had just had the credentials entered. It is useless to anyone else.
> 3. Also, if there is some kind of banhammer (Google is famous for banning for no reason) in the "2-factor" and no banhammer in the 1-factor (Bitcoin has no third-parties who might steal or freeze your funds), then your chance of encountering a banhammer in your face is infinitely greater in the first case.
This also doesn't apply. Google provides backup codes that can be used in such a case. As do digital ocean and others...
> More than 1 factor creates more problems than usefullness tbh if you are enough responsible for never lose your credentials.
Except that isn't true. I noticed that you placed 2-factor in quotes, showing that you likely do not understand 2-factor is formed from any two out of the three possible security factors. There is also 1.5 factor authentication, which is acceptable to put in quotes, since it is pseudo-2factor.
What you know. What you have. What you are.
> (Bitcoin has no third-parties who might steal or freeze your funds)
I'm not sure your comment was serious... Bitcoin and the entire crypto ecosystem are full of third-parties who steal or freeze funds.
That's not how OAuth works, which is what "Sign In with Google" utilizes. In order to Sign In with Google through a third-party software, Google and the third-party software must both agree to the arrangement.
In the event they do, the third-party software adds a Google Sign In flow to their software, whereas their users can press a call-to-action for signing in with Google, which would trigger an opening of a separate Google-owned domain in a new min-browser window that the third-party software cannot access (and therefore not harvest information from). This min-window then sends the user back to the third-party software domain upon completion with an authentication token - which could be in the form of a URL query string, an HTTP method, a cookie, or even collection of arbitrary browser information for fingerprinting. The third-party site then sends that authentication token back to Google via their API, and Google sends back ONLY what that authentication token is permitted to grant access to - which would not be Google credentials.
You seem like you might know why the option to pick the authentication company (like Google, but also choose your own that follows the protocol) seems to have disappeared from these boxes, and instead boxes ties to a specific company have multiplied ?
Because those companies incentivize it. For one, you can't use an Oauth integration on your app if you deploy in on the Apple App Store unless you offer Apple as an option, so there's a vector for Apple Oauth hegemony right there. And for Google, it really just makes sense for most users - it's an ethic-neutral option that you know everyone already has and uses daily. Facebook is still a popular Oauth option as well, but has lost a lot of collective conscious trust, so a lot of services don't play ball with supporting them.
It's really as easy as these companies that support Oauth incentivizing third-party devs to use them.
Yes, that's the way it works. But what's stopping a bad actor from putting up a bogus "Sign in with Google" form on their website solely to harvest credentials?
true, but that's only the case if you're currently authenticated with Google. Not true after deleting cookies and/or local storage. But more importantly, less savy tech folks might not be aware that they should not have to re-enter credentials if they have recently logged into gmail or other google owned services.
If Google decides to lock your account for any reason, all your third party accounts using Google's SSO are mostly fubar, as it's currently almost impossible to get your Google account back.