Bitcoin website operators: please consider using Google sign-in

[phatsphere]

… but the VAST majority of users will see Google logos and enter their information into the boxes.

well, from my point of view, you never ever have to do this via that system. first of all, you only have to enter your account info if you are on a google page (URL in the browser!) and not on *their* page. second, those users who are careless, enter their gmail email address and their gmail password when creating a new account anyways. so, yes, there are phishing sites, but they are there anyways and in all other "normal" cases, this system is better.
the only reasons for not using this, as a user, is if you have a general aversion of anything by google.
in my person opinion, there should be more standard compliant identity providers from which you can choose from (just like it is with open id right now) and site specific accounts should be a thing from the past. of course, this has a large drawback … those identity providers can correlate you with the sites you visit and deduce some information. google for example states, that they don't do this ,but it would be possible … e.g. adwords would certainly profit from better classifying an account holder.

[1714823483]

1714823483

[1714823483]

1714823483

[Mike Hearn]

Phishing works very well for all kinds of websites though, no training required - at least we have various protections against it, most of which unfortunately I can't talk about. Obviously the risk analysis/id verification quiz is one.

nikkisnowe, we benefit in a bunch of ways. Most obviously from people valuing their Google accounts. The more valuable it is to you, the more likely you are to be signed in with it, and that means we can upsell you on various random services we offer more easily, and if you opted in to ad personalization we can also show you better ads, which makes more money, etc.

Also, Googles whole business is predicated on the internet and "cloud stuff" being successful and credible. When users read about websites getting hacked every week, that damages the credibility of the entire internet and reduces peoples trust in all technology. So having websites outsource their auth systems to us means that those sites can be a lot more secure, which helps build trust and increase internet usage. That by itself is a good enough reason to do it (same reason we develop Chrome, no direct benefit but if the web is better, all our other businesses benefit).

[2112]

And guys, remeber: the safest place to store the keys to your house is at the police precint. It saves the police the expense of getting a warrant when they will need to serve and protect you.

Anyone has any links to what Google does when they get a subpoena for the login credentials? The police must love OpenID.

[nikkisnowe]

I'm just playing devils advocate by my recent post.  I do think that Google's strategy is correct: what's good for the internet is good for Google.  Of course you had to have realized that questions like Hazeks were going to come up when you are promoting a form of centralized control on a forum where Decentralization is the core concern of many of the users.  Kudos and credit to you for taking on that challenge.

[ShireSilver]

A friend of mine who I respect just posted this
http://labs.newsint.co.uk/blog/2012/10/why-mozilla-persona-is-the-right-answer-to-the-question-of-identity/

Why do we need another identity system?

Let’s outline some of the issues with OpenID and oAuth:

OpenID uses URLs as identities.
While fundamentally this is a good idea, it can be confusing for users and therefore results in bizarre login systems that ask you to ‘choose a service to login with’ such as Google, LiveJournal, etc. when you’re not really logging in with them at all.
Most sites would like at least an email address to be able to contact you, so will almost always require an additional step after logging in for the first time.
OpenID is a jarring login process; you have to completely leave the site you are on and return after authenticating with a third-party. The same can be said for oAuth (though some oAuth implementations allow single-click sign on processes such as Twitter).
oAuth is complicated for developers to implement, requiring the storage and management of tokens. There are also several versions of the protocol, and sometimes extra authentication cruft on top (for example Google’s refresh tokens).
Both OpenID and oAuth allow your identity provider (be it Google, Facebook, Twitter) to track every website you sign in to.

[Mike Hearn]

Those are all valid criticisms of the old versions of these protocols, which is why it's 2013 and we're still releasing new versions of "how to log in via a third party". The new OAuth2/OpenID Connect stuff is a lot easier to use than the previous OAuth1/OpenID "classic".

[hazek]

While I don't agree with a lot of Hazek's viewpoints on other issues (block size) I do agree with him here.  What is Google's angle on this?  Nobody does anything for free and if it may appear to be free now, there is some potential value to this in the future.  I have a site dedicated to bitcoin with a user login and will look into it.  Still, I have a hard time believing that Google develops anything without a strategy behind it.   The "do no evil" days are over.

