Don't Sign in with Google

73 points by DeusExMachina 2 days ago | 14 comments

CM30 2 days ago |

Yeah, Google's lack of support is notorious at this point. It's why just about any YouTuber who gets their account hacked is reduced to begging for help on Twitter, since there seems to be no-one at the company able to help directly if contacted from the site itself.

Does make me think that there should be regulations about support to prevent this sort of thing though. Maybe at the very least there should be a mandated reason for banning/deleting an account and an appeal process with an actual person on the other end. Yes people might use it to figure out how to 'abuse' the system. But that's life. We don't hide the laws so the only way people know what's legal and what isn't is to get arrested for breaking them.

I do wonder what the solution to number 3 is though. Feels like an issue with services using Google login, not Google itself. If you registered with an email and that domain expired, someone could also reset the password for much the same effect. Short of Slack and the like asking you some sort of security question upon logging in each time, I'm not sure what a good solution would be to fix this sort of flaw.

hattmall 1 day ago | |

We need to have an entirely different set of regulations and expectations for entities in excess of a certain size. I think 50-100 million in revenue would be a fairly reasonable starting point but even lower would be acceptable. Certainly at a billion dollars you should be able to speak to someone who can resolve or escalate any issue with in less than a working day.

CM30 1 day ago | | |

Yeah if a company is big enough that they potentially have the level of control over your life that Google or Microsoft do, then there should be ways to appeal their decisions that might not need to apply to a random startup or small business.

And we definitely need to make it clear that there's no such thing as "too big to care about customers/obey the law". If your business is 'too big' to offer any customer support, then that's your problem to fix, not an excuse for not offering it at all.

nrvn 1 day ago |

I am the one who had been using g suite before it became google workspace for more than a decade.. Last year I changed my email provider, cancelled workspace subscription and deleted the google account only to create a new one with the same email address as a normal user. Used google takeout to transfer all valuable assets out.

I lost access to literally nothing! SSO binds your email address as the primary account idenitifier in all known to me services. Does not matter what IDP you use to “sign in with”.

I find this twitter thread misleading. Unless the affected account was using @gmail.com as their primary identity.

Buy a domain and set up email on custom domain. backup emails periodically outside of the provider to be able to switch easy if needed. Same applies to other data stored in SAAS of any kind. This is the rule of thumb if the risk of losing access to tour primary IDP is critical.

Assess the risk and act accordingly.

Cpoll 1 day ago | |

> I lost access to literally nothing! SSO binds your email address as the primary account idenitifier in all known to me services.

Do you mean that you're setting up SAML/OpenID for every service you use?

> Does not matter what IDP you use to “sign in with”.

I don't understand. The service provider needs to check the identity of the IdP, or IdP-B could impersonate user alice@foo belonging to IdP-A

Jotalea 14 hours ago |

alright, i'll take your point and say that Google is not a viable SSO provider. now what?

sure i could buy a custom domain and host an email server on it, but now i have to care about server maintenance, SSL, and paying yearly for the domain. but that doesn't mean i get to keep it forever! just as Google can, the hosting provider can block my account, or even go down itself. then what? i'd be in the same situation where i'm locked out.

or suppose i don't have money to pay for the domain (which is a rare possibility, but it is not impossible). now someone buys my domain, and registers an email with the same address as mine. now what? i'm screwed!

i agree that having only one centralized login method for all of one's accounts is bad, but this article doesn't provide a safe alternative.

evanwolf 1 day ago |

Heh. Posted on X.

Alex4386 1 day ago | |

and the point of entire post was about any SSO is bad. At that point any password manager (including on-premise bitwarden, cause that is still single credential for everything) is bad, you should memorize randomly generated 64 digit password and never forget it.

martheen 1 day ago | | |

Nah, then someone can still beat it out of you. Instead encode and tattoo it to a hamster with a cage that will auto open if you haven't check in in 24 hours. When the adversary is holding you, the hamster will escape and the neighbor's cat will take care of the rest.

sitzkrieg 1 day ago |

using google in 2026 is self imposed risk

pixel_popping 1 day ago | |

I genuinely don't understand why (at least power users) users don't seem to understand this, they never "own" their account, thousand have lost everything due to a mistake, login once via anonymizing solution and so-on and bam, account ban, I've lost so much money in "crypto" (on some exchanges) because of 2-FA perma loss due to Gmail ban back in 2015, storing your business on Google and mixing-up with your personal life is just reckless at this point, it's not like people don't "know" that they can lose everything from 1 day to another, I hope this movement of moving out from Google will be much more generalized.

nubg 1 day ago |

The tweet was still written by an LLM, even though the system prompt included "only use lowercaps, making my text look like a kid in a csgo chat"

like_any_other 1 day ago | |

What makes you think so?

siliconpotato 1 day ago | | |

There's a certain writing style, very short paragraphs, fair amount of repetition that just feels like you've read this post before. And you have, just on different topics but it's always the same feel.

But also lots of negatives to start the sentence, usually with a reinforcement e.g.

your password didn't help. your 2fa didn't help. you were never asked to authenticate. you were asked to authorize. completely different mechanism