I find it to be intrusive and disturbing. Medium.com does this and I've always hated it.
Medium's usage of it actually caused me to switch, on my work computer, from always being logged into Google, to never being logged into my Google account. Now if I have to use one of my company's apps that requires a Google login, I do it incognito.
At home, I never browse while logged in, so I didn't ever notice it that much. Using my Google account for logging into a third party web application is never my first choice. I'll take separate email / passwords for everybody please and thank you.
God, Medium has the worst login experience of any site I use. What makes them think they are too clever to be usable with a password manager like the rest of the damn internet? I usually just reopen the article in an incognito tab instead of going through their stupid “send me an email!” bullshit login.
Notion.so does the same thing. You can log in with Google or get a magic link.
User/password is an inconvenient method of logging in. True. But it's so common that we have password managers making it convenient again. And supposedly better solutions don't have the benefit of that tooling.
I feel the same way you do. Although I'm just a sample size of one, but I've had zero success in convincing any friends or relatives to use a password manager.
They either don't trust password managers, or don't want to change their current workflow.
They don't seem to care that using a password manager is probably a better solution than using the same password everywhere or writing all their passwords in a little black book.
I suspect that you and I aren't representative of typical users, and that Medium and Notion might actually be acting rationally, trying to act in accordance with the ways the majority of their users want the login experience to be.
> Although I'm just a sample size of one, but I've had zero success in convincing any friends or relatives to use a password manager.
> They either don't trust password managers, or don't want to change their current workflow.
I used to memorize all my passwords but now I just use my browser's 'remember password' feature. In both Firefox & Chrome it syncs between devices, and is usable on both the desktop and mobile applications. There's no extra setup required, which was the big selling point (or I would still be memorizing them) - one day I reset the browser. FF e2e encrypts it too.
The only drawback is if you need to login on a foreign device - but that's a pretty rare circumstance, and if I can't remember the password I just reset it. I generate passwords with a pattern but I am saved the hassle of typing them in, and having to remember the exceptions that differ from the usual pattern.
Firefox even offers to generate a random secure password when you are creating a new account! It's a built-in solution which provides most of the benefits of a full password manager with 0 setup or switching cost.
For every user like you who is using unique, securely generated passwords in a manager, there’s 10,000 people who are using the same, easily compromised password on every website they’re registered on.
You’re not the target audience for these features - not only are you the tiny minority, but no matter what system they give you, you’ll find a way to interact with it safely, so for that interaction you simply don’t matter.
And choosing to do this kind of login pushes blame for authentication issues away from that company, and onto the federated provider, who presumably has legions of security researchers to make sure they’re doing things safely.
Huh, new idea, Google already prompts me on my phone when I log in to Google on a new device, why isn't there a service where instead of having to open my email and find that darned Medium email, it can push a question to one of my devices (also on PC) and I can just press "Yes that was me, let me in"? It can be some third party so I don't need a different software for each site.
Isn’t that basically logging in with Google? I mean Google isn’t asking you if you logged into Medium with a push but by the time you’re doing that Google already knows it’s you and pushed you a notification to log you in initially.
Almost, but what if I'm uncomfortable with Medium having my real name and profile pic (which Google's SSO will share)?
I'd imagine Medium would offer "authentication through X", and I can either enter my id for X, or go to the X app and generate a new ID for use for Medium, and paste it on Medium. So next time I want to login to Medium, after entering my username, Medium's backend talks to X's backend (saying user with this ID wishes to login) X can prompt me on one of my devices. Medium can display a unique number on their page for me, and I can compare that to the number my X app is showing me to confirm it's me I'm letting myself in.
This is a 1 minute concept without considering creative ways it can be attacked. But I guess there wouldn't be any money to be made...
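The flow sketched in the comment above, as an added example that is not part of the original thread: a third party "X" issues a per-site identifier, pushes a prompt to the user's device, and releases the login only when the user confirms the number shown on the site's page. `ProviderX`, its method names and `medium.example` are hypothetical, state is in memory only, and the user enters the number instead of comparing it by eye, which is a stricter variant of what the comment describes.

```python
import hmac, secrets, time

class ProviderX:
    """Hypothetical approver "X"; class and method names are illustrative."""
    TTL = 60  # seconds a pending login stays answerable

    def __init__(self):
        self.ids = {}      # pairwise id -> (user, site)
        self.pending = {}  # request id -> [pairwise id, code, expiry, state]

    def new_pairwise_id(self, user, site):
        # Random per-site identifier: the site learns no name, email or photo.
        pid = secrets.token_urlsafe(16)
        self.ids[pid] = (user, site)
        return pid

    def start_login(self, site, pid, now=None):
        # Called by the site's backend; the returned code is shown on its page.
        now = time.time() if now is None else now
        if self.ids.get(pid, (None, None))[1] != site:
            raise KeyError("id was not issued for this site")
        rid = secrets.token_urlsafe(16)
        self.pending[rid] = [pid, f"{secrets.randbelow(100):02d}", now + self.TTL, "waiting"]
        return rid, self.pending[rid][1]

    def device_prompt(self, user):
        # What the user's app shows: (request id, site, code) per open request.
        return [(rid, self.ids[r[0]][1], r[1]) for rid, r in self.pending.items()
                if r[3] == "waiting" and self.ids[r[0]][0] == user]

    def respond(self, user, rid, code_on_page, now=None):
        # "Yes, that was me", bound to the code the user read off the site.
        now = time.time() if now is None else now
        req = self.pending.get(rid)
        if not req or req[3] != "waiting" or self.ids[req[0]][0] != user:
            return False
        ok = now <= req[2] and hmac.compare_digest(req[1], code_on_page)
        req[3] = "approved" if ok else "denied"  # one answer per request
        return ok

    def is_approved(self, site, rid):
        # Polled by the site's backend; an approval is consumed on first read.
        req = self.pending.get(rid)
        if req and req[3] == "approved" and self.ids[req[0]][1] == site:
            del self.pending[rid]
            return True
        return False
```

A wrong number, a late answer or a second answer all leave the request denied, so a reflexive tap on the prompt does not log anyone in.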
If you use Firefox, you might want to look into multi-account containers or first party isolation. Basically, you can log into Gmail in one tab without being logged into Google in all tabs.
Why can't you use CSS to collect the user's email address? Can't CSS blend modes allow you to capture anything that's rendered on the page? Or is that not possible anymore?
Looks like it's an iframe if I try by going to medium.com. I imagine getting the contents of an iframe would be a vulnerability and patched if it was a thing (I can't recall this being possible).
I think it's probably the same as it ever was. By my read this is essentially Google releasing an iframe (or whatever) version of their "allow blorbulax.com?" page with the message reworded and combined with the "yes" button.
Hate it.... I do not want a site to have access to my information before I even open an account... even if that's just some anonymized ID created for the task.
Ironically, you must sign in with a social media account (facebook / twitter) or google / github to even use this site..... Single Sign On crap just leads to your whole life getting hacked if something happens. If I cannot set up an account with a unique email address and password, I will leave.
I've seen these before; it feels way too intrusive and out of place on the page. If I'd clicked a "sign in with Google" button, then okay fine, but a big dialog covering the corner of the page? No thanks.
Checking out that page, the traditional signup button (which is what I'd use as I'd rather not use Google login) is actually under that dialog. You can't see it until you dismiss the dialog.
I see one like this on other sites - eg Instagram. Hate it.
Don't assume I want to give you my identity.
But! Make it super easy for me to act when I decide.
These force-auth types are over-reaching and intrusive. They cause pain to the power-user and cause incidental harm to the standard-user (and maybe more)
EDIT: I misread the OP. I was under the impression that the popup came after clicking "Log in," rather than just being immediately shown on load. Ignore my comment.
Personally, I like it, and I think that from the typical user's perspective, it can probably be more convenient.
At least, it's more convenient than the classical "click a login link, which takes you to another page, try to remember your password, maybe hit I forgot and have to view your email, and then hope the site takes you back to the page you were originally on" flow. A big win is not having to leave the content you're currently viewing, which is an annoyance on mobile.
A lot of the comments on this thread strike me as cynical, and are dismissing the user experience aspect of something like this. Especially considering that the average user doesn't have a password manager (I could be wrong on this claim, I don't have a source ATM).
EDIT: I should clarify that I'm talking about the "quick sign in" pattern in general, not necessarily about any specific auth provider.
P.S. If you're trying to produce a similar flow on your site, the Credential Manager API (navigator.credentials) allows you to save user credentials locally, so when they visit your site, their browser can automatically sign them in.
> It makes me feel that a mis-tap will cause me to send my details to a site
This reminds me of one time when I logged in to Chrome and misclicked on the dialog that asked whether to sync data. I very quickly went to settings and disabled sync, but I have a feeling Google got all my bookmarks and history and saved passwords.
That's what finally made me delete Chrome (I had already been using Firefox primarily but now have Falkon (WebKit-based KDE browser) instead of Chrome).
Very malicious how the option to keep your information to yourself is gated behind many opt-outs but if you accidentally opt-in once they take everything.
Given that this is a website for medical use, I'm surprised they are allowing account creation with google oauth. I'm 95% sure it's not HIPAA compliant.
https://cloud.google.com/security/compliance/hipaa/identity-... - looks like, at least for Cloud Identity (for employees accessing the internal records and databases themselves) - it's HIPAA compliant when the people implementing it do their DD. Since GSuite and Gmail logins are fairly tightly integrated, I would bet the regular auth system and oauth system for Google accounts is HIPAA-compliant.
If you are using a service like google oauth you need to sign a business associate agreement with them before using any of their services in a HIPAA compliant manner. I've searched for how to sign this contract pretty unsuccessfully.
How about: forgot what email I used for a particular website, so try and login (not register!) with one of them...oops it was the wrong one but I now have an account apparently along with welcome emails to match. I am very cautious about putting an email into any login form without double checking it is the right one.
A big no no for me. Seen a couple of sites and never tried clicking. I'd rather use the 'sign in with google' button where I get to confirm rather than this privacy-insensitive method.
I saw this on Zillow and I tracked it down to https://github.com/openid/OpenYOLO-Web or some similar implementation of that protocol. I haven't looked into it yet but I've been intending to figure out how it works and I was surprised I haven't read about it yet anywhere.
This button allows Google to know the fact that I'm currently on this specific website. If more and more websites implement this button, Google will have access to my complete browsing history!
IMO a website must ask for a permission before displaying this button.
Facebook also has a similar button ("Continue with {my_name}") that uses the same iframe method.
Well FB (and Twitter) already have "Like this page" or "Tweet about this" embeds, and those allow them to track you across the Internet (or at least on sites with those buttons).
Hmm, how did they do that? I thought the google oauth flow required that it redirect to a google page (and show the info/permission the oauth flow is asking for).
Unless there's a security leak somewhere in cookies, which exposed your email address to this site (which doesn't belong to google I presume).
The first time this happened to me, I instinctively clicked to login thinking Chrome was trying to log me into Gmail or my Google Account. I didn’t realize I was giving info to some random site, I was just trying to swat away a popup.
On the other hand, as a conscious consumer, I absolutely hate giving even more information to Google.
It would be cool to have an open source, non-profit organization to work as a universally accepted authentication provider platform. One can always dream.