Why is Google using a (new) 2 step Gmail sign in process?

  • I am not asking about the two factor authentication process where the user needs to enter both a password and a one-time-password.

    Gmail recently (I don't know from when exactly) changed their login process which is depicted in the following screenshot:

    Screenshot of Google's login flow

    So, the new steps are as follows:

    1. Enter email
      1. Click Next
    2. Enter password
      1. Click Sign In

    as opposed to the previous and usual way of logging in:

    1. Enter email and password
      1. Click Sign In

Isn't the new process less user-friendly, requiring extra user interactions?

    Since Google does not usually make UX blunders, can you explain the reasoning behind the new process? I'm looking for details like user interaction simplicity or any other hidden advantages.

    Note: The question linked as duplicate doesn't cover the reason behind the change while Mervin Johnsingh's answer cites Google's reason.

    I wondered about this too. I know that my bank has been doing this for a long time & that makes me suspect it has got something to do with security. Not sure. I await a better explanation.

@curious_cat yeah, same with me; something is hidden behind the process, so I'm waiting for a better explanation

    I think I know why my bank does it. They actually show me secret text on the second log in page that assures me that it is indeed the right page into which I am entering my password. Prevents phishing attacks where the attacker would set up a google like page and use that to steal passwords. But google doesn't seem to be showing any such secret text, So that doesn't apply here.

@curious_cat Well, now your point makes sense; phishing protection could be a strong reason. Google isn't showing any secret text, but it does verify the email ID for correctness before sending the user to the next step.

    @curious_cat but then again, the above invalid/valid email thing can be done on a phishing site as well.

    @merqri though that question does mention the 2-step thing, the context of the two questions is different

    @exexzian Does it? Well, say you were a phisher, you could set up a similar two-step login page, couldn't you? It only becomes secure when Google throws some secret info back that only the user knows and has previously given Google securely (e.g. "My dog's name is Bruno"). But in this case I don't see that info. Without that I'm not sure how the logic works. Maybe there's another aspect to this.

    @curious_cat yeah I reasoned out that later

@MartinSchröder yeah, that covers the security part well. I was basically thinking of it from a UX point of view, but after analyzing more and reading your linked post as well, the security side is clear. Thanks mate :)

    It's worth noting that this will also prevent phishing, because when the user enters his username, he will be shown his profile picture which helps the user identify that he is on the legit site.

@Mr.Alien that's correct. We analyzed that part.

    You know what else it will prevent? Auto-login from password managers. At least 1Password is smart enough to fill in the email in the first field and the password in the second one, but I have to manually instruct it to do that for the two fields.

I don't like it. It seems to show my real name on the second page after entering the email address, and "my" profile picture (which seems to be taken from a YouTube video of mine), and I couldn't find a place to change that behaviour. It's nice that it prevents phishing, but it also reveals my real name to everyone after inserting my email address. (For me they are the same, but for some they might not be, so now you can get the real name of [email protected] (if that would exist).)

  • Mervin (correct answer), 6 years ago

As per the official Google announcement, the reasoning behind this change is to try out methods which would complement new password authentication methods. To quote the post:

    Today, you sign in to Google on a page that includes both the ‘email’ and ‘password’ fields on the same page. We’ll be gradually splitting those two fields into separate pages in the coming days; the sign-in process won’t change otherwise.

    As we’ve said many times, we're working towards introducing new authentication solutions that complement traditional passwords. We’ve already separated the ‘username’ and ‘password’ fields onto separate pages on a successful launch in Android last year. This change to our web sign-in page is another step in that direction.

    To help make sign-in easier and more personal, you may see a screen with your profile picture and full name when signing in to Google. We’ll only show this information if you are signing in from a location or device you’ve signed in from before, like your home computer.

    This new Google account sign-in flow will provide the following advantages:

    • Preparation for future authentication solutions that complement passwords
    • Reduced confusion among people who have multiple Google accounts
    • A better experience for SAML SSO users, such as university students or corporate users that sign in with a different identity provider than Google

Now, to add on to why Google might have gone with this approach, other than the password augmentation mentioned in the quoted post above, here are my thoughts:

    1. Consistency with the sign-in interface which is currently being used while setting up Android, thus ensuring there are common interaction patterns, as shown below.

    2. Establishing a singular point of focus: the single form fields enable the user to focus on a single interaction point on the screen, i.e. first the login and second the password, without getting distracted.

    3. It also allows them to potentially enable more personalized customization options for security, such as phrases or images, providing more security options, as shown below (banks use this method). This would reduce the scope of phishing, as the screen generated would be specific to the user and would vary from user to user.

    I would think this also slows down any bots or humans attempting to crack it, too.

@Mervin each edit of yours makes me upvote you again. We were discussing this in the comments and offline with my peers here: `This would reduce the scope of phishing as the screen generated would be specific to the user and would vary from user to user.`

    How does the phrase/image thing actually improve security? Surely a phishing site could ask for the username, quickly send that to the real site to get the phrase/image and then show it to the user? And wouldn't this mean effectively training users to think "showing my image = secure" when in fact anyone who knows the username can find the image/phrase?

@codebeard As I understand it, you will only see the custom login page with image and everything when logging in from a registered device on which you have logged in before. So a phishing site will not be able to load this image! The only way to get it would be via JavaScript injection to load it on the user's PC
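The device-recognition argument in the comments above (show the name and picture only to a browser that has previously signed in to this account, so a phishing site that relays the email cannot fetch them), written out as an added example; this is not code from the page or from Google, and the server key, user directory and token format are constructed for illustration:

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server secret; a real deployment would load this from a key store.
SERVER_KEY = secrets.token_bytes(32)

# Constructed user directory: email -> (display name, profile picture URL).
USERS = {
    "alice@example.com": ("Alice Example", "https://example.com/pics/alice.jpg"),
}

def issue_device_token(email: str) -> str:
    """Set as a long-lived cookie after a successful sign-in.
    The HMAC binds a random nonce to this account, so the token only
    vouches for the account it was issued for."""
    nonce = secrets.token_bytes(16)
    tag = hmac.new(SERVER_KEY, nonce + email.lower().encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + tag).decode()

def device_known_for(email: str, token: Optional[str]) -> bool:
    """True only if the presented cookie was issued for this account."""
    if not token:
        return False
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) != 16 + 32:
        return False
    nonce, tag = raw[:16], raw[16:]
    expected = hmac.new(SERVER_KEY, nonce + email.lower().encode(), hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison

def identifier_step(email: str, device_token: Optional[str]) -> dict:
    """Server response for the 'enter email' page.
    Everyone is sent on to the password page; the personalized view
    (name and picture) is only added when the device cookie proves a
    prior sign-in for this account. A relaying phishing site has no
    such cookie and receives the same generic page as an unknown email."""
    view = {"next": "password", "personalized": False}
    user = USERS.get(email.lower())
    if user and device_known_for(email, device_token):
        view.update(personalized=True, name=user[0], picture=user[1])
    return view
```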

License under CC-BY-SA with attribution