The strategy is to get as much integration and dependance as possible and have as many google signups as possible and with it influence and market share. If you implement their login infrastructure, your users automatically have to become their users. Pretty simple math.

Btw I'm not saying using their infrastructure isn't viable or will automatically harm you in some way, I'm just complaining about Mike saying that the use is free. It's not. It's gratis and I think the distinction is important.

[Mike Hearn]

I'd note that you can run your own system and third-party login systems in parallel. For google signins you just leave the password column in your database blank. Of course then you're not saving as much work, but for instance if you have 1000 users and 900 of them use a third party auth service, maybe it's feasible to do password recovery requests by hand instead of writing your own code for it, whereas it wouldn't be if 1000 users were forgetting their passwords. So it can still save you time overall.

[RodeoX]

I do understand what Mike is saying, however, what about those of us who don't want a google ID? For all I know google will be seen as the most draconian and destructive force ever created by humanity in 10 years.  I would not want them to ID me then. In fact the future of the internet for me is centered on anonymity. I doubt i will use the internet much at all compared to the TOR network.

[playtin]

It is actually very easy to use both, Google and Persona, on a single website. That way users can decide which one does fit them better.

A friend of mine who I respect just posted this
http://labs.newsint.co.uk/blog/2012/10/why-mozilla-persona-is-the-right-answer-to-the-question-of-identity/

Why do we need another identity system?

Let’s outline some of the issues with OpenID and oAuth:

OpenID uses URLs as identities.
While fundamentally this is a good idea, it can be confusing for users and therefore results in bizarre login systems that ask you to ‘choose a service to login with’ such as Google, LiveJournal, etc. when you’re not really logging in with them at all.
Most sites would like at least an email address to be able to contact you, so will almost always require an additional step after logging in for the first time.
OpenID is a jarring login process; you have to completely leave the site you are on and return after authenticating with a third-party. The same can be said for oAuth (though some oAuth implementations allow single-click sign on processes such as Twitter).
oAuth is complicated for developers to implement, requiring the storage and management of tokens. There are also several versions of the protocol, and sometimes extra authentication cruft on top (for example Google’s refresh tokens).
Both OpenID and oAuth allow your identity provider (be it Google, Facebook, Twitter) to track every website you sign in to.

[phatsphere]

In fact the future of the internet for me is centered on anonymity.

well, for you, but for >99% it will be centered around identity and associated services. that's what google has in its vision because from their POV it will happen. and there isn't much doubt about that at all.

besides that, the word "open" in openID implies that anyone can start creating and promoting it's own identity provider. it's just that google has already invested a lot into such a service and newcomers have a hard time to catch up with their advantage -- purely technical speaking.
generally speaking, if all actions taken yield to a situation, where there are more possibilities, it is overall better … and that's what's happening here. (heinz v. foerster)

[jgarzik]

I do understand what Mike is saying, however, what about those of us who don't want a google ID? For all I know google will be seen as the most draconian and destructive force ever created by humanity in 10 years.  I would not want them to ID me then. In fact the future of the internet for me is centered on anonymity. I doubt i will use the internet much at all compared to the TOR network.

That is the reason for open standards.  If you support Google logins in this way, it is easy to support other OAuth-like providers who are not named Google. 

From a bitcoin website operator's standpoint, the biggest concern is not privacy, but giving a single entity a big fat "off switch" to your website.  If Google decides you are malicious (unlikely) or receives a court order, 100% of the Google-login-based users cannot access your website.

This problem is a general problem of interfacing with any large, 3rd party account system, and is not specific to Google.  As long as you have account recovery procedures in place, creating a contingency for en masse account blocking, I would definitely endorse Mike's points here.

[Mike Hearn]

If you're worried about that (it would be largely unprecedented), ask for users email addresses so you can email them with a password setup link.

