
Introducing Google+ Sign-In: simple and secure, minus the social spam - iProject
http://googleplusplatform.blogspot.com/2013/02/google-plus-sign-in.html
======
paddy_m
If google wants me to use and depend on their services they need to take
google apps for domains seriously. I have three google apps for domains
accounts, and a regular gmail account.

One apps for domain account is tied to my job, another my personal domain, a
third to a former job/personal domain that I registered services with. I used
my gmail account to access services that google doesn't make available on
google apps for domains.

It seems that no matter which google service I'm using, I'm logged into the
wrong account. I frequently can't log out from the other account properly on
the login page so I have to go back to a mail interface. It is an utter mess.
I don't care about google connecting the dots and realizing that I'm the same
person in all the places. They make it so frustratingly hard to use and depend
on their services that I'm actively looking for alternatives.

Linkedin handles it fine, when someone tries to friend me on my professional
email address with linkedin, they know that I'm the same person. Google+
doesn't. I don't have a Google+ account on my preferred email account because
I can't figure out how to enable it for that domain. I get Google+ friend
requests regularly on every email address I have.

~~~
rachelbythebay
<http://giveupandusemultiplebrowsers.com/>

I found this back in 2009, maybe 2010, when I was still "on the inside" and
shared it around internally. Some people got a real kick out of it.

Now consider this: every single employee has a corp account, and I would think
nearly every employee has a personal account, too. That means problems
stemming from being in the right account have probably popped up in every
single person's face for _years_ now.

It didn't help when they changed from having the u@h up to just a name. Great.
I know my name. I need to know which account I'm in.

Sorry.

~~~
modeless
That site is a little outdated because Chrome now natively supports multiple
user profiles. Each profile gets its own icon and there's a user profile
switcher next to your tabs. It's by far the best solution to the multiple
accounts issue.

~~~
criley
Too bad not every Google Apps for Business setup works with Chrome Sync (or
most Google software).

My company uses Google Apps for Business, but that basically means web
services, because no actual software works. GChat, Chrome, etc all fail to
recognize the account.

Yep just tried again: Invalid user name and password. Exact same entry as when
logging into email except Chrome fails where gmail.com works. It simply will
not accept the name/password of my Google Apps account on any Google software.

What a bummer, was hoping this was a fix for having multiple accounts.

~~~
raldi
You might want to reach out to the person who admins your Google Apps domain,
and see if they've explicitly disabled Chrome signin across all organizational
accounts. And if so, whether it was on purpose.

To do so, have them visit:

www.google.com/a/cpanel/ _<your domain>_/CPanelHome?pli=1#Organization/subtab=services

...and Ctrl-F "Google Chrome Sync"

~~~
philsnow
Ugh if that's the case, then egg on Google's face for showing the user
"Invalid user name and password" rather than saying (before even attempting to
log in) "your domain administrator has disabled this feature".

------
robomartin
As I see Google expand its service offerings I find myself excited with the
potential yet refraining from using any of these services for a very good
reason:

As an entrepreneur you are always up against the very real probability of
Google shutting down your account due to unknown violations. This topic has
been discussed on HN before. I have seen it and experienced it first hand with
clients. Your account is auto-magically tagged and permanently suspended and
you are screwed. Say goodbye to your docs, email, storage, adwords, adsense,
plus and now logins.

I would really like to hear from someone at Google on the reasons why your
company will not come out and offer:

(a) A solid guarantee of non-termination of services

(b) Real customer service

(c) A sensible mechanism through which honest users of your services can deal
with TOS violations (and learn how to fix problems) without risking losing it
all.

There's more, but I'm busy. The point is that Google offers a lot of neat
stuff but the risk is too great. It's like jumping off a plane with a
parachute while someone retains control of a "deploy disable" mechanism. You
don't know if you are going to crater yourself on the fifth, the hundredth or
the nth jump. You just know that it could happen and you will never know why.

