
What Do You Think about This Seamless “Registering/Login” User Experience? - kinderjaje
https://community.vanila.io/uiux/general/what-do-you-think-about-this-seamless-registering-login-user-experience~cd5aeb82-8d13-46ed-b099-2b8865443a66
======
wayneftw
I find it to be intrusive and disturbing. Medium.com does this and I've always
hated it.

Medium's usage of it actually caused me to switch, on my work computer, from
always being logged into Google, to never being logged into my Google account.
Now if I have to use one of my company's apps that requires a Google login, I
do it incognito.

At home, I never browse while logged in, so I didn't ever notice it that much.
Using my Google account for logging into a third party web application is
never my first choice. I'll take separate email / passwords for everybody
please and thank you.

~~~
lazyasciiart
God, Medium has the worst login experience of any site I use. What makes them
think they are too clever to be usable with a password manager like the rest
of the damn internet? I usually just reopen the article in an incognito tab
instead of going through their stupid “send me an email!” bullshit login.

~~~
osdiab
For every user like you who is using unique, securely generated passwords in a
manager, there’s 10,000 people who are using the same, easily compromised
password on every website they’re registered on.

You’re not the target audience for these features - not only are you the tiny
minority, but no matter what system they give you, you’ll find a way to
interact with it safely, so for that interaction you simply don’t matter.

And choosing to do this kind of login pushes blame for authentication issues
away from that company, and onto the federated provider, who presumably has
legions of security researchers to make sure they’re doing things safely.

~~~
netsharc
Huh, new idea, Google already prompts me on my phone when I log in to Google
on a new device, why isn't there a service where instead of having to open my
email and find that darned Medium email, it can push a question to one of my
devices (also on PC) and I can just press "Yes that was me, let me in"? It can
be some third party so I don't need a different software for each site..

~~~
Spivak
Isn’t that basically logging in with Google? I mean Google isn’t asking you if
you logged into Medium with a push but by the time you’re doing that Google
already knows it’s you and pushed you a notification to log you in initially.

~~~
netsharc
Almost, but what if I'm uncomfortable with Medium having my real name and
profile pic (which Google's SSO will share)?

I'd imagine Medium would offer "authentication through X", and I can either
enter my id for X, or go to the X app and generate a new ID for use for
Medium, and paste it on Medium. So next time I want to login to Medium, after
entering my username, Medium's backend talks to X's backend (saying user with
this ID wishes to login) X can prompt me on one of my devices. Medium can
display a unique number on their page for me, and I can compare that to the
number my X app is showing me to confirm it's me I'm letting myself in.

This is a 1 minute concept without considering creative ways it can be
attacked. But I guess there wouldn't be any money to be made...

------
echelon
This really disturbs me. What's the security model for this?

Even if the site never learns my Google identity, I hate having to close the
signup window. If I misclick, they get my identity. It's so sick.

~~~
rhizome
I think it's probably the same as it ever was. By my read this is essentially
Google releasing an iframe (or whatever) version of their "allow
blorbulax.com?" page with the message reworded and combined with the "yes"
button.

------
dclaw
Hate it.... I do not want a site to have access to my information before I
even open an account... even if that's just some anonymized ID created for the
task.

Ironically, you must sign in with a social media account (facebook / twitter)
or google / github to even use this site..... Single Sign On crap just leads
to your whole life getting hacked if something happens. If I cannot set up an
account with a unique email address and password, I will leave.

------
ryukafalz
I've seen these before; it feels way too intrusive and out of place on the
page. If I'd clicked a "sign in with Google" button, then okay fine, but a big
dialog covering the corner of the page? No thanks.

Checking out that page, the traditional signup button (which is what I'd use
as I'd rather not use Google login) is actually _under_ that dialog. You can't
see it until you dismiss the dialog.

------
edoceo
I see one like this on other sites - eg Instagram. Hate it.

Don't assume I want to give you my identity.

But! Make it super easy for me to act when I decide.

These force-auth types are over-reaching and intrusive. They cause pain to the
power-user and cause incidental harm to the standard-user (and maybe more)

~~~
rhizome
Heck, I don't like it also because I don't want to give _Google_ the data
they'll slurp from this connection.

Not for free, anyway.

------
thosakwe
EDIT: I misread the OP. I was under the impression that the popup came after
clicking "Log in," rather than just being immediately shown on load. Ignore my
comment.

Personally, I like it, and I think that from the typical user's perspective,
it can probably be more convenient.

At least, it's more convenient than the classical "click a login link, which
takes you to another page, try to remember your password, maybe hit I forgot
and have to view your email, and then hope the site takes you back to the page
you were originally on" flow. A big win is not having to leave the content
you're currently viewing, which is an annoyance on mobile.

A lot of the comments on this thread strike me as cynical, and are dismissing
the user experience aspect of something like this. Especially considering that
the average user doesn't have a password manager (I could be wrong on this
claim, I don't have a source ATM).

EDIT: I should clarify that I'm talking about the "quick sign in" pattern in
general, not necessarily about any specific auth provider.

P.S. If you're trying to produce a similar flow on your site, the Credential
Manager API (navigator.credentials) allows you to save user credentials locally,
so when they visit your site, their browser can automatically sign them in.

------
Jonnax
I don't like it. It makes me feel that a mis-tap will cause me to send my
details to a site

~~~
the_pwner224
> It makes me feel that a mis-tap will cause me to send my details to a site

This reminds me of one time when I logged in to Chrome and misclicked on the
dialog that asked whether to sync data. I very quickly went to settings and
disabled sync, but I have a feeling Google got all my bookmarks and history
and saved passwords.

