But how did we end up in this horrible state of authentication? Why don't we have something as easy to use as the DNS, but for authentication?
Imagine what authentication would look like if we all started running in the same direction, instead of implementing our own authentication again and again. If we had something open source that would allow you to sign in to all the sites you use, while completely protecting your privacy, so none of them know who you are.
This dream can come true. Technically at least. I've taken the first baby steps with https://promiseauthentication.org which proves that this is possible.
But, for this to become a reality, we really need to start running in the same direction. A collective movement towards a sane, privacy-first Single Sign-On provider that's easy to use for everybody.
Aligns really well with using your own domain for email instead of gmail.
> You will get a unique identity per service you use. This ensures that relying parties have no way to profile you across services.
For me, this is actually the biggest reason that I stopped using social sign-ins. It's not that Google might disable my account one day; it's more that I don't want Google or Facebook tracking me.
How does a decentralized system handle this? If my identity is my domain, doesn't that mean that all these websites now have a unique id which they can use to join together all their separate pieces of data about me?
That said, the unique identity is still valuable--Apple offers this with their third party sign in. Practically, if everyone was using self-hosted identity, then the tools would probably make it easy for you to create and track your own new identities for each service you use. This isn't built into something like IndieAuth today, but with the right DNS settings you could have arbitrary subdomains return the same authentication options and act as easy-to-use "sub identities".
Only by being pseudonymous can it provide the level of privacy that should be expected from the global authentication infrastructure that Promise wants to be.
It would be possible to not save the map, and then use some kind of hashing to infer user ids for each site. I chose not to do this, to be able to guarantee no collisions. This might be silly, though. But the thought of people with colliding user ids makes me giddy.
The data stored looks something like this:
Worth noting is that there is no personally identifiable information (PII) here.
But we have to have the discussion if this is "too much" data to keep about a user. AFAIK this is the bare minimum of data needed to be able to guarantee no collisions of user ids. If there is another way to do it, we should do that!
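The two options weighed above (a stored map versus deriving per-site ids by hashing) side by side, as an added example that is not Promise's code. Approach A keys an HMAC with a per-user secret so nothing has to be stored and only the holder of the secret can link two sites' ids; approach B mints a random id per (user, relying party) and keeps a map with an explicit uniqueness check, which is what makes "no collisions" a guarantee rather than a probability. All names and sample values are constructed for this example.

```python
"""Added example (not Promise's code): two ways to hand a user a distinct,
unlinkable identifier per relying party (RP).

Approach A: derive the id with an HMAC over the RP id, keyed with a per-user
secret; nothing is stored, and linking two RPs' ids requires that secret.
Approach B: mint a random id per (user, RP) and keep a map, checking the map so
that uniqueness is guaranteed rather than merely overwhelmingly probable.
All names and the sample data below are constructed for this example.
"""
import hashlib
import hmac
import secrets


def derive_pairwise_id(user_secret: bytes, rp_id: str) -> str:
    """Approach A: stateless, deterministic per-(user, RP) identifier."""
    tag = hmac.new(user_secret, rp_id.encode("utf-8"), hashlib.sha256).digest()
    return tag.hex()


class PairwiseIdStore:
    """Approach B: random ids with a stored map and an explicit uniqueness check."""

    def __init__(self):
        self._map = {}        # (user_id, rp_id) -> pairwise id
        self._issued = set()  # every pairwise id ever handed out

    def id_for(self, user_id: str, rp_id: str) -> str:
        key = (user_id, rp_id)
        if key in self._map:
            return self._map[key]
        while True:
            candidate = secrets.token_hex(16)
            if candidate not in self._issued:  # a guarantee, not just probability
                break
        self._issued.add(candidate)
        self._map[key] = candidate
        return candidate

    def resolve(self, pairwise_id: str):
        """Only the provider, holding the map, can map an id back to the user."""
        for (user_id, rp_id), pid in self._map.items():
            if pid == pairwise_id:
                return user_id, rp_id
        return None


def ids_are_unlinkable(user_secret: bytes, rp_a: str, rp_b: str) -> bool:
    """Different RPs get different ids; the same RP always gets the same one."""
    a1 = derive_pairwise_id(user_secret, rp_a)
    a2 = derive_pairwise_id(user_secret, rp_a)
    b = derive_pairwise_id(user_secret, rp_b)
    return a1 == a2 and a1 != b


if __name__ == "__main__":
    secret = b"constructed-per-user-secret"  # constructed sample value
    print(derive_pairwise_id(secret, "https://rp-a.example"))
    print(derive_pairwise_id(secret, "https://rp-b.example"))
    store = PairwiseIdStore()
    print(store.id_for("alice", "https://rp-a.example"))
```

Either way the provider holds the one thing that links identities across sites (the per-user secret in A, the map in B), so that secret or map is the asset to protect; approach B additionally has to be persisted and backed up, which is the trade-off against its hard uniqueness guarantee.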
You manage your identities and attributes locally on your computer. No need to trust a third party service with your data.
Why do people assume that is a good thing? I do cybersecurity at work (among other things) and it takes a lot of effort to keep things both available and secure. My home PC, not to mention PCs of my friends, are never going to be as secure.
A system which has a chance will have to be federated, not local-only.
But then you should listen to the advice we're given if we use one for personal use.
1. buy two devices
2. Generate a phrase on one then import to the other
3. Put the second one in a safety deposit box in another city or state, or a safe with a family member also out of the city or state.
4. Keep a copy of the phrase on steel seed phrase tool (Steely, etc)
5. Mount the steel seed phrase backup inside of a wall of your house and plaster and paint over it.
6. If your phrase ever gets seen by any electronic means, it's compromised and the process must be redone (note that importing uses a randomly shuffled alphabet on the device to make MITM or keylogging attacks unusable).
So... Security is hard. We should build systems that make it easy. There should be ways to recover from backups if a service goes offline, but we can't expect everyone to make good decisions.
Not to mention having passwords synced between devices and available on demand is really a requirement if you use random passwords for every site and need to log into something (heaven forbid) on someone else's device.
These are in direct conflict with each other.
What's your threat?
Most people are not trying to stop a determined attacker. Most people just want random people to not be able to get into their stuff--same as a physical lock.
They carry a physical key on their person. It's not too much to ask them to carry a "digital" key on their key ring.
The problem is that most "digital" keys are a pain in the ass:
1) Mostly because everybody wants to "centralize" authentication so that they can charge you and administrate you.
2) Secondarily because there is no good solution for talking to the key on your person. NFC sucks. USB requires that I plug my key in. WiFi requires that the device be able to hit your network. BLE has no access from web pages.
BLE is probably the best choice, but there is no real money in making it work.
There is no way around this... Security isn't a state, it's a process. It relies on the human to propagate it. A bit like a garden.
Make the process simple for the user (but not thoughtless) and that is about as good as is going to get.
On one hand, I want to tell you that Promise is only centralized by default. Which is good for people who don't understand what an OpenID/IndieAuth Provider is. But as Promise is open source and the protocol caters for it, it is possible to have Promise redirect authentication requests to your own instance. Which then redirects you back to the relying party you want to sign in to. So it is possible to decentralize if that is what you want.
On the other hand, I'm not sure it's a good idea to do it. Centralizing gives a lot of benefits. User experience being one, but also being able to roll out e.g. security updates quickly. But sure, centralization also creates problems.
But until now, I have a feeling that the problems with centralization can be solved by other measures than going decentralized. E.g. being a non-profit organisation owned by the relying parties. This would guard against a lot of the problems with being centralized.
And I have yet to encounter a decentralized solution with a reasonable user experience for most people. OpenID, IndieAuth, SQRL, re:claimID, I'm looking at you. Sorry.
The challenge with centralized is that it is a single point of failure. The original post was more focused on "If you get locked out of Google, you get locked out of everything". In that vein, if Promise gets hacked/bought/abandoned/changes its business model etc., then you lose all your accounts. The anonymous nature of it is great, but this is something Apple already offers with their Sign in with Apple, which is already widely supported, and with the proxy-email solution you can still be contacted by the sites you're signing up with.
I got interested in IndieAuth because of a project of mine, trying to make it really easy for everyone to self-host their facebook/twitter equivalent with direct control over who has access. This runs into the problem with wide adoption where you have a separate credential for each of your friends' blogs. With IndieAuth built into the self-hosted platform, then your own self-hosted site becomes the one credential you can use on all your friends' sites. Self-hosted distributed identity for privacy AND ease-of-use.
You can find the link in other comments I've made on HN.
I totally understand what makes IndieAuth a good solution. And it seems really easy. For me. But I have no idea how I would go about explaining it to, let's say, my mom.
Apple is offering something very similar to what Promise does. The difference is that Apple is a commercial corporation. Which means they're in the game to make money. Promise will be in the game to make authentication easy, secure and private.
In many ways I compare the goal of Promise with the goal of DNS. Take a commodity and make it available globally in a reliable way. Yes, it will be a single point of failure. So the job of Promise will in large part be to keep the platform secure and reliable.
Apple is a commercial corporation, and one of the biggest (by market cap) companies in the world. That gives me confidence that they'll be around for a long time, have sufficient resources to invest in security and reliability, and they have a well-established reputation for a focus on security. They do other things I don't like, but I think this is one area where they're setting really good precedent.
In addition, it's going to be difficult getting any sites (outside of maybe the crypto/grey-market) to adopt an auth system that doesn't let them contact their users. This is also I think a big failing of IndieAuth.
If a site needs to contact the user, it's reasonable to ask for e.g. an email. But now the intent of asking for an email has to be crystal clear, which makes you and them more aware of what data you are actually giving them.
Apple sure is doing some good stuff with their authentication solution and their efforts to help people with healthier password habits. I'm still not too fond of having such fundamental infrastructure owned by a private company. Would you be comfortable handing over DNS to Apple?
Only problem is there aren't any password managers that implement it, so it's not actually practical to use as a primary authentication factor yet.
I see it this way, that Promise makes it possible for all its relying parties to leverage WebAuthn by implementing it once, so they don't have to.
But most of all, what I'm missing is at least one good option on the sign-in screen. And using a password manager is not it.
What should be done when creating a new account is that, in addition to the username and password, the website should allow for uploading a certificate signing request. The web browser should then allow the user to create one and upload it. The website should then return the signed certificate to the client and the browser can then store it to use during subsequent connections.
Doing something like this would allow for two factor authentication without the half-baked solutions like sms or email based 2fa.
Your average user is not going to open a command prompt and dig into OpenSSL. There are (or were, I haven't used them for a decade) browser-specific APIs for generating private keys locally, but they were very flaky, and the whole UX was very confusing for users.
And after this, the user can only sign in on the machine in which the key was created. Your average user will not have a clue how to move certificates and keys around between machines.
I have direct experience with this. Back in 2008 I led a team building an extranet site, and we used X.509 client certificate authentication. We had to build our own tooling for management of the PKI, which was no small task. But ultimately it was key creation and certificate distribution that were the biggest problem - our users absolutely hated the signup process, as well as the fact that they couldn't later sign in on another machine.
That's why I said that the browser should provide that feature.
> There are (or were, I haven't used them for a decade) browser-specific APIs for generating private keys locally, but they were very flaky, and the whole UX was very confusing for users.
That's a UX issue that can be solved if the time was put into it.
> And after this, the user can only sign in on the machine in which the key was created. Your average user will not have a clue how to move certificates and keys around between machines.
They shouldn't be moving/sharing keys between machines at all. What could be done is to implement a mechanism to associate an additional device with the account. Perhaps something like sending a CSR from the new device and then using the first device to confirm that it's a legitimate request.
So I can only sign into my account from any new machine if I have access to a previously-signed-in device? What happens if my last login session expires? At that point, I have to sign in with a password, and now I'm back to all the terrible things about managing 500 passwords.
Federated identity / SSO through a trusted provider makes so much more sense, the standards are open and there are dozens of implementations available. Nobody needs to reinvent the wheel, we don't need a 15th standard. You just have to sign in with a provider that you trust not to lock you out for no reason, in a way that gives you no recourse (unless you can get your story on the front page of HN). Obviously that provider is not Google.
The scenario I'm envisioning is that one creates an account on a website like HN, but with the additional step of generating a CSR, sending it, and receiving a certificate to store locally (with the browser handling the generation of the CSR and storing the resulting certificate with a standard and easy to understand UX workflow).
Once signed into the account, the website could prompt the user to add additional devices if they so wish (e.g., I created the account and signed in on my laptop, now I'll add my smartphone as a trusted device). This step could be done now, or sometime in the future.
If the prompt encourages users to do so right after creating the account, it's likely that they'll have access to the original device to confirm additional CSRs. Even if they choose not to do so right away, I don't think it's an unreasonable requirement to have access to the original device.
> What happens if my last login session expires? At that point, I have to sign in with a password, and now I'm back to all the terrible things about managing 500 passwords.
If the situation was that websites used 2FA via having the username/password as one factor and client-side TLS as the second factor, then password reuse wouldn't be an issue. Even if someone were to guess the username/password combination, the most they could do is send junk CSRs to try to add their device, which can then get rejected or not acknowledged by the original account holder.
> Federated identity / SSO through a trusted provider makes so much more sense
Perhaps, but based on what I've seen for general services out there, they just use either Google and/or Facebook as the trusted provider. I'm not sure how that situation came about, because it was pretty easy to create multiple accounts on those services without having to provide any basic identifying information (which essentially is the antithesis of what should be considered a trusted provider).
SSL/TLS is a standard that has been around for a long time, and given the ubiquitous use of server-side TLS, I don't see why it would be considered re-inventing the wheel to use the client side part of it. With nginx, you could set an HTTP header with proxy_set_header based on the value of the $ssl_client_verify variable. Then the application could direct the user to the login page. If the client-cert is valid, then allow them to log in normally. If not, then direct them to log in, send a CSR, and go back to a valid device to confirm that CSR.
> You just have to sign in with a provider that you trust not to lock you out for no reason, in a way that gives you no recourse (unless you can get your story on the front page of HN). Obviously that provider is not Google.
Personally, I think we shouldn't have to involve third party providers in the authentication process. One reason is what you've already mentioned about getting locked out of the account. The second is if that account is compromised. With TLS, you don't need a third party involved in the process at all for the client side.
I just find it disappointing that I'm essentially forced to use email or SMS based 2FA where, arguably, those are less secure compared to having a strong password on the original service. By less secure, I mean that those factors could be compromised in a way to access my account that completely bypasses my strong password. It's the same with requiring security questions and allowing access to the account via a well known answer to one or more of those questions.
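The application side of the nginx flow sketched in the comment above, as an added example that is not part of that comment. It assumes nginx terminates TLS with `ssl_verify_client optional;` and a `ssl_client_certificate` pointing at the site's own client CA, and forwards the outcome with `proxy_set_header X-SSL-Client-Verify $ssl_client_verify;` and `proxy_set_header X-SSL-Client-S-DN $ssl_client_s_dn;`. nginx sets `$ssl_client_verify` to `SUCCESS`, `NONE`, or `FAILED:<reason>`; the header names, the "subjects on file" set and the sample requests are constructed for this example.

```python
"""Added example (not from the comment above): routing a login request based on
the client-certificate verdict that nginx forwards in a proxy header.

Assumed nginx config (constructed for this example):
    ssl_verify_client optional;
    ssl_client_certificate /etc/nginx/client-ca.pem;
    proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
    proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
"""
from dataclasses import dataclass

# nginx must ALWAYS set these headers (proxy_set_header overwrites whatever the
# client sent), and the app must only be reachable through nginx; otherwise a
# client talking to the app directly could forge a "SUCCESS" verdict.
VERIFY_HEADER = "X-SSL-Client-Verify"
SUBJECT_HEADER = "X-SSL-Client-S-DN"


@dataclass
class Decision:
    action: str        # "cert_login" | "password_and_csr" | "reject"
    subject: str = ""  # certificate subject when action == "cert_login"
    reason: str = ""


def decide_login(headers: dict, cert_subjects_on_file: set) -> Decision:
    """Route a request on nginx's verdict: SUCCESS, NONE, or FAILED:<reason>."""
    verify = headers.get(VERIFY_HEADER, "NONE").strip()
    subject = headers.get(SUBJECT_HEADER, "").strip()

    if verify == "SUCCESS":
        # The cert chains to our CA, but it must also be bound to an account:
        # a valid cert that no account enrolled (or that was unenrolled) is not
        # a login; send that client down the password + CSR enrolment path.
        if subject in cert_subjects_on_file:
            return Decision("cert_login", subject=subject)
        return Decision("password_and_csr", reason="certificate not bound to an account")
    if verify == "NONE":
        # No certificate presented: password, then CSR from this device,
        # confirmed from an already-enrolled device.
        return Decision("password_and_csr", reason="no client certificate")
    if verify.startswith("FAILED:"):
        # A cert was presented but did not verify (expired, wrong CA, ...).
        # Do not silently fall back to the password path; surface it.
        return Decision("reject", reason=verify)
    return Decision("reject", reason=f"unexpected verify value {verify!r}")


# Constructed sample requests, as the app would see them behind nginx.
KNOWN_SUBJECTS = {"CN=alice,O=Example Users"}
SAMPLE_REQUESTS = [
    {VERIFY_HEADER: "SUCCESS", SUBJECT_HEADER: "CN=alice,O=Example Users"},
    {VERIFY_HEADER: "SUCCESS", SUBJECT_HEADER: "CN=mallory,O=Example Users"},
    {VERIFY_HEADER: "NONE"},
    {VERIFY_HEADER: "FAILED:certificate has expired",
     SUBJECT_HEADER: "CN=alice,O=Example Users"},
    {},  # header missing entirely: treated like NONE
]


def run_samples() -> list:
    """Action chosen for each constructed request, in order."""
    return [decide_login(h, KNOWN_SUBJECTS).action for h in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.get(VERIFY_HEADER, "<missing>"), "->", decide_login(req, KNOWN_SUBJECTS))
```

The check against `cert_subjects_on_file` is the part that is easy to forget: a certificate that verifies against the CA only proves the CA issued it, not that it still belongs to an active account, so enrolment, device removal and revocation all live in that set (or a database behind it), not in nginx.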
How does it prove that?
And it works.
It's a bold choice of words, I acknowledge that. And the proof is only as strong as my abilities to write software.
This is yet another reason why Promise needs a movement behind it. To strengthen the proof. To strengthen security.
Just like the DNS can block users, Promise can ban users and relying parties.
This is not something Promise should take lightly, but the fact that almost everyone has a say in Promise, unlike Google, where almost no one has a say, makes me full of hope that this can be solved in a transparent way.
I think this would need serious widespread adoption until we saw benefits too. And you’d need some big names...like Google. Which probably will never happen.
I hate it, when I type my email and password (correct, that is), and get an error saying "You already have an account. You need to sign in". OK. But would you please just sign me in then. Everything you need is there.
So I chose to make it one. This might be more confusing than anything else... And I might be missing some other point for this to make more sense...
And yes, let's get that widespread adoption
Internet identity could maybe be a layered thing where one layer takes care of authentication, which is where Promise lives. The next layer could handle information like name and email. And finally a layer that handles your verified identity by an authority. That last layer is where the danish NemID fits in.
It's not exactly a SSO, though.
What makes OIDC a "non starter"?
I see OIDC as an implementation detail, and have no strong opinions about it.
Be aware that doing this now means your DNS provider and domain registrar become vectors for hackers to take over your email account, so make sure these are companies your trust and your access to these accounts is as secure as possible (ie strong unique passwords and app-based, not SMS-based two-factor authentication)
I will add that it's possible to create a Google account WITHOUT Gmail,
maybe that's sufficient for Nest.
Hopefully signing my address up that way, when it's already a domain account, won't b0rk all sorts of other things :/
Obviously their sign-in/account infrastructure creates technical impediments against making their products do what they want. They should really fix that.
That's not to say you're wrong, but it would be a turnaround at this point.
Of course if you are worried about some nation state looking into your emails you should encrypt them and use whatever provider.
It even has special instructions about how to secure the domain registration and DNS accounts. :)
(Don't use G Suite, though.)
And indeed, your site does have an RSS feed, so what's with the e-mail address collecting? Rude!
But for someone like me, if I take all this advice, there is still the aspect of trusting the domain registrar, maintaining a personal email server, hosting, CloudFlare, etc. etc. I have just shifted some risk of offending Google to some other risks of 3x more companies that I have to remember how to deal with now.
So what difference does it mean to me, average user, that I just stick with Google and don't misbehave, versus open myself up to having to deal with 3 other manual processes and companies to remember? It's turtles all the way down.
You see the dilemma for the average user.
1) the front, if you so will - the emails which you give out and to which people (or algos) send you stuff
2) the back, where you receive and read your emails.
For many people, for example:
2) gmail.com web mailer, or gmail app on mobile, or native OS app on the computer
You suggest a complete revamp:
1) catchall at own domain: email@example.com
2) one (or several) protonmail/fastmail accounts
But it's worth highlighting that people can get many benefits already by
1) catchall at own domain: firstname.lastname@example.org (as you explained)
2) keep whatever you're using now.
Just forward 1) to 2). Then you can start handing out the new email.
If you found it valuable, you should submit it yourself. I'm not interested in the accumulation of updoots, feel free to get 'em. :)
I'd rather other people decide what subset of my writing is relevant to HN, as I'm no good at it: I'm too close to the work. (I only write about things I care a lot about.)
But the article is very well written and it would be a shame if we didn't get other opinions here on HN, kudos to you, already added it to Pocket for later.
Will try to get it rolling then.
But why refer to Protonmail while using Fastmail yourself?
The fact that FastMail might be subject to the new Australian crypto key escrow law is a little bit worrisome, and I may not continue to use them in the future depending on how that plays out.
For things where surveillance is less of an issue, I prefer being able to use a plain IMAP client, which ProtonMail does not support. Their current iOS client is pretty lame, for example (although their web client is better, and I understand that their next major release will improve things a lot across the board). I mention the IMAP issue in the article.
FM is saying it doesn’t affect them, as they are not a secure provider and can already give any information out upon lawful requests.
Do you disagree with that?
That in short, the A&A bill is about breaking end-to-end encryption, which Fastmail has never had anything to do with. It’s scary-sounding legislation, and I reckon it’s misguided at best, but it honestly doesn’t affect all that many businesses [note I’m saying businesses rather than people; many affected businesses will be among the largest ones, serving consumers], because end-to-end encryption of communications is uncommon, because it’s so frightfully inconvenient for all parties involved, because now the server is necessarily dumb and the client has to do a lot more work, and things like searching are typically just altogether broken because you’ll need the full index on the client to do a search.
(And specifically of the domain of email, I wouldn’t trust first-party encryption; if you care about governments accessing your data, first-party encryption such as ProtonMail offers is almost equivalent to no encryption if you can’t verify the code that is running, since that party may be compelled to backdoor the code to steal your password. This is one of the many reasons that Fastmail has never implemented PGP, ⅌ https://fastmail.blog/2016/12/10/why-we-dont-offer-pgp/.)
So your advice would be to go with Protonmail all the way, as you wrote it within your blog?
With your own Linux instance, you can host whatever you want, have full control, can host other services too like www, git, whatever, and have the assurance that you're not going to suddenly lose access because AI-BOT-204432 decided you violated some obscure terms of service. I've been doing this for close to a decade now (exim + dovecot for E-mail), and it works great. Back in the 90's, this used to be the default. How did we end up in this world where we so utterly rely on 3rd parties for such everyday critical Internet services?
The same way we ended up in a world where we so utterly rely on 3rd parties for such everyday critical services as growing our food and fixing our cars. There are too many things to do for everyone to do them all on their own.
For email? Because Google and Microsoft broke SMTP federation in the name of "anti-spam".
It's practically impossible to get Google, especially, to reliably deliver your email anymore if you aren't an actual email service provider.
I like GMail for their spam filtering power, and I honestly believe spam to be email's biggest weakness, and the reason people don't host their own. It certainly scares me, the thought of being flooded with thousands of spam emails daily, or the chance that my own emails would be falsely marked as spam since I'm not part of the major providers or because I did not configure it correctly. Don't know how this can be solved though, email itself is too permissive, and too "tweakable".
You can export all your email in a single .mbox file.
This might not work if your account is suspended, but if you set up email forwarding to an alternative address (e.g. to protonmail) that might still stay active so you can transition your addresses.
It also depends on the reason for the block - if for example they suspect you of having illegal content (child porn) in your Gmail, you aren't allowed to takeout it.
A balancing of rights exercise would need to be conducted by the controller to balance your right of access your personal data as against the identified risk to the third party that may be brought about by the disclosure of the information. The GDPR notes that these considerations should not result simply in a refusal to provide all relevant information, but the controller should endeavour to comply with the request insofar as possible whilst also ensuring adequate protection for the rights and freedoms of others.
I have very little hope indeed that they will let you do a takeout without finding a human to talk to when your account is locked.
For what it's worth, Facebook does let you do this. You login, get a message your account was banned for no apparent reason, and that you can download a copy of your data. Unfortunately it's broken (screenshot: https://dro.pm/a.png) but hey, there was an attempt.
How does that work when using an email client and connecting to the server and using SMTP and IMAP?
I'm not aware of two-factor authentication for SMTP or IMAP.
This could be achieved using a client side TLS certificate along with a username and password. I know that Postfix and Dovecot support it.
Pick a service that lets you use a long password and a security key (like Yubikey) or authenticator (Google, Authy) to log in.
Most services will then let you generate a specific password for an email client. I would assume that behind the scenes that the service is restricting what ports that password can be used on, etc.
Assuming it's a device accessing the service over IMAP and SMTP that can access multiple networks, restricting by IP and/or port won't really help. As I noted in my other reply, it's easy enough to script access to the account if you have the password, and there's no real association between the application and the credentials that are used for access.
I don't know your personal circumstances of course, different people may very reasonably make different calculations. But I have more trust in a quality registrar and my bank than in Google under the most likely scenarios where I'd still care (long comas aren't impossible to come out of, even multi-year, but chances of just partial recovery plummet after even a month or two, let alone full recovery). I think Google being capricious or making a mistake is a bigger concern, if only because there is almost zero chance of recovering from it (basically have to know a well placed Googler or manage to go viral or be a big enough presence to get their attention). Domains and finance in contrast are both full of competition and portability.
$1,200 is a lot of money, but... anyone aged 23+ is older than Google. 17+ is older than GMail.
It is an illusion to say we know what will or will not happen to Google over the next 20 years. We don't know how entrenched the tech giants are over decades because we've never had anything like them before.
This is a problem that is obviously not going to happen in the next 12 months. But if a person doesn't control their email address, they shouldn't be using it for anything that it would really hurt to lose.
Realistically we have little control or have any clue on what's going to happen a few years out in almost every aspect of life.
Look at Kodak (the photography company). They were around for over 100 years, then digital photography came along to disrupt their market and they pretty much disappeared in a few months.
Kodak and Google aren't that different as being a company that offers a service that tons of folks use(d). Kodak used to be "the" place to buy film and get photos developed.
I'm all for controlling your own email (even tho I'm guilty of not doing so), but I think even if you controlled your own email, you'll still be victim of the company you're using maybe going out of business in the future. I wish nothing but success for Fastmail or any other email service that lets you control your email, but if they go down then you're in the same position as Google going down while using gmail.
Kodak was well aware of digital photography, arguably one of its pioneers. What killed Kodak was cellphones. Kodak was too dependent and attached to making cameras and camera-related equipment. Most people did not need separate cameras once cellphones came along (even the 'dumb' models have a camera), so Kodak had nothing relevant to sell... Doubtful Google could be so stupid. Maybe if the Feds separate gmail from Search there'll be problems?
>I wish nothing but success for Fastmail or any other email service that lets you control your email, but if they go down then you're in the same position as Google going down while using gmail.
Keeping all your mails locally is not difficult if you use a mail client rather than a web client. Copying to a local folder every once in a while is a one/two click operation in typical clients.
* The admin-user.
* The daily/real-user.
In my case I have my real account "steve@steve..", and "admin@steve" which is the gsuite administrator. I only login to make changes to the domain setup, never to send/receive email.
It's annoying to have to pay for that second user, but I feel happier with the privilege separation in place.
Edit: nevermind. I see you own the .net tld. I've definitely used that to order pizza too. Sorry about that.
(I moved from UK to Finland, so I checked the .fi version on a whim. Luckily it was due to expire a few months after I checked, so I setup a script to register it the moment it became available.)
Although very occasionally a service will check for MX records, but that is incredibly uncommon. My go-to email for public WiFi is email@example.com and have only been denied once (<1%)
A fair number of places will deny that, but I like to think it sends a message. I'm not sure how many, if any, domains still have a working webmaster@ address though.
I guess I should have started using firstname.lastname@example.org to make it all nice and neat, but I've no desire to change now.
I had an incident a few weeks ago, where my mailbox lost about 1 week's worth of messages, and they were not retrievable.
I have used them for over 5 years, and this is the only negative incident.
It seems like things should be more granular, such that being banned on YouTube doesn't make your thermostat quit working, ruin your phone contacts/photos/etc, or cut you off from your unspent AdWords funds.
"Google + Sidewalk: bring the dystopia of robo-support to the civil service!"
"Google + Sidewalk: Snowcrash was the blueprint, right?"
Accepting any domain as an OpenID IdP is not likely to be a feature of publicly facing sites, as they still provide the ability to create / register / use these accounts for spam and other unwanted abusive purposes.
With OpenID, basically everyone used a third party ID provider, and so you were just as dependent on that provider as with OAuth. Did you actually self host OpenID? If so, that’s a lot to ask of each person in the world. If you didn’t self host OpenID, I don’t think you had much “control of your online credentials or identity.”
If OAuth was never meant for signing in, then putting Auth in the name was a funny choice. You add the qualifier “websites who just want your mail or something”, but I’ve never seen a single mailing list sign up that used OAuth.
You could pay someone to host it with reasonable guarantees they won't delete your account on a whim and no recourse.
Or you can use a free service that you somewhat trust with your own domain, so you can point the domain to another provider if you need to. Almost no technical knowledge required for that.
> If you didn’t self host OpenID, I don’t think you had much “control of your online credentials or identity.”
Same for email, which is what identity relies on instead of OpenID.
And self-hosting OpenID is much easier than email: you just need domain + LAMP (or equivalent), and don't have to deal with DKIM, SPF, being blacklisted from Gmail/Hotmail, ...
Each user having to find a hosting provider and pay them... it seems like a non-starter. Think about the non-technical people in your life. That solution would only help the very few people who both understand the details of OpenID, and care about the possibility of losing account access at a deep level. Most people have other important stuff going on in life, so good luck convincing them to adopt self-hosted OpenID at greater cost (and effort) to themselves.
This is even assuming that the hosting provider also acts as a domain registrar so each person doesn’t also have to figure out how to buy and own a domain name, to truly own their OpenID, because that would either make this solution much less meaningful in terms of control (with no custom domain), or make it that much harder.
> Same for email, which is what identity relies on instead of OpenID.
I’m not here to argue for self hosted email. There are many email hosting providers that make it relatively easy for you to bring your own domain name... but this is irrelevant. Signing in with an email and password continues to work even if the email account has been suspended. So, it’s not the existential threat that the article is concerned about.
I think the more realistic solution for users is the new FIDO2 standard that will hopefully see adoption soon.
I think Google has done a similar thing on Android, but Apple has for sure made every (up to date) iPhone, iPad, and Mac able to act as a FIDO2 Platform Authenticator.
Even if the user signs up via OAuth, websites can give the user the choice to sign in via FIDO2 on each device. At that point, users could sign in from those devices even if their Google account were suspended, giving the website a chance to help the user migrate their account authentication.
The FIDO2 flows seem very user friendly, but... the standard is so new, broad adoption remains to be seen.
Neither Google, Facebook nor any of the other major Internet sites were ever going to allow you to authenticate using a 3rd party.
Adoption was negligible so they eventually killed it.
While it's easy to blame big technology companies for the failure of open standards, there might be other reasons behind it (as well as companies trying to prevent it from succeeding)
Why would anyone bother with that hassle when you can just put in your email address (that you already have & know) and a password.
In contrast, OAuth succeeded because most people already have a Facebook / Gmail / Github account, which meant that sign up just becomes clicking a single button which is easier than email signup.
OpenID was more difficult than email signup, whereas OAuth is easier.
If successful, this would impose a cost to Google for shutting down accounts capriciously and incentivize them to do better.
This would be a challenging lawsuit to win. You’d probably need support from an organization like EFF to manage it.
At one point I was signed up in over 300 places using my Google account. Eventually the thought occurred to me, "what happens if I get locked out of this account?" And I don't really mean shutting it down. I lost a Microsoft account with over $3000 worth of purchases and 10 years of history, because I lost access to the recovery email address it used. So since then I've made sure to "spread the risk" so to speak.
Through 2 years of effort it is now only a handful. Some of them remain because either a) there's no other way to sign up or b) there's no way to convert it to an email based account.
But still - that's 2 years. 2 years of weekly, sometimes daily, moving yet another thing off that login (but it still uses the email! that's the next step -- kill the email).
The level of effort has been gargantuan. For some people, it would simply never ever happen. To lose a Google account would not only be damaging, it would be like your entire life being erased.
The level of damage here is enormous and Google has to take responsibility for the power it has amassed.
If they want to terminate all free accounts, it'd be a wonderful thing. Either people would finally be free of the behemoth, or Google's incentives would change to finally care about users (well.... hopefully).
PS: I did not do anything wrong but still suffered lot of psychological pain due to this mistake by Amazon's internal security.
We saw this recently with "Sign in with Apple" and Epic Games, where Apple denied access to Epic and the accounts that did not share their actual email were effectively lost.
> Apple previously stated they would terminate “Sign In with Apple” support for Epic Games accounts after September 11, 2020, but today provided an indefinite extension.
I suppose you, as a site operator, are doing all you can do, though.
They probably put a human to communicate with you, verify some identity and then give you access to your servers again, I'm sure?
Compare that with Google (and Facebook, those are the two I have experience with) who will simply lock you out of your account and if you ask for help, they say they cannot. "But what about the three years of photos I've stored?" I asked. "They have now been deleted since your account was terminated" they told me. "Why?" "We cannot tell you".
I think the conclusion of the article is flawed. I think the risk of getting locked out is far lower than the odds of any single, or even all of, other (non-major tech co) website you might join getting breached. It's fair to argue the impact might be less also - and I'm happy to have this debate.
In my experience, typical users aren't the ones that get their google accounts banned - they are always banned for doing something significantly more sophisticated.
Yes, I need to move away from gmail...
If Google can, without due process and fair warning, remove your existence then this is a power that should be delegated to the relevant authority, namely the "justice" system to make such considerations.
If your house could be removed at a whim because a bot decided you were a bad person it would likely cause an uproar, it wouldn't be tolerated.
Yet here it is. Google can offer their services and the legal system seemingly doesn't want to be involved.
So yes, right now we've woken up in a world that is not so much cyberpunk as it is techno-feudalism: more and more do you need a presence on the Internet to do things in meatspace... And that presence is by the grace of several feudal lords (Google foremost) - woe betide you should you ever displease them. You do not really own your email address, your phone (number) or (pretty soon) even your computer. You're merely a serf.
On the plus side, the momentum for legal measures seems to be increasing. Let's hope they do get broken up. Power, like plutonium, is dangerous if too concentrated. Regardless of where that concentration lies.
We need to treat companies that put themselves into a position like utilities as utilities. Give individuals actual transparency of why actions were taken, and an ability to appeal these decisions with transparency.
It will cost more, but that is ok. What we have now is that the actions have caused real harm and the companies are unwilling to justify them. That's an abuse that needs to be removed through law.
The hard slap they got from the government was enough to apparently permanently change the company culture around treatment of users and other businesses.
I see a lot of the excesses we see coming out of Google, Twitter, FB, to be a consequence of there being, well, zero consequences for their behavior. They're like petulant children who never learned limits and think it's ok to do whatever they want, no matter who they hurt. That's exactly how you teach children -- give them limits. Ironically, the same rule applies to adults.
In general, I think that's also a point we can draw from the cyberpunk genre, or maybe from Harry Harrison's old-school prefiguration of it in the Stainless Steel Rat series - the eponymous creature being one well suited to thrive "within the walls" of a society increasingly sclerotized with technocratic bureaucracy, but perhaps equally suited to a life of gnawing through the circumscriptions imposed by competing technofeudalist fiefdoms.
I view my digital purchases as things I am forever renting.
Movies/Music/Books can be displayed and played back on damn near anything. Games, especially modern games, exist in both a variable state (constantly revised/updated), but also with a much more limited ability to access the content.
That experience forever turned me off to relying on digital-only.
To your points, having a PSN account is necessary but I can always create a new one if need be.
Whenever possible, I prioritize non-DRM media for purchase.
I don’t think they’re really interested in that, since the accounts are almost by definition making them a bunch of money.
So, not an Amazon account ban, but you quickly learn you are not "buying" a movie, but renting it, sometimes with silly restrictions like "only from these IPs".
It’s still a concern because of the mechanics of the thing, but it appears less applicable for amazon at the moment.
If you think about it, this shouldn't be all that surprising - after all, this is exactly how intuition works, and the human mind runs very much on intuition, people just don't realize it (at the object level).
Not that that's Nintendo's fault but I think something like this will be the fate of every account that's not used, closed or deleted for a long time and owning your data and software possessions would protect against it.
I run my own mail server but my VPS provider could be coerced to yank it from me. You’ve made me uncomfortable with revelations. Damn, we’re fucked.
 Every person's thinking and writing is mostly just a pastiche stitched together of thoughts they heard or read from others anyway. (And this is, of course, the meme idea, which is not an original idea itself either)
I've got two comments on this.
Firstly, you're already doing much better than most people. Make frequent backups, and if it comes down to it, you can always point DNS at a new provider.
Second, don't put anything on a VPS that you aren't willing to let the VPS provider or whatever Gov. has jurisdiction access. Where email falls on that spectrum for you is of course your own decision.
But in every society a small circle of privileged people has always been the norm, and despite wider access to information today it seems like consolidation of power and wealth is trending upward.
But even a little plutonium is too dangerous to let my kid play with it.
Email? Not quite as much.
The answer is actually very simple: spam.
AFAIK pretty much all disabled Google accounts come from Google believing they are part of a spam-sending (or malware-spreading) network.
The ability to sign up for free Google accounts means this is a prime target for spammers to use and abuse -- signing up for free Gmail/Drive accounts, as well as using stolen credit cards to sign up for paid ones.
As to why the legal system doesn't want to be involved, it's because incorrectly disabled Google accounts are actually incredibly rare -- they make the news and cause uproar when they occur, but precisely because it's so unusual -- it's incredibly rare to personally know someone it happened to. So there isn't any kind of democratic movement against it because in the grand scheme of things it isn't common. It's like worrying about being struck by lightning.
I don't know anyone who has a degree in History but that doesn't mean historians are especially unusual. All it means is that my network is quite small.
The same is true here. The fact few people know someone who has been affected by this problem doesn't mean the problem is unusual. It just means there are hundreds of millions of people who use Google and you know a few thousand at most.
So... incredibly rare, really.
The extremely large majority of people go on to work regular jobs that have nothing to do with their degree and lose much of the information they learned, if it was even substantial at all.
Or they rarely make the news because they're so common, and the few that get publicised are because the victim raises a big stink on social media.
I've certainly created Twitter and Microsoft accounts and had them wrongly disabled within days, despite not doing anything at all with them, let alone anything abusive. Perhaps because I decline to use my cell phone number for 2FA?
That's because that's also a common tactic used by spammers -- to register and then do nothing for days/months, on the hopes that an "older" account will be less suspicious.
Nobody's complaining about that though because it's not a problem. No data is lost. Also, I've had it happen to myself (with Twitter) and it was incredibly easy to re-instate.
To clarify, I was referring to legitimate, in-use (with data to lose) accounts being incorrectly disabled.
The ones that make the news are people that are either well known, or have an active way to promote their problems through social media or news sites
I.e they are reporters, know a reporter, dev of a popular app, etc etc etc
They are Jane/John Doe that has less than 50 twitter followers and a normal every day uninteresting person, for which there is no recourse at all not even social media
If lightning strikes there is not much to be done. Google however can and must have reasonable process to restore the status.
I'd suggest it's because it's hard to prove or prosecute. Because it's technical and obscure. A single case, Google just has to say "Oh sorry; it's turned back on". There's no money in them capitulating. And a class-action suit enters into the details of the issue, which are impenetrable to a judge?
That approach: “proof of human work.” Google owns ReCAPTCHA, and every time you do a ReCAPTCHA for Google, you’re doing a little one-time proof-of-humanity for them. But it’s also a proof-of-work; and proofs-of-work that cannot be automated are aggregatable.
In other words, the fact that someone with Google account X solved a ReCAPTCHA, doesn’t just tell you something about who that account is lately. It should add to a sort of “human-proof credit score” for the account, where Google’s systems are more willing to put faith in the user because of all the times they’ve proven themselves human already.
And, for some scenarios, Google does use the aggregate proof ReCAPTCHA represents this way. This is why you’ll never see the Google Search “stop searching so fast” message when accessing Search through Chrome synced to a well-used Google account; why you’ll get a ReCAPTCHA portal from them instead if you’re not logged in (you’re being asked to build the credit score of your IP/session); and why you’ll be denied upfront if you perform botlike behavior through Tor (where there’s nothing that can be correlated to give you a persistent credit score.)
Now, such a “highly-proven” Google account could still be heuristically detected elsewhere in Google’s systems as being responsible for botlike behavior (e.g. spamming); but, when such a highly-proven account is flagged, it should go in for manual review. Because — as you say — this is incredibly rare! So this process doesn’t need to scale through automation, the way regular Google processes do. It can be high-touch.
But right now, it’s not. (Or they’re just not even using the high-proof-of-humanity metadata on the account during this determination.) Either way, that’s kind of silly.
When I got started programming full time, tons of people in the software industry were getting their rocks off on how simple it is to install an Oauth library, making it easy as pie for people to sign in to a web service, thus encouraging more sign ups and making more money.
Maybe we've forgotten just how much of a hard-on we and the entire world once had for the likes of Google. 8 years ago, we would have trusted Google with our entire future. Politicians were on board, too, and have made many deals with Silicon Valley which ended up giving these firms a certain level of immunity.
We're all guilty.
Never in my life did I see an OAuth library and think this is easy as pie. Overcomplicated perhaps.
Plus that email/account is hardly even "yours" in a serious way. Anyone on the HN has a very simple fix for all these problems: get an email in your domain and a password manager for all the accounts. There, solved. You could even still use Gmail with their Google Apps, G Suite, Workplace or whatever it's called this month.
Normies are way out of luck but sadly that is true almost everywhere and they are getting fleeced much worse by banks, employers, and even cable companies than Google ever could hope.
If someone owned a vast amount of land, more than needed for everyone on earth to build a house, and the owner told people they could freely build structures but you lose it if you break the rules and the rules can change any time...
On the technical side, one hears about individuals' domains being marked (blamelessly) as possible-spammers by the big e-mail services, and finding it hard to get messages through. There is effectively some scarcity in legible, desirable gmail addresses.
Maybe it has hurt me somehow but...I wouldn’t want to work somewhere that would hold my email domain against me
If you can't pay your rent because no customer can reach you anymore or they lose trust in you (because you don't answer), your house is gone sooner than you think.
Seems like there's an opportunity there though. If someone could create a platform that would take your address, create you a custom domain, set it up, get your email flowing there (including porting over all your existing email out of gmail), and then helping you move your sign ins to that new address..
That'd be huge. It would also be very, very hard, the amount of infrastructure it would touch.. but doable.
> it would likely cause an uproar, it wouldn't be tolerated.
Big fat article in the New York Times some months ago about AI deciding that landlords shouldn’t rent to certain people, and the AI often being wrong. Very wrong. Like tagging someone as a convicted drug dealer, when the reality is that person has never been in trouble with the law, and never been to the state where the alleged offense supposedly happened.
We have to stop calling this "artificial intelligence," because it simply is not intelligent. Humans put faith in machines because we're told they are intelligent. But all the evidence shows that at best "AI" is good at guessing.
If we started calling these “artificial guessing” systems, people would treat them appropriately. But that doesn’t buy investors a boat.
Google fills the gap.
This political model is dated. Republicans are no longer conservative. And Democrats have an ascendant progressive wing that rejects corporate influence wholesale.
Who mostly organise and communicate on giant social media platforms, who they campaign to fact-check things. Not exactly wholesale rejection.
The real question is why do people use Google to sign in to other services? It never even crossed my mind no matter how long I have had a Google account.
It’s also trivial to have passwords which are secure and easy to remember (literally off the top of my head): MyD0gb@rk$...
... you have clearly not understood that you should not have trusted them in the first place.
Yes, I have a Google account myself, but I try to use it as little as possible. My main reason for using it is the Play Store and I agree that it is unjust that Google can remove my access to products I have paid for without really justifying it in the sense of most people.
So I agree that something should be done. I think the line should be where paid services are offered. So if you just use a free service, Google(or any Company) should be able to stop providing you with that service whenever they like (while still providing you with access to the data you have generated or used with the service).
However, as soon as they have charged you, they should be forced to pay you back the whole amount (or offer some other kind of mediation that is more meaningful than receiving answers like 'Computer says no').
If you are using a free e-mail service run by one of the world's largest and most powerful marketing companies as the identity / auth provider for your critical services and applications you should seriously reconsider your choice.
To paraphrase your comment: I'm honestly not sure where we went so wrong as a society so as to reach a point that we get mad when a service we do not pay for, run by a selfish company, decides to shut down our access.
Edit: The point is that it is usually in companies' own interest that we don't create laws restricting them, so they typically don't act too amorally. You won't find many companies which go after every single legal loophole they can abuse; as negative public sentiment builds up, laws will form and the company will be much worse off than if they had just done the slightly less amoral thing.
The de facto monopoly of most of these players exists in their cross-border market share, making enforcement under traditional antitrust law in any one country difficult.
Unfortunately, it's also something of an international zero sum game due to efficiencies of scale -- if the US breaks up Amazon, Alibaba gains world market share, and we're back in the same place.
The most effective remedy I can think of offhand is government involvement in a special, independent branch of the company, dedicated to increasing interoperability and exposing services, empowered by legislation.
If we're going to have monopolies, at least they can be open ones. E.g. 18F + Google Takeout, backed up by regulation
As with all things, Education is where we went wrong as a society.
in this case failing to teach people fully that there is no Free Lunch, and if you are getting something at no cost to you, then you are no longer the customer; whoever is paying for the good or service is the customer (people should also pay attention to this truism in other areas of life)
In the case of google, you are the product, you are being sold to advertisers, google gives you a very very very small piece of that revenue in the form of a "free service"
The stakes are quite high for losing access to your primary email.
(Roughly. I am not a lawyer.)
Less likely here, given the somewhat unexplored territory, but still, the history of class-action litigation evolution is largely of lawyers/firms taking a chance such as this.
I think the overall point here is to have the support of law that says they DO have a duty to you, by benefit of their hosting your account and authenticating you elsewhere.
Then, WHEN someone goes to sue them, the person has much stronger legs in court rather than lone Peggy Sue trying to defeat Google's 300-strong team of lawyers who exist just to eat little guys for breakfast.
At every point, Google users are asked to acknowledge the EULA and TOS. They're being told that Google can stop their service for any reason, including that service not being commercially viable. ( I.E. Any Reason )
Access to google services isn't a right. It never was, unlike the property rights you're drawing a false equivalency with.
This pandemic has been reliant on emails to access services; it's how I get my payslips, talk to my employer, get current information, engage with legal services, and essentially maintain my access to society.
Losing my emails would be devastating (hence why I don't use a "major" provider, at least less risk that way).
We need to define what "rights" are and weigh that interest in society. If Google wants to be a "one stop shop" it cannot, and must not, be immune to laws and the rights of individuals to challenge decisions.
Isn't that the foundation of a society?
I have a google account to test my devices / emulators. Never logged in gmail with that account, never will. If they cut it off, I can make another.
Same with Apple. I have an Apple free ID for running virtual machines with MacOS / iOS and that's all. I tell my customers to create their own Apple ID and I deliver them the sources + dev environment and they make their own binaries and publish on Apple store. My job is done once I make the app run on emulators and I tell them from the start of the project this.
I have a FB account to talk on FB mess with parents from school and that's all. I don't even have them as friends there, I am just in 3 lists and that's all.
Also i use protonmail currently as I've started migrating from yahoo 2 years ago (old e-mails still there, I open that e-mail like once per month).
Do the same, you'll be free. Also you can use an e-mail account outside of google domain to actually create a google account, if you really need one.
This was to work on an API integration.
It absolutely is a problem for a large amount of people.
> Do the same, you'll be free
The vast majority of people in the world are not taking the same actions as you are. Therefore this is a large problem for many many people.
Better education for how digital services work and how to properly handle your digital identity is the right way to handle this. Implementing regulation and cementing the "major" e-mail providers who have the resources to comply will only deepen people's dependence on these corporations.
Do I have 15 email addresses with 15 different providers? When a form asks for my email address I can only give one, what happens if that provider goes away?
What if a government doesn't like $provider and seizes the business? Now I can't get a reset link/change my password/prove my identity...Many government online services ask for your email these days, so you don't really have much control over that. If you said I am email@example.com and blogs.com dies, you're toast.
Please do explain.
If your email provider goes away, you're screwed. Nobody accounts for this situation. Doubly so when you used an identity provider that has gone bust.
The question is, how do YOU imagine imposing regulations on mail providers will change anything in a case like this?
Store your credentials, make backups of your emails, don't use identity systems. If things really do go bust, you'll retain access until you can get manual changes made to your accounts.
The other obvious solution is to have identity/e-mail built in as part of citizenship and be guaranteed by your government.
If you want to solve this problem you have to spend some money somewhere otherwise you are simply demanding providers give you services, for free, forever, not something that seems realistic?
In the worst case scenario you'd have time to setup a new domain and move everything over. Annoying yes, but again extraordinarily rare.
As email's importance approaches a utility like physical postal service it's reasonable to expect some regulation. So long as the regulation is independently developed and balances the needs of consumers and producers then it shouldn't be too burdensome for competition to exist.
In the worst case taxes could pay out to whichever provider one chooses.
I’m not saying it’s an unworthy cause to advocate a change but I’m just not seeing the moral weight compared to factory farming, and other hard industries that have an effect on societies and the planet.
Email ends up being the form of online identity for a lot of people, myself included, so that almost every service that I sign up for has my email address as ID. If that email address isn't the ID, it's the preferred way of resetting passwords. I wouldn't be super happy about Facebook being my online ID, nor my cell phone number (see SIM swapping problems).
It's life changing in the same way that losing all your personal documents in a fire sets you up accounting nightmares. Moreover, you're making very light a situation about losing all your pictures. I'm not talking about food pictures, but there's plenty of "me" that's contained in being able to look at pictures of important events of my life (which is why I don't rely only on cloud backups for that).
I don't know what's "life changing" to you, then.
Should I diversify? Probably, but that's more things to secure and keep track of.