I trust Google login and OAuth to be protected with better security practices than the general login. AdSense and other cookies mean they probably know where you have an account regardless of whether you log in. I like that "Sign in with Google" allows me to not make another login and password. For certain sites, after using "Sign in with Google", they have made me make a local account anyway as backup. I don't think a generalization like "don't ever do this" is helpful.
I am curious why you say blocked accounts happen regularly. I have heard of it happening to people, but not often.
What will you do if Google decides you’ve broken some terms of service and you lose access to gmail and all other Google resources? You are giving them the power to disable access to non-Google websites. And you’re ok with that?
HN is littered with people who’ve experienced Google bans. An article hits the front page about it seemingly monthly (and those are only the ones that get publicized). It happens again and again. You have no recourse. There is no one to call. There is never an explanation.
I’m not here to convince you. To each his own. If you don't care about the privacy leaks, then surely you can overlook the risk of losing access to your non-Google accounts whenever Google decides.
>You are giving them the power to disable access to non-Google websites. And you’re ok with that?
I don't care.
The only services important for me are: bank, email and hosting. Losing my gh would suck but it is not serious
The rest of services I treat as "nice to have"
My accounts on them are irrelevant for me. Losing an account on a random forum, a random game, or some streaming platform wouldn't change my life. I would just create a new one.
Sure, for the few sites I care deeply about a long history with, a unique account might be worth it. Those sites are few and far between.
My password manager has more than 500 entries. A huge majority are sites I used once and never again. I don't want an account there but was probably required to create one to check out. If Google deleted them they'd be doing me a favor. Google knows I went to those sites anyway since I probably found them through search results.
> I trust Google login and OAuth to be protected with better security practices than the general login.
It's not about security. It's that the OAuth protocol relies on good faith providers. Google is demonstrably not a good faith provider in terms of tracking. Part of OAuth includes refreshing that token and validating it with the provider.
> I am curious why you say blocked accounts happen regularly.
As for the blocked accounts bit, it's not so much the frequency that matters. It's that Google has zero and I mean literally zero humans to contact if their security machine flags your account for something. Their appeals process is a joke and a bad one at that.
Next, load up the Googler and search Twitter and Reddit for the same thing. There are a lot of occurrences, horror stories, and news articles about it. Google does not care about addressing this.
There are still cases where individuals' accounts get banned randomly (and if there's enough ruckus, reinstated), which I've posted about there. And thinking about it, it might be the case that developer accounts with $$$ invested in them might just be the most likely to post on HN and complain, while individuals just suffer Google's "support" and give up. In any case, they're not as easily visible as the dev account bans, so we don't know how often they occur (unless someone trawls through support.google.com posts and creates a list of such).
The place you would find such stories is the Google forums, where Google and their volunteers have a vested interest in pruning such complaints.
Most normies don’t get locked out because they don’t use 2FA, don’t change devices and use a single easy-to-remember (probably easily guessable) password for every account.
Getting locked out of Google is most likely the result of using security best practices like installing a 2FA app on a device that gets lost. Or a misplaced YubiKey, etc…
Good advice is to print out one time use codes, and store them somewhere safe, like a safe. Physical security is much better in a digital world than digital security.
Perhaps my anecdote is not as strong because I got locked out rather than blocked out, but it still was inconvenient. I degoogled my life some time ago, long enough to have a new phone and computer. At a point I needed to log into my old gmail acct, and I couldn't because it was a new device, the old devices were gone to verify my identity, and knowing my password and passing several captchas wasn't enough. Months later I went to log into fb/ig for something and similarly wasn't allowed in and also don't have access to my gmail for verification. Luckily during my degoogling adventure, I had changed the email for all important accts, so the impact is minimal, but I would not like to imagine the impact if I had ever relied on OAuth.
The question of how large the risk is that Google or whoever you pick for SSO will lock you out over some misunderstanding around TOS is the main one I see upthread, and is pretty tricky. I'm working on a follow-up post that gets into this question.
I think avoiding the situation you ran into, however, is a very different question. How likely you are to get locked out for security reasons depends a lot on what security configuration you choose. The big risk here is that you set up 2FA and then lose access to your second factor. If someone were to follow the approach I advocate in the post, of always maintaining three registered security keys and adding a new one if you lose an old one, I think the risk of a security lockout ends up being super low.
I feel a little more comfortable relying on OAuth because I have my 2FA secrets backed up. This story does make me reconsider and want to revisit how I manage certain services. I don't know if there's a reasonable self hosted alternative to all the Google services I use. I even have a Google Voice account I've had for over 12 years now, I feel like that'd help if I ever do get locked out. I try my best to practice good account security hygiene. I already have multiple backup accounts, for email but also in terms of recovery emails for third party accounts too. But I appreciate your story.