That's what finally made me delete Chrome (I had already been using Firefox
primarily but now have Falkon (WebKit-based KDE browser) instead of Chrome).

Very malicious how the option to keep your information to yourself is gated
behind many opt-outs but if you accidentally opt-in once they take everything.

------
friedman23
Given that this is a website for medical use, I'm surprised they are allowing
account creation with google oauth. I'm 95% sure it's not HIPAA compliant.

~~~
judge2020
https://cloud.google.com/security/compliance/hipaa/identity-platform - looks
like, at least for Cloud Identity (for employees accessing the internal
records and databases themselves) - it's HIPAA compliant when the people
implementing it do their DD. Since GSuite and Gmail logins are fairly tightly
integrated, I would bet the regular auth system and oauth system for Google
accounts is HIPAA-compliant.

~~~
friedman23
If you are using a service like google oauth you need to sign a business
associate agreement with them before using any of their services in a HIPAA
compliant manner. I've searched for how to sign this contract pretty
unsuccessfully.

------
tus88
How about: forgot what email I used for a particular website, so try and login
(not register!) with one of them...oops it was the wrong one but I now have an
account apparently along with welcome emails to match. I am very cautious about
putting an email into any login form without double checking it is the right
one.

~~~
jayd16
I guess you know if you see the "continue as xxx" confirmation?

~~~
tus88
I have noticed many lately that don't even do that. It's auto account creation
upon invalid login.

------
Rainymood
My prediction: People on HN will hate it, the general public loves it.

------
kipdotcom
A big no no for me. Seen a couple of sites and never tried clicking. I'd
rather use the 'sign in with google' button where I get to confirm rather than
this privacy-insensitive method.

------
11235813213455
It's probably using google oauth SDK
https://developers.google.com/identity/protocols/OAuth2UserAgent#example
(there's no popup raised if you're already signed in google). You can then
send and validate the token on server-side, and create an account there

------
buboard
I find this creepy. "why does this website know my name"

------
lubujackson
I saw this on Zillow and I tracked it down to
https://github.com/openid/OpenYOLO-Web or some similar implementation of that
protocol. I haven't looked into it yet but I've been intending to figure out
how it works and I was surprised I haven't read about it yet anywhere.

~~~
judge2020
Yes -

https://github.com/zapier/google-yolo-inline

But it seems the page for one tap -
https://developers.google.com/identity/one-tap/web/ - is no longer a thing;
the only solution for "web" experiences is the "sign in/continue with google"
javascript client that does the pop-up, eg. https://doodle.com/login.

~~~
chocolatkey
They discontinued the other one because someone demonstrated that you could
hide it under another element and trick people into clicking on it

------
nguyenkims
This button allows Google to know the fact that I'm currently on this specific
website. If more and more websites implement this button, Google will have
access to my complete browsing history!

IMO a website must ask for a permission before displaying this button.

Facebook also has a similar button ("Continue with {my_name}") that uses the
same iframe method.

~~~
netsharc
Well FB (and Twitter) already have "Like this page" or "Tweet about this"
embeds, and those allow them to track you across the Internet (or at least on
sites with those buttons).

------
chii
hhm, how did they do that? I thought the google oauth flow required that it
redirect to a google page (and show the info/permission the oauth flow is
asking for).

Unless there's a security leak somewhere in cookies, which exposed your email
address to this site (which doesn't belong to google I presume).

~~~
space_fountain
Probably iframes

------
appleshore
The first time this happened to me, I instinctively clicked to login thinking
Chrome was trying to log me into Gmail or my Google Account. I didn’t realize
I was giving info to some random site, I was just trying to swat away a popup.

------
gothroach
Seeing this on a site would instantly remove any desire I had to make an
account.

------
avip
Something marginally less seamless: try to sign-in to google play console with
a user that is not the one currently "syncing" in chrome.

------
jcmontx
Well, as a user I love it.

On the other hand, as a conscious consumer, I absolutely hate giving even more
information to Google.

It would be cool to have an open source, non-profit organization to work as a
universally accepted authentication provider platform. One can always dream.

------
roobs
It’s insecure too :)

https://blog.innerht.ml/google-yolo/

------
xg15
Creating a persistent public online identity on an untrusted service at the
click of a misleading button? What could possibly go wrong?

------
beders
gee, it is 2019 and we still haven't solved registration/sign in ;)

------
Animats
It's a suction pump for the onboarding funnel. It is not your friend.

------
Ice_cream_suit
This is world wide surveillance gone mad.

I try to avoid using creepy websites like this.

------
zemnmez
interesting ... I wonder how this is secured from attacks from the website
itself redressing it and/or clickjacking attacks