~~~
weareconvo
> A solid guarantee of non-termination of services

If they terminate your account, it's because they had a reasonable suspicion
that the account violated their TOS. So I guess this one is actually related
to not knowing what the violation was, and accordingly assuming it was for no
good reason. I didn't work on the Policy team - I was a dev - but I seriously
doubt anyone there could terminate peoples' accounts without reasonable
suspicion of a violation and get away with it. The checks and balances are too
tight.

> Real customer service

Google does have "real customer service". However, as far as I know, it's
reserved for the people who are paying Google money for whatever reason. In
general, any of Google's free services have so many tens of millions of users
that it would be ludicrous to guarantee any level of service for every single
one of them.

As to the general complaint about the very real possibility of being cut off
from your data, that's a risk wherever you go. Drives fail, servers get
hacked, someone accidentally hits "delete everything" instead of "refresh
monitoring dashboard"... etc. At least with Google Take-Out, they make it
incredibly easy to download whatever data you have on there periodically for
the purpose of doing backups.

~~~
robomartin
I don't think you are exposed to the reality of the problem. I'll describe one
incident I witnessed for you to get an idea.

We were working on a client's medical information site. A reputable MD. He
happened to own about 250 domains parked at GoDaddy. We were going to use
AdSense on his one site once it was up. He went ahead and set up an account
with Google to use both AdSense and AdWords. During this process he saw that
Google offered a product called "AdSense for Domains". The premise being that
you park your Domains with Google and they auto-magically place ads on them.

The domains were already parked with GoDaddy's "Cash Parking" service for over
a year. It didn't take long for him to realize that this was an intermediated
version of Google's AdSense for Domains. He decided to cut out the middle man
and park the domains directly with Google.

He transferred all the domains. They had to be approved by Google. That
happened overnight. All was well. Two days later he gets the dreaded notice
and his entire account is permanently suspended without recourse, without a
way to learn what the problem may have been and without a way to speak to a
real person. Horrible. Particularly when you realize that he had already been
using this service through GoDaddy as a middle-man.

That is the kind of thing a shit company who cares not for their customers
would do, not a company who claims to live by this "Do no evil" ethos.

Based on that experience I can't see ever trusting them with anything at all.
Great search. Absolute lack of respect and consideration for their customers,
which is an absolutely shitty way to behave in my book.

My standing recommendation is to not use Google for anything other than
search.

~~~
weareconvo
If the person was buying Adwords ads and then using them to direct customers
to parked domains, then I think I have an inkling as to why their account was
terminated, considering I am the person who implemented that policy.

~~~
robomartin
No such thing. The events were exactly as I described them. No ad clicking. No
vectoring through AdWords. Nothing other than a transfer of the domains from
GoDaddy intermediated parking to Google's "AdSense for Domains" and in three
days the account was closed.

Because there's zero feedback all we could figure out is that some of the
domain names (he had a couple that were politically charged) may have hit a
filter. What's weird is that they went through their approval process, started
showing ads for a day and then the account was closed.

This is one account. Search for "Google closed my account" to read more horror
stories, all with different threads. Their process and approach is absolute
crap. Not to be trusted with anything.

~~~
weareconvo
If they weren't buying Adwords ads, then they weren't paying Google anything,
and thus, it's absurd of you to demand that someone providing you with a free
service would also guarantee customer service.

~~~
robomartin
I'm sorry, are you trying to be funny?

Of course these people were using AdWords for their business. They were NOT
using it to vector people to the parked domains.

Only a moron would do that. Spend dollars to make sub-pennies?

~~~
weareconvo
Good to know that the MFA problem I spent 2 years of my life fighting is now
seen as trivial.

~~~
robomartin
I don't understand what you are saying. Not a clue.

------
JoshTriplett
Smart: with people starting to become aware of just how much access Facebook
apps get to your social network, and already well aware of how much apps spam
that network, offer apps that put the user in control of that:
[https://lh3.ggpht.com/-6MCVkHL9Rbs/USvqcyXRUCI/AAAAAAAABGI/o...](https://lh3.ggpht.com/-6MCVkHL9Rbs/USvqcyXRUCI/AAAAAAAABGI/oIS8AKHRBkk/s1600/3sharing_is_selective.png)

~~~
masklinn
s/put the user in control of that/give it to google instead/

~~~
fudged71
This is something that has always bothered me about how much Facebook talks
about their privacy and how much they value your privacy.

A lot of users don't realize that Facebook can 'see' their messages, never
mind the rest of the data that they have "privately" shared on the site.

