
It's inherently confusing.

Rubbish.

What's confusing is having a zillion usernames and passwords for every site on the internet, and "doing it right" (which only a tiny percentage do) requires installing password manager extensions in your browser. In practice billions of users use the same insecure password everywhere including their banks.

You may or may not like the implications of centralizing authentication to a few players, but it is a massive improvement in security and usability over what we have now.

I am quite happy with this change, and hope to see "log into chrome" as the equivalent of "log into all websites that use google auth". It will simplify not only my own life, but all of my customers' lives (my B2B SaaS service uses Google auth).



Logging into your browser is not the same as logging into all the sites you use. And you certainly don't need browser login to enable it - just use OAuth. This is a solved problem.


I suggest you try spending a few hours in my support channels.

The problem is that users are confused by the fact that "logging into your browser is not the same as logging into all the sites you use". You can literally sign into Chrome with one Google account and then sign into Google with a totally different Google account. Furthermore, Chrome has different "people" (browsing profiles) which confuses them even more; there are three different things that look vaguely like identity here.

You think this is just fine, Mr. Oauth, but I guarantee you it's a giant mess for the 99.9% of humans who have no idea what oauth is.

Chrome usability would be significantly improved by collapsing "logged into chrome" and "logged into google" into a single thing.


It seems to me like you provided no arguments for how the login-into-browser feature is clarifying things. You even mentioned people being _confused_ about it.

People don't need to understand oauth to use it.

(and before you pull that one again - I am supporting technically-illiterate people quite often)


It would be a world of simplicity if I logged into the browser with my google account, a little picture of myself showed in the top right corner of the browser chrome (instead of in various places in different apps), and that identity is what was used for per-app Google auth.

I should also mention, there's another place it gets used - in Chrome extensions. That should use the same identity.

Google login then becomes one reasonable choice for "log into the internet". Right now it's too fractured to be a coherent identity.


> I should also mention, there's another place it gets used - in Chrome extensions. That should use the same identity.

That's actually a good use case for the browser login feature (when one is using some google-acc-connected extension).

But for ordinary users I don't think this solution would work flawlessly, because it is different than ones before (and users learn new things slowly).

However, if that would be the actual implementation (force logging everywhere into the same acc) I agree it would be simpler for end-users. But it is not, therefore the original point (browser login is confusing people) still stands. And therefore teaching users to rely on it does not seem like a good idea.


I realized that Chrome now (M69) forces the forced-logging-in solution (not sure, cannot test atm). Then my post is mostly moot (can't edit already), and for simple users this change is probably good.


People don't need to know what OAuth is to use it. I've built and provided support for a site used by thousands of adults and even children! They rarely had problems understanding OAuth. So, maybe make a better argument than "you just don't have experience with support".


> What's confusing is having a zillion usernames and passwords for every site on the internet, and "doing it right" (which only a tiny percentage do) requires installing password manager extensions in your browser. In practice billions of users use the same insecure password everywhere including their banks.

That should be OS level. The fact that the OS does not provide good, lightweight ways for mortal users to whip up additional user-accounts for guests and family-members without breaking a lot of things should not mean that Google makes their own into the browser and adds yet-another-layer-of-login.


> That should be OS level.

I log into things from my apple laptop, my android phone, and occasionally from a chromebook I have lying around. Credentials shouldn't be tied to one OS or one OS maker. I'm happier with authentication baked into Chrome, which straddles all three.