[RodeoX]

Thanks for the replies guys. It looks like theres a bit more to it than I know. I guess I'm just becoming increasingly skeptical of Google. Their motto is "do no evil". But then they go out and cooperate with the Chinese government to limit free speech and help enforce anti-freedom efforts. I just don't trust Google any more. 

[Mike Hearn]

You know that Google stopped operating filtered search in China years ago, right?

   http://googleblog.blogspot.ch/2010/01/new-approach-to-china.html

[URSAY]

Mike...

How would this implementation benefit Google?

Thanks. 

[RodeoX]

You know that Google stopped operating filtered search in China years ago, right?

   http://googleblog.blogspot.ch/2010/01/new-approach-to-china.html

yes, but they only seemed to really back-off once they were the specific target of the Chinese. Not exactly an act of courage. I don't mean to just blame them either. Cisco makes special routers that keep the "great firewall of China" operational, and there are many others who are complicit.
Eventually they will come home crying when their servers are bled dry by government backed thieves who will vacuum up years of product development and research. I don't know when we forgot that China is a cruel and brutal totalitarian regime. We should be destroying their wall and placing the news of the world in front of their citizens.
Remember this guy?
 

This image is virtually unknown in China. That's what suppressing the truth is all about.

[Elwar]

I am working on a website and while the idea of handing off the authorization portion to a third party seems tempting I can think of two things that would hold me back.

One, I am giving away a portion of my site's security to a third party with only the hope that they will not abuse it. I may as well have all BTC transactions handled by MtGox and content controlled by Wikipedia. While I do not believe Google's business model would last if they abused the access of websites, I still do not like the idea of handing such control over to someone else.

Second, as a user I tend to avoid sites or apps that require access to my Facebook or other accounts. I may trust Facebook or Google to keep my information secure and private but I do not trust XYZ site to use that information the way I originally intended.

I may consider giving users options of security. With the highest security being the use of their private key to sign something for each login and perhaps the lowest being a Google or other third party auth.

[bullioner]

I am working on a website and while the idea of handing off the authorization portion to a third party seems tempting I can think of two things that would hold me back.

You probably mean authentication.  Authentication is about who someone is.  Authorization is about what people are authorized to do.  Access control is what you do when you apply the authorization rules in your systems.  Thus the access control normally requires authentication to work.  The part that this thread is about is authentication.

[Peter Todd]

I'd suggest website operators take a third approach: support Google Authenticator, or to be exact, RFC 6238 time-based one-time passwords. Basically under the hood it uses a secret key, which is cryptographically hashed with the current time, and that creates a secondary password. For your users they just install the Google Authenticator app on their smart phone, use the camera to scan a special QR code containing the secret key, and from then on after enter the 6 digit one time password every time they login in addition to their normal password. Blockchain.info and many other Bitcoin sites already use it, not to mention non-Bitcoin sites. You do need a smartphone, but they're pretty common these days. Unless hackers get your users password and their phone, they can't do anything.

Unlike Mike's suggestion of using Google sign-in, RFC 6238 doesn't send any information what-so-ever to third parties. Not when you login, or even that you are using Google Authenticator at all. For non-Bitcoin sites, I can see why Google sign-in could make a lot of sense - if you use Google analytics Google already knows when your users sign in anyway - but Bitcoin is a target and you really don't want to be one court-order away from suddenly finding that none of your customers can login. Google has a better track record than most of fighting court orders, but because they're infrastructure and employees are spread out across the world in most countries they have no choice but to follow court orders. For instance Google has an office in Argentina, and I could easily see a court order to force Google to block sign-ins to Bitcoin exchanges pushed through under the guise of enforcing that countries capital controls. Equally I can easily imagine Google getting a court order by the Argentinian government forcing them to reveal all the Google sign-in's made in that country in an attempt to identify and prosecute people violating those same capital controls. Your website wouldn't even have to be based in Argentina for any of this to happen.

Mike has a point about Google sign-in being "one strong basket", but court orders can do things no attacker ever could, and if your risk is court orders, centralization is the last thing you need.