1. Unless Google can roll this out in a short timeframe to all their properties with 100% reliability, it's basically useless. If half of their login screens don't have it, there's no way for a consumer to tell the difference between a hacked site and a legitimate malfunction (such as a cleared cache, or fresh computer installation). Luckily, Google's web logins are already centralized, but people also log into Chrome, their Android devices, etc.
2. You can never remove the customization. You better be sure you want to support custom images forever, because you are committing to a promise: your customers' login screens will look exactly the same from now on. The only way to migrate away from it is to bite the bullet and deal with a ton of people who think that their browser or Google has been hacked because it's missing their custom picture.
That's too much commitment to a stopgap measure for a password form that Google wants to obsolete anyways. They'd rather have you authenticate to your browser or via a device anyways, long term.
> You can never remove the customization.
2. Google can just announce they are moving away from the customized login page on their login page. The customized login page is trusted so the new information is trusted.
The customization can be framed as an extra security measure that power users who want to protect themselves from phishing attacks can set up on their home computer. Similar to the way Google rolled out two-factor authentication.
> They'd rather have you authenticate to your browser or via a device anyways, long term.
Long term this is right: login screens will move off of the browser, but security must be concerned about the now. Note that phishing still presents a risk on mobile device login screens. As long as your security depends on something you know, phishing attacks will be relevant, and client-side identification of trust will still be relevant.
You can set a custom image and apply some simple style tweaks to the sign-in box on the login page. Here's mine:
Step 1: Enter your username and click "go".
Step 2: You are presented with an image you have chosen before. If the image matches, you enter your password and click continue.
USBank.com does this; try it by typing in a random name, like cstevens. Notice how it doesn't accept a user + pass on the same screen.
This proposal is better in the sense that the correct image is cached locally and protected by the browser's local storage origin policy.
Now, you still need some other element to authenticate the user when they visit a website from a new device/browser, but this would mean that you don't have long-term cookies that serve the same role and are therefore more extractable over the wire (as we've seen in the past), and it would negate these types of attacks.
Also, the tech exists in browsers today already, many SSL registrars already do it.
No need for an attacker, I do wipe them at will. Every time I close the browser.
device = browser profile, aka for two browsers on the same machine you need two authentication tokens. Same goes for the same browser with two profiles.