Logging in is annoying and slows you down. My job these days is mostly about reducing that pain, ideally to zero by eliminating it. Google really wants this to happen; here are two reasons why, one general and one specific.
In general, we’d like everyone to spend lots of time online. Less logging in improves the experience, so there you go; not rocket science.
But let’s be more specific: Suppose we give you a browser and offer you a challenge like “What’s a good mountain bike?” or “Find a doctor for your kid”.
In this situation, Google really wants you to type things like “good mountain bike” or “Knoxville pediatrician” into the search box. Then we get to do our best job of sending you off to the right bicycle or doctor (we put billions into this) and at the same time show maximally useful ads (billions into that too, but we get paid for it). What could be simpler?
More often than you’d think, people don’t; they click in the address bar and type in the URL of a big bookstore or Somebody’sList, as a first step on their search. When we ask why, surprisingly they often say ”Oh, if I found something good on a random site out there I’d have to log in, and either remember my stupid password or fight through the stupid sign-up page.” The numbers are probably secret, but they’re very significant.
So if logging in gets simpler (or vanishes) we win and you win. It’s that simple. Have I mentioned lately that I have a cool job?
Comment feed for ongoing:
From: Dave Walker (Sep 17 2012, at 09:14)
Spot on. Having to sign up for accounts is a definite dissuader to using a service - *especially* when the service has ill-considered rules about what it considers to be "password strength" or imposes character set limitations on a password without advertising the fact.
It gets even more significant in a multilevel / cross-domain security world, where "logging in" at the start of a brand new session involves logging into a session at *every security domain within your clearance range*. For someone involved in managing logistics across a coalition operation, say, that's going to be *painful*.
There's ways round it, naturally; the trick is being able to do multi-domain SSO with a different user credential per security domain, and with a state machine involving nothing coming up to system high from any of the security domains involved, such that domain security controllers and accreditors might be able to declare themselves happy with it.
It's actually feasible :-).
From: Sam (Sep 17 2012, at 12:21)
But, you would prompt me with a Google+ agreement or login page - so, typing in search box is actually more dangerous than navigating directly to the URL.
Google+ is bad and makes Google products less useful - if you have any say in it, stop that evil.
From: tom jones (Sep 17 2012, at 13:07)
i'm all for better logging solutions, but i don't think the world needs yet another proprietary "log in with face^H^H^H^H google" system.
no matter how much better it is, it will never be adopted by other big players (apple, microsoft, facebook, amazon) if it is viewed as "google's solution".
you should try to work with Mozilla's Persona (BrowserID), as it's coming from a (seemingly) neutral party that's only aligned with the success of the web itself, and not one big company..
From: Henry Story (Sep 17 2012, at 14:14)
There is a simple Idnentification protocol that standards based, extreemly simple, secure, efficient, without patents, and that is only waiting for some larger players to pick up to go somewhere: this is the WebID protocol detailed at the w3c at http://webid.info/spec/ and http://webid.info/
Because it bases itself simply on the best standards:
- Linked Data
with huge momentum behind them, it gains from all the improvements that they are undergoing such as SPDY (HTTP + TLS), DANE ( DNSSEC + public keys to reduce the CA bottleneck ), LinkedData ( format agnostic hyperdata ).
To post this I had to fill in a silly quiz. With WebID you could have found out my social network, and known that I know many of your friends, and so you get spam filters for free to.
It invents nothing new in fact this protocol. It is just a form of paradigm shift. So it will require a bit of evangelisation.
From: Don Marti (Sep 17 2012, at 15:25)
+1 Insightful on the tom jones comment.
Mozilla's "Persona" works great for me even without support in the browser and the email service. As those get built out, it looks as if it's going to work even more smoothly. Would be nice to see support for this in Gmail and Chrome.
(I don't want to write anything with passwords any more, since users are likely to just pick the same weak password that they use on example.com, and when example.com gets pwned, I have a security problem. "Did you know that people are really bad at memorizing strings of characters?" "I know, let's make our security system depend on making people memorize strings of characters!")