~~~
JoshTriplett
A lot of people don't realize that their mail server provider can read all
their email, either; they just think about the things visible in the UI (other
people and companies) and not the invisible things (servers).

------
OlavHN
If all you want is a simple, privacy friendly login then check out Mozilla's
Persona: <https://login.persona.org/>

Chances are your users won't have it already, but it's the only single sign-on
solution I would use without calculating how much privacy I'm willing to
"sell" for not having to register yet another time and remember yet another
password.

~~~
callahad
Thanks! The Persona team is working hard to get past the "your users won't
have it already" bit.

1\. By the end of March, we'll turn on a Persona <-> Yahoo (OpenID) bridge,
followed by one for Google (OpenID) and Hotmail (OAuth). Net win: A billion+
users can fully complete a first-time login with Persona using just three
clicks. (Try it today! Use a Yahoo address at <http://beta.123done.org/>)

2\. A subset of the team is working on a Persona-backed replacement for
Firefox Sync. Net win: tens or hundreds of millions of additional users added
to the "Persona-ready" camp.

3\. The upcoming FirefoxOS phones all have Persona baked into the default
Marketplace. Net win: time will only tell.

The above projects just streamline the initial onboarding experience: anyone
can use Persona right now with any email address. FWIW, last time I checked,
Persona is averaging > 13,000 daily login transactions over a rolling 7-day
window.

I don't want to derail, but if you have questions or need help getting Persona
set up on your site, please feel free to email me.

------
wereHamster
As a developer, how is that different from logging in via Google OAuth?

~~~
mtrimpe
Skip 50 seconds into the video and you'll see the killer feature here: a
seamless handoff to your companion mobile app.

It seems they're even offering analytics with it:
<https://developers.google.com/+/features/play-installs>

~~~
jianshen
Very interesting feature. App associated with web page must be free and "meet
a quality threshold" determined by Google.

[0] [https://developers.google.com/+/web/signin/android-app-insta...](https://developers.google.com/+/web/signin/android-app-installs)

------
jug6ernaut
Not on topic not off topic.

But until g+ allows linking of multiple gmail accounts to one g+ account I
will never be using it.

Ever tried switching email address on g+, nightmare...

~~~
modeless
The support for that isn't in G+, it's in Gmail. Gmail supports sending and
receiving mail from multiple addresses. The other addresses don't even
necessarily have to be Gmail accounts. It's easy to link all your email
accounts together into one Gmail inbox.

~~~
jug6ernaut
Yes I am aware of this feature in Gmail, but this is not what I am referring
to.

What I'm referring to is when contacting other people through g+ it uses w/e
email address is associated with g+. This is not always ideal, I don't want
everyone to know about my email address. Even if u have another email address
it is impossible to contact other users using anything but the one email
address associated with the account.

Also afaik you can link other NON google email addresses, just not other google
accounts...

~~~
modeless
You can link non-Google email addresses to Gmail. Even if they don't support
mail forwarding natively Gmail can retrieve the mail from them using POP3.

------
ecaron
Most interesting point: <http://www.thefancy.com/> (the promo site in the
video) ISN'T EVEN USING THE SERVICE!!!

~~~
sethjs
Hey there - this is Seth from Google+. The launch partners will be rolling out
Google+ Sign-In over the course of the day.

~~~
mynameisvlad
Fyi, the /apps link also doesn't work on my account.

~~~
sethjs
It should shortly - the roll-out takes a few hours to get to 100%.

~~~
ecaron
On an unrelated note, thanks for joining HN to participate in this discussion.
It is really refreshing to know that Googlers like yourself and Matt Cutts are
engaged in their community - it makes it much easier to have faith in the
technology collaboration vs. when the movers/shakers sit behind a walled
garden.

