
Admittedly, that's not a minor benefit. If someone has access to your Gmail account, there's all sorts of information there they can use to engineer access to other services.

The naive optimist in me wants to think that making security keys accessible to more users, and getting them used to them, will lead to pressure for other services to follow suit. But then I think about how long people have been criticizing banks for ridiculous password policies that are seemingly universal in the industry, and I know better. Or bad security practices at organizations in general. I'd very much like to be proven wrong.



I mean the problems I have with banks are 1) you type your username and password on different pages 2) password limits of like 20 chars.

We're in a day and age where people should be using password managers (even my tech-illiterate parents use them). So why are character limits set so low? I want my bank password locked down. And we're in a day and age where (1) shouldn't even be an issue. I'm not sure what other issues people face, but I've seen these patterns with multiple banks.

I think banks get lip more because they are a clear case where security should be VERY high. Just like you should protect your email strongly (note google does (1)[0]).

[0] https://screenshots.firefox.com/v9AjmrW7jtr1aGg3/accounts.go...

[0'] If someone is an actual security expert, I'd like to know why (1) is an acceptable practice. (My bank does it, but they pass you to the password page no matter what you type in, which seems safer than what google is doing)


>If someone is an actual security expert, I'd like to know why (1) is an acceptable practice.

So your issue here is that Google tells you whether it's a valid email address before you enter in a password?

You could validate email addresses yourself by sending out a ton of emails to different permutations of *@gmail.com and seeing which ones come back as undeliverable. An email address on its own isn't inherently private so this doesn't seem to be a security risk to me unless I'm missing something.


I interpreted the parent's complaint in (1) as the login form having the username/password entries split across two screens, not as a complaint that it tells you the account doesn't exist.

AIUI, splitting the entry across two screens like that breaks a lot of password managers, as they can't handle it. This hampers the adoption of password managers, which would largely help the average Joe's security.

Google supports external auth in some cases¹, and to know whether they need to redirect to that auth, they first need your username / email. Then, you're either redirected or you're shown the password entry prompt.

I don't know of any banks that do this, so this might not be applicable to them. (Theirs might just be bad design.)

¹GSuite, not consumer GMail, but I assume the flows are the same
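The flow described above (username first, then either a redirect to an external identity provider or a password prompt) can be implemented so that it never reveals whether an account exists, which is the point raised about the bank passing you to the password page no matter what you type. The following is an added example and is not code from Google, any bank, or the commenters; the federated domain, its IdP URL, the sample account and the PBKDF2 parameters are all constructed for illustration.

```python
# Added example: an identity-first ("split page") login whose first step does
# home-realm discovery from the e-mail *domain* only, and whose second step
# costs the same time and returns the same answer shape for unknown accounts.
# All data below is constructed sample data, not from any real service.
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import os

# Constructed: domains delegated to an external identity provider (assumed URL).
FEDERATED_DOMAINS = {
    "example-corp.com": "https://idp.example-corp.com/saml/login",
}

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the sample


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _make_account(password: str):
    salt = os.urandom(16)
    return (salt, _pbkdf2(password, salt))


# Constructed sample account store: email -> (salt, derived key)
ACCOUNTS = {
    "alice@example.com": _make_account("correct horse battery staple"),
}

# A dummy record used for unknown users so the password step does the same
# amount of work; its password is random, so it can never be matched.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2(os.urandom(32).hex(), _DUMMY_SALT)


@dataclass(frozen=True)
class NextStep:
    action: str                      # "redirect" or "password"
    location: Optional[str] = None   # IdP URL when action == "redirect"


def identify(email: str) -> NextStep:
    """Step 1: decide where the user goes next.

    Only the domain is consulted, so an unknown user at a non-federated
    domain gets exactly the same response as a real one (a password prompt).
    """
    email = email.strip().lower()
    domain = email.rsplit("@", 1)[-1] if "@" in email else ""
    idp = FEDERATED_DOMAINS.get(domain)
    if idp:
        return NextStep("redirect", idp)
    return NextStep("password")


def verify_password(email: str, password: str) -> bool:
    """Step 2: check the password.

    The key derivation and the constant-time comparison run whether or not
    the account exists, so response time does not reveal account existence.
    """
    email = email.strip().lower()
    salt, expected = ACCOUNTS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _pbkdf2(password, salt)
    matched = hmac.compare_digest(candidate, expected)
    return matched and email in ACCOUNTS


if __name__ == "__main__":
    print(identify("bob@example-corp.com"))          # redirect to the IdP
    print(identify("nobody@example.com"))            # password prompt, same as a real user
    print(verify_password("alice@example.com", "correct horse battery staple"))  # True
```

The design choice worth noting is that `identify` keys on the domain rather than the full address: realm discovery needs the domain, and nothing more, so the first page can route federated users without the response telling an onlooker which addresses are registered.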


You both addressed different parts of my complaint, so thank you both.

I'm definitely dumb enough to not realize that email login might be a special case because you can check username validity another way (sending emails). And I didn't know that GSuite had external auth.

These split pages don't actually break LastPass, at least for me. One field is still called username and another is called password, so they fill properly.