From: Alex Waterhouse-Hayward (Sep 17 2012, at 19:41)
I am going to go to Mexico in October to visit friends because the lack of face to face communication in Vancouver is getting me uptight. I particiapte in Twitter and facebook so I can spy on trends and see how people react, think and run their lives. Of late I have been telling the story on how I ran into to you at Safeway: "How are you Alex? No, I don't need to ask I read your blog." So people do not call and having coffee with anybody is not an unrealistic thing. So you dislike logging in? You would have more time to do other things if you didn't have to log in? I believe that many of us want to do stuff more quickly and more easily so that in the end we have more time to do nothing.
From: Manuel Lemos (Sep 17 2012, at 20:11)
Your article is a bit ironic given that you are a Googler. Let me explain.
Most sites that need some kind of registration require that the user validates the supplied e-mail address.
Great part of the users use Gmail accounts. The problem is that Gmail is a growing e-mail blackhole. Many messages sent to Gmail account are lost, even when they are sent from Google people or even other Gmail accounts. Gmail simple makes the messages disappear. They do not even go to the spam folder. They are gone forever and the users are never able to complete the registration process.
Loosing e-mail is bad. It is even worse when companies are paying Google to host e-mail accounts in Google apps.
To make it worse, Google invented something that aggravates the problem, the so called priority inbox. It is supposed to be smart, except that it isn't as it is not able to figure that a account confirmation message should be considered priority. So, whoever uses Gmail priority inbox will very often miss the registration confirmation messages and it in
creases the user frustration.
Ideally, Web sites should allow users to register using other sites accounts like Facebook, Gmail, etc.. via OAuth or OpenID, as it would avoid the need to validate e-mail addresses, but usually these technologies are a pain to implement for developers, so many sites do not use it.
So what could Google do to improve these things on their end? Not losing or hiding registration confirmation messages would be a good start. Apparently spam messages should go to spam folders, instead of being bounced or lost forever.
From: Ricardo Fernandes (Sep 17 2012, at 20:14)
I've been developing single sign on for a while for corporate. I do use LastPass password reminder on "the cloud" so I don't have to login every time. Why don't you guys partner with them? I'd love to use my 2 step verification from google in order to access my passwords vault on any machine on the cloud
From: Prashant Pathak (Sep 17 2012, at 20:33)
No login would be great.
But then wouldn't the greatest feature of internet, anonymity take a hit?
From: est (Sep 17 2012, at 22:43)
I like Google, but I really, really hate the link-hijack on search results page. It's more annoying than require login. Because google.com/url?sa= is slow as f***
From: Enigma Obfuscate (Sep 17 2012, at 23:44)
Why stop with just doing away with logins? Why not also stop providing an address or credit card info for similar reasons? Why must all of that data be duplicated and stored at every site we use on the net? ;)
From: Bob (Sep 18 2012, at 03:24)
I hope this day will come eventually!!
From: Hugo (Sep 18 2012, at 05:46)
Google should buy Lastpass (they already use Google Authenticator) and give their interface a Google makeover. It works now but the interface is too cluttered.
From: J (Sep 18 2012, at 07:14)
Good luck. I've been working in IT almost as long as you, and all that time people have been promising this, first on internal networks (still hasn't happened), then on the net (happened even less).
Microsoft, for example, wanted everyone to use their Passport system - after all, we all had hotmail accounts. OpenID and/or OAuth are the less corporate option.
But to be a success, something like this would have to be ubiquitous and trusted. It could happen, but I'm not holding my breath.
From: your mom (Sep 18 2012, at 15:32)
Hear hear! The security of my online identity is not worth seconds per day!
From: John McN Roe (Sep 18 2012, at 17:18)
Great that you wanna change the login. Hmmm I think you allready did it with the anti-spam question.
What I would like is that Google makes Chrome smart enough, that it recognizes the display setting of an device (computer/phone/tab) this way developer no longer have to spend time on making different versions of stuff. Yeah I know this is not really your department. But could you pass it on.
From: Vic (Sep 19 2012, at 03:18)
By any chance, could you be referring to the patent granted yesterday (to Google, of course)? http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=8,271,894.PN.&OS=PN/8,271,894&RS=PN/8,271,894
It apparently seeks to link all online personae to an individual's 'real' identity (whatever that is), to be held by 'don't-be-evil' Google (well, naturally), which selfless purpose could not conceivably be monetised, except that this blogpost discusses precisely such a plan.