------
newishuser
minus the social spam... for now while we try to gain users.

If they were serious about it, they'd put it in a non-changeable clause in
their TOS. Otherwise it's just marketing fluff.

------
m_eiman
_minus the social spam_

Somehow I find that hilarious.

~~~
BruceIV
Yeah ... speaking of "social spam" does anyone else get a "make new friends on
Google+" page about 10% of the times you try to go to plus.google.com ? The
persistent annoyance of that page was a major reason I went back to Facebook
from G+, and now just use it as a Skype replacement.

~~~
fryguy
More than 10% of the time on facebook, I get a "try out these new games your
friends are playing" (even though I've rarely played games on facebook), which
takes up roughly the same amount of space as the google+ one does.

~~~
shadowmint
What are you talking about?

You've clearly never seen the google ones.

It's a _GIGANTIC POPUP_ full of Click here! Join now! Follow ME! (Or like
today, a new full page of Do Not Want: "Never miss another post Get
notifications whenever important people in your life share something new on
Google+" <\-- how about you just let me into the site ok? Come on...)

Facebook is spammy, but G+ is just beyond a joke.

------
bitcartel
Doesn't the combination of Google+ Sign-In and Google Wallet remind you of
Microsoft Passport[1]? I wonder if people who had concerns over a decade ago,
will have the same concerns now.

[1] <https://en.wikipedia.org/wiki/Microsoft_account#History>

~~~
Groxx
Except that Passport was embedded in the OS. And if I remember correctly, a
royal PITA to set up with multiple accounts, or manage your existing data. I
infinitely prefer this to be part of the internet instead of the OS, where
it's easier to support multiple simultaneous logins.

~~~
anoncow
This will be embedded in their OS too...

~~~
Groxx
But not in Windows, OSX, or Linux, where Chrome runs as an application. And
it's likely to be embedded (like the normal Google account embedding) in stock
Android devices, but not some forks or some carrier modifications (since
Google accounts aren't required for any of the features any more).

The same cannot be said for Windows. Especially when Windows held an
_overwhelming_ monopoly on desktops, unlike Android.

~~~
vvhn
android is going to get an overwhelming majority too. Pretty soon even the
basic $30 phone is going to be a smartphone likely running android. iPhones
are going to keep on growing at a healthy rate but their numbers will dwarf
against android.

------
nullc
How does this compare with Mozilla Persona?

Persona uses cryptographic tokens so that identity providers can't spy on what
sites you're using, and can't selectively deny service to various sites.

I think that people should resolutely refuse to use any identity service that
doesn't have at least those properties.

~~~
mcovey
persona is an actual trustworthy idp, google ... you are the product.

------
david_glazer
To ecaron and others asking -- we're doing a gradual rollout over the course
of the day, as are our launch partners. You'll see the feature in their apps
soon.

------
robot
Terrible idea. I hate the (mis) connected nature of google services. E.g. I
don't want to see Google+ contact's recommendations on my youtube page. Now I
can't imagine the same happening with even other apps.

------
mikeevans
This is an interesting feature:
<https://developers.google.com/+/features/play-installs>

~~~
shawn-butler
Isn't this a recurring complaint of HN users? They go to a website in a
browser and it tells them to download their app.

The complaint usually goes if I wanted to use your #@#%@# app I would be using
it, I'm using your web site.

Seems spammy to me and also android only. Really getting skeptical of the
"gadgetification fanboism" of the web.

~~~
cbhl
This is subtly different -- it sends the app to your phone when you're logged
in on the desktop.

~~~
marcamillion
But isn't that worse? You are browsing an app that you logged into with
Google+ and now all of a sudden it's installed on your phone?