When you visit a site, details about your device are sent to the webserver, such as screen dimensions and resolution, processors, gyroscope information (orientation of screen), location, default language, and more, so the website can cater to you - rendering it to a good fit for your screen, using a protocol that works with your GPU, with relevant ads, etc. This data is called your digital fingerprint.
Companies that deal with high security data (banks), advertising profiles (Google), or bot abuse (everyone), will store the fingerprints of every device used by you on their webservers, so they know if it is a new device and to throw a captcha, 2FA, etc. I refuse to give out my number to most sites, which is sometimes the only 2FA option, so for most of my stuff, I just don't use 2FA.
Despite knowing my password and passing 5+ captchas, having a different fingerprint and not having 2FA was too much for gmail and it decided I was still not verifiable. Idk if they decided I was a user in constant attack or something, but even when I had the old laptop they were always slow to accept that I must be me, making me fill captchas every time and reinput my password.
I just realized you are the author! That explains your curiosity, and I'll get into the nitty gritty details.
A part of my previous comment isn't clear: when I say I didn't have 2FA, I meant I didn't have it enabled at all, not that I had it enabled and lost access to it.
Also I was thinking about it more, why Google was always suspicious of my logins, even before I was locked out. I remembered that my settings back then deleted cookies upon browser close, blocked 3rd party cookies and pixel trackers, but because my fingerprint matched, it appeared to Google that I was on a different but similar device at every login.
When you know your password, pass the captcha, but Google still doesn't trust you and you don't have 2FA, Google pings every device you have that is signed into it that is on, asking you to verify that you are trying to log in on a different device. I know this well because I had to click "Yes, it's me" on my phone every time I logged into any Google service on my old laptop. So that's what I meant when I didn't have my devices to confirm me. It's Google's 2FA for people who don't enable it. When I degoogled, I stayed that way even till I had replaced my phone (same cell #, new device, not signed into any Google service) and so Google didn't recognize anything, couldn't ping me, and so it decided to just not let me in.
To your question about getting back on, yes. It was awhile ago so idr what I did, but if I had to guess, I used a family member's laptop that I used at some point so it had the fingerprint and cookies, and I had my password and the ability to pass captcha. Then I could verify my new laptop from there. Google still has trust issues with my laptop now that I'm even more locked down on website/browser permissions, so I have another browser with custom settings that I use so Google doesn't get upset and lets me use their services when I occasionally need them. They still don't have my number and I never signed in from my phone.
Btw I like your article. I think you provided good tips for the casual internet user. I am curious when the day will come when phishers spoof the OAuth though. Personally I believe in security through obscurity, but to be obscure also means there can't be a streamlined solution. So whatever fits each person's needs I guess.
Just generic spoofing. Like you pointed out watching for google.com.evil instead of google.com, and there's also email phishing where they try to replicate a company's email and get you to click links, etc. There's so many ways to spoof things, and I can't imagine it being impossible to spoof OAuth. It wouldn't affect people with 2FA enabled, but for the majority of users with poor security practices or who are not tech-savvy it would do harm.
Just off the top of my head I can think of one possible way: Send an email pretending to be a popular company, with some excuse to need an OAuth (like "Your OAuth for ImportantApp is expiring, please renew access. Act fast so you don't lose access to ImportantFeature!" Or "Our policies are changing. Please confirm OAuth to authenticate your acceptance to continue using ImportantApp"). It doesn't need to be fancy, just enough to fool people who don't know that OAuth is not relevant to the email. Then they click a link in the spoofed email to the host server, with a spoofed copy of the target website. OAuth isn't going to suggest the credentials because the url is wrong, so don't ask for the credentials to the target website. Instead ask them to verify access of the website on your fake OAuth, then to confirm your decision with their gmail password. Then say it worked and redirect them to the real site. You already have their email, but now their email password as well. Automate this with bots, and then you have tons of people's 2FA, since most people's 2FA for website logins is their email. Next you just do the "I forgot my username" which always asks for an associated email. Then "I forgot my password" which, on insecure sites, also uses the email. Boom. Free accounts.
Obviously there are ways to secure yourself from any basic attack like the one I just described, but for the general public that trusts tech to be flawless without their concerted effort, traps are just a matter of someone with time and motivation to make them. No trap is flawless, but there are enough people for that to not matter.
A blocked Google account is one of those things like not having regular backups: you'll realize how bad it is when it happens, even once in your lifetime.