From: stelt (Sep 19 2012, at 06:35)
Obviously it's not only about using services, it's also about improving them.
If I can make improvements (wiki style) a "create account first" pushes me away.
Give me a cursor right there would be even better, it would make me fix many typos
From: len (Sep 20 2012, at 06:22)
"...that gets these companies out of the regulator's pocket. It gives them a white hat, because they explicitly asked you if you wanted to op in, and it lets them make money, which is what they desperately want. And it appears that if you treat people's data in this sort of responsible manner, people will willingly share their data. It is a win-win-win solution to the privacy problem, and it's the companies that grew up in an unregulated environment, or the companies that are in gray markets that are likely to dry up, that are most strongly opposed.
We are beginning to see is services that leverage personal data in this sort of respectful manner. Services such as really personal recommendations, identity certification without passwords, and personal public services for transportation, health, and so forth. All these areas are undergoing tectonic changes, and the more that we can use specific data about specific people, the better we can make the system work.
It's all about respect. And then it isn't. There can come a time when the data you respectfully submit is expected because it is part of the societal control systems, a governance of feedback-mediation which if you fail to submit to causes defaults in services. You are not invisible because you still consume resources. You are hunted like a parasite, a moocher, to quote a recent speech maker.
From: Jeffrey Goldberg (Sep 20 2012, at 10:17)
[Disclosure: I work for AgileBits, the makers of 1Password, a password management]
I'm wondering if the sort of solution you are looking at is in the direction of a password manager or a single sign on solution? (or, less likely, client certificates).
All three approaches have their advantages and disadvantages.
The advantages password management systems is that they work today and that all of the login and usage data is completely under the users control. The disadvantage is keeping up with site and password changes, and making sure that the password manager works for all browsers and services that people need.
The advantages of SSO is that it requires no set-up or software for the user. They can "sign on with Facebook" or whatever. The main disadvantages are wrt to privacy. The SSO service knows when you've logged into some third party site.
The advantages of client certificates are numerous. The disadvantages are the enormous barriers to getting a user trusted and trustworthy certification system in place.
15 years ago, I was predicting that client certificates would be the solution. I entirely misunderestimated that practical difficulties in the PKI needed. But I still see password managers and SSO as "temporary" fixes. But these temporary fixes may remain around for a while.
From: Dogen (Sep 22 2012, at 15:10)
I don't want to be signed on to web sites without hassle.
When I sign on to a web site I have a chance to know they are gathering my information, so I only do it when I really want to, and I have a chance of reading a site's policies on what they'll do with my data.
Now if you're going to allow login without passing most of my data along then the sites won't like it because they want to gather as much data as possible.
However, if you enforce a set of policies that are reasonable, ie non-evil, that could be a real plus. But some sites might not like it.
From: christopher mahan (Sep 25 2012, at 19:30)
Uh, no way!
I don't like logging in because I don't like being logged-in!
I browse the web simply, from many devices: home pc, work pc, laptop, smartphone, cr-48 (yes, it still works) and from lynx from my debian vpses.
Lynx from vps you ask? You must not be one of our core users. You fringe, unixy type.
Some of them know me in google, some dont. Can't be logged in to google from work. They don't allow it. The proxy server refuses anything with plus.google.com and such.
I don't want google, or any other company for that matter, to be required for getting on the web.
Ultimately, the web is http requests to ip addresses, with DNS for convenience. The browsers are just rendering devices.
How do I sync bookmarks? I write them down in a $6 wallet sized notebook from target. See https://www.crgibson.com/Ruled-Paper-Black-Bonded-Leather-Journal-Small-12213334
Sometimes, I email myself the link, but lynx can't open gmail, so I use the notebook for that.
Finally, the one thing I absolutely detest on search engines is personalized results. I search, find the info, then tell the guy on the phone: here, search this using this search engine, and look at the fifth result. I want my result and his result to be the same. now, I have to send them the url via email because there's no way to replicate the exact same search in his browser. You would be surprised how many people use me as their goto person for finding stuff on the web (I had one at work 1 hour ago).
All this to say: make the ad relevant to the content of the page. The page is what we went to see, because it had content that was relevant to our interest.
Sorry about getting all ranty.