~~~
dannyr
It's not all of a sudden. You have to click "Install" for it to be downloaded
on your phone. It's not automatic.

~~~
marcamillion
Ahh...ok. Now that makes sense. I was under the impression that it detects
that you have an Android phone - based on your Google profile - and it
automatically does that. Well that's cool.

------
jacquesm
Google+ _is_ social spam, and one of the few varieties that is extremely hard
to get rid of. Most of the other ones you can simply blackhole.

------
hakaaaaak
I don't want to use Google+ because everyone I care about uses Facebook, and
even that I'm growing tired of and use less than I did for a few years.

I'll continue to use my Google (Gmail) account for authentication to
StackExchange and a few other sites, because it doesn't make me use anything
but Gmail. But, if Google starts forcing me to use Google+ actively, I'm going
to stop using it for authentication.

------
bsimpson
I've already taken the time to implement a server-side login using OAuth2, as
documented by Google here:

<https://developers.google.com/accounts/docs/OAuth2WebServer>

According to these new docs, I need to use the Google+ JS to do client-side
authentication, then pass the token to my server:

<https://developers.google.com/+/web/signin/server-side-flow>

I have no interest in building a new code path to support Google login, when I
can use the OAuth setup I'm already using for 3 providers (inc. Google). It
would be nice if you'd just post the CSS or PNGs you're branding as Google
Login and let me use the backend I've already plumbed.

~~~
bsimpson
I found the actual button design guidelines, and noticed that their launch
partners (FitBit and The Fancy) have designed their own buttons in the same
style as Google's JS buttons.

Here are the design guidelines, PSDs, and PNGs:

<https://developers.google.com/+/branding-guidelines>

------
pgrote
Can anyone find a working example outside of Google of the 2 Step
authentication working with the Google+ Sign-In?

~~~
pgrote
2 Step doesn't work on USA Today. You get:

Unauthorized request.

Error 400

------
brown9-2
Nice dig at Facebook here:

 _In addition: Google+ doesn’t let apps spray “frictionless” updates all over
the stream, so app activity will only appear when it’s relevant (like when
you’re actually looking for it)._

edit: referring specifically to how Facebook markets its sharing options as
"frictionless": <http://en.wikipedia.org/wiki/Frictionless_sharing>

------
Djehngo
I don't know much about the specifics of facebook apps, but could anyone
outline the differences between facebook's approach to apps and google+'s?

------
marban
Apple should have long released an equivalent for iCloud accounts.

~~~
kmfrk
They are still working hard on something after the Mat Honan hacking
<[https://encrypted.google.com/search?hl=en&q=mat%20hack#h...](https://encrypted.google.com/search?hl=en&q=mat%20hack#hl=en&sclient=psy-ab&q=mat+honan+hack+apple&oq=mat+honan+hack+apple&gs_l=serp.3...1409.2092.0.2905.6.6.0.0.0.0.142.784.0j6.6.0.les%3B..0.0...1c.1.4.psy-ab.t8FXRwTZNlI&pbx=1&bav=on.2,or.r_gc.r_pw.r_cp.r_qf.&fp=9ebc75283e7b2b59&biw=1440&bih=779)>.

------
seldo
Please correct me if I'm wrong, but it seems there's still no offline
permission to share on a user's behalf. It seems to be a deliberate design
decision, but it makes life tricky for somebody wanting to make a social media
management platform (ahem) since there's no mechanism for scheduling future
posts, etc.

------
danso
OK, I'm going to go off-topic and sound like a crank...but is the font-size
for Google's blogs kept at 13px because:

1) To keep consistency across every service (search, analytics, maps, etc)

2) Because it's what users like, according to in-house studies

3) Because...why change it?

Not all the Google blogs use Arial (<http://chrome.blogspot.com/> uses Open
Sans). I'm not trying to be completely snarky here...If it is indeed a best
practice, then that's good to know. The width of the Google blogs do conform
to showing 80-or-so characters a line, though at 16px, the characters-per-line
is about 70, which isn't bad either.

(yes, I know HN is at 13px too...but a discussion board with variable length
of text and a higher value in being able to see more entries at once is
different than the narrative paragraph form)

~~~
blaze33
So that I'm still able to read it on my 640x480 CRT screen. Backwards
compatibility is serious business at Google.

Joking aside, it's a 62.5% x 1.2em font size which is rendered as 12px (at
least with my chromium/ff defaults). Probably too small for most readers
nowadays (some would certainly agree cf.
[http://informationarchitects.net/blog/the-web-is-all-about-t...](http://informationarchitects.net/blog/the-web-is-all-about-typography-period/)).

------
mixedbit
Great, add to this 'minus centralized' and I'm all in. Or wait, Mozilla
Persona already does this.

