There are a lot of people here suggesting that Google's SSO should be avoided.
Those people are wrong.
If your email address ends in @gmail.com, then you don't control it, and have committed to tying your identity to Google's whims. And that's okay!
There are certainly some issues with Google unilaterally blocking access to accounts, but (1) this is extremely rare and (2) honestly, you're screwed even if you're using a password manager in that case.
Why? Because "password reset" is effectively SSO tied to your email address. It's just less secure and harder to use.
Seriously – under the covers, OAuth and other SSO flows are virtually the same as the process of opening an email and clicking on the link, except that they've been vetted by security researchers where "reset password" emails are almost never actually secure.
Password managers, for the vast majority of people, are confusing, unreliable, and even dangerous. Backups are hard to manage, and people often get it wrong. Forget your Gmail password? Google will accept government ID and get you back in. Forget your password manager's password? Too bad, you're out of luck. The latter is vastly more common than Google blocking people and refusing to let them back in.
To be fair to HN, there are a few good points in the responses here:
- @linsomniac does raise the good point that you're likely to need a password manager in any event, since some sites don't support SSO.
- @jaywalk points out that if you have an email address on a domain that you own, you're not dependent on Google in case they refuse you service. It's worth noting that in this scenario, using Google's SSO is still fine – if they lock you out, you can still access any accounts you used SSO to sign in to by using password reset. I have yet to see a site that doesn't allow switching from SSO to using a password.
One thing to add is that you should never use Twitter or Facebook SSO; if you do, and get locked out of (or want to delete) your account on either service, there's no recourse whatsoever, and there's no way to switch to a password because your account often isn't tied to an email address if you go with Sign-in with Facebook. Same goes for LinkedIn and other similar "Social Sign In" systems.
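The reset-link flow the comment above calls "SSO tied to your email address" is a bearer-token flow, so it is only as safe as the token's handling. The following is an added example, not code from the thread or from any product mentioned in it; the 15-minute lifetime, the in-memory store and the `PasswordResetService` name are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a 15-minute validity window


class PasswordResetService:
    """Email-based password reset: whoever holds the emailed link can take
    the account, so the token must be unguessable, short-lived, single-use
    and never stored in cleartext (a leaked database must not yield usable
    reset links)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, so expiry can be tested
        self._pending = {}       # email -> (sha256(token), expires_at)

    def issue(self, email):
        """Create a reset token for `email`; return the value to put in the
        emailed link. Only its hash is retained server-side."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self._pending[email] = (token_hash, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, email, presented):
        """Return True once, for the correct unexpired token, then retire it."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        token_hash, expires_at = entry
        presented_hash = hashlib.sha256(presented.encode()).hexdigest()
        # Constant-time comparison: a wrong guess leaks nothing via timing
        # and does not consume the pending token.
        if not hmac.compare_digest(token_hash, presented_hash):
            return False
        # Correct token: retire it whether or not it is still valid,
        # so a link can never be replayed.
        del self._pending[email]
        return self._now() <= expires_at
```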
This is a surprise to absolutely no-one. That client keys & secrets were semi-public knowledge was obvious years ago, before I started working on OAuth at a much younger Twitter. The client key and secret are a rough trust metric for clients that are distributed publicly. Twitter can distribute new clients with new, more-hidden secrets, and gain a bit more trust, for a while.
The place where the client id and secret actually offer real security is in the hosted scenario, where the secret is never distributed outside a trusted environment. Anyone who tells you different is wrong. The same applies to every single copy protection scheme (SSL/TLS, HDCP, DVD Region Coding, etc, etc, etc) and barring some mathematical breakthrough, this will always be true.
This is remarkable, even to me. The main point: if you're doing a startup, things take a long time. Longer than you'd expect. And overnight success is anything but.
That's actually kind of a relief, especially considering all the news you hear about 10000 users in 72 hours. It seems like if you don't explode onto the scene you're a failure.
Mind you, these aren't paying clients or anything, just 160 Twitter accounts. At the time you had to have it created FROM a mobile phone, so the onboarding process was clunky. We were showing it to our friends, telling them how cool it was. A team of 10, with 3 months to pressure their friends and family into using the service, got 160 users.