~~~
superuser2
Doesn't Mozilla hold the map of emails->passwords for Mozilla Persona? That's
pretty centralized to me.

~~~
mixedbit
Any domain can authenticate its users, Mozilla acts as a fallback if a domain
does not do this. At this moment most domains do not directly support Persona
authentication, so almost always the fallback is used, but the system is
decentralized by design.

------
lnanek2
Reminds me of the huge threads of people upset about needing Google+ accounts
to post reviews on apps on Google Play now, lol. Guess Google tried eating
their own dogfood on this one and it didn't go over well.

------
kmfrk
Great to see an alternative to Facebook log-in. It's usually either Facebook
log-in or e-mail based log-in, which works really poorly on mobile, when you
don't have something like LastPass to autofill.

------
avodonosov
What is so new? It's OAuth 2.0 (see google+ docs:
<https://developers.google.com/+/api/oauth>). OAuth 2.0 is supported for a
relatively long time by Google (the old docs:
<https://developers.google.com/accounts/docs/OAuth2>)

------
znowi
Apparently, this worked out so well for thefancy.com that they took it down. I
can only see the usual suspects: Facebook and Twitter sign-ins.

In fact, I've checked all the sites listed in the article - none of them have
Google+ sign-in.

Also, they say you sign-in via Google account, but I suspect it also requires
a Google+ profile in order to use this feature.

~~~
tomkarlo
It's fairly obvious you have to have the announcement first, then the rollout
on major sites (that aren't run by Google.) If the reverse happened, it would
be seen as a foul-up. Facebook did the same when they announced "Likes" on
external web sites.

------
combataircraft
After I lost the Youtube account that I used for 4 years, thanks to their
fucking robust login service: Go fuck yourself, Google

If you guys wanna see the future of this project, just try to create an
account and upload a video in Youtube. Youtube is a Google company, and they
fuck Youtube's membership system up.

------
BenoitEssiambre
I wonder if Apple's rejection of apps that track their users* will result in
this API being blocked on iOS?

* [http://www.tuaw.com/2013/02/26/apple-rejecting-ios-apps-for-...](http://www.tuaw.com/2013/02/26/apple-rejecting-ios-apps-for-cookie-tracking/)

~~~
wutbrodo
Apple's not rejecting apps that track their users, it's rejecting apps that
don't use Apple's user-tracking system.

Also, what Apple was trying to combat was persistent tracking without user
knowledge (done originally using iOS's exposure of device ID, which was
deprecated, and now with these "cookie" tracking implementations). Allowing a
user to initiate sign in to an app is a far, far cry from that (and it would
be preposterous for iOS to disable the ability to log in to apps).

------
donniezazen
What really surprises me is the blatant permissions required by most
applications especially on Chrome OS. Many of the applications/extensions I
have had opportunity to observe in past few days outright require "all data on
all websites."

------
sunils34
Anyone else having trouble working through their examples? It seems like they
haven't made their example repositories public yet.
<https://github.com/googleplus>

~~~
willnorris
That's the right GitHub org, the samples should be showing up there soon.

~~~
gguuss
The first set of samples are available now.

------
StavrosK
Wait, does this mean apps can finally post to G+? It looks like I can finally
write a simple app that can cross-post my Twitter stream to my public G+
circles.

~~~
dragonwriter
> Wait, does this mean apps can finally post to G+?

Apparently; the "Moments" API which supports this (which has, I think, been in
limited, trusted-tester use for something like 6 months) appears to now be
general availability as of the API documentation update today.

------
neves
With this new signin, will it be possible for someone to develop an
application that automatically publishes my site RSS feed in Google+?

------
mehulkar
I'm confused, didn't Google+ Sign In already exist? I know I'm using it
already...

