UX Review: Google’s 2 step login
Like all login screens, Google used to have the email and password fields on the same screen. About three years ago, they decided to split this into two screens — asking for email on the first screen, and password on the next. Google did some usability research on this and has a summary a of few approaches/guidelines if one is to implement federated logins on their own service. Even though it has been three long years since this happened, I am still being given this change as an example for bad UX. In this article, I’ll try examining the consequences of this change from a few perspectives.
Throwback to the problems we had with Google accounts
Not long ago, I used multiple browsers for the multiple Gmail accounts I had. I had my primary account on Chrome, secondary account on Firefox and so on. In 2011, a new Multiple Sessions feature came along, when you could add multiple accounts on the same browser. It truly felt like magic.
Around the same time, my undergrad college migrated from their own email servers to GApps. We had to remember/bookmark a special URL to access our University email. One could not simply go to Gmail and type their school email and login, though it technically was a Gmail account.
Whilst not specific to Google, those were also the times when web security awareness among the public wasn’t the highest — So phishing was a very common and easy social engineering technique. Many a times, I’ve seen pages imitating Google popping up, trying to get my credentials.
The problems that Google invented
These are some of the problems users had with Google when that change was made:
- Problem: The main ‘UX blunder’ that was talked about was that users now had to enter their email first and click on ‘next’ to enter their password. Clicking on the ‘next’ button was thus seen as an unnecessary intermediate step. This 2 step process clearly did not go down well among certain groups.
Clarification: Users previously had to hit tab or use the mouse to get to the password field. You can still get there in one step by hitting Enter. In my opinion, the number of interactions has still remained the same while improving the experience.
- Problem: Google was accused of leaked users’ identity. After entering the email address, Google shows the name and picture associated with the account, which was a matter of concern.
Clarification: It must be noted that this is done only on trusted, previously logged in devices. In my view, this probably mitigates phishing attacks as websites trying to masquerade Google wouldn’t show information associated with the account. It might make users double check the URL for authenticity.
- Problem: Because Google now checks whether accounts exist before proceeding to the password step, it is easy to check whether a particular email exists or not — for both personal and organizational addresses. The nature of organizational emails is temporary — they are deactivated once a student leaves the school or when an employee quits the company. Thus, sending an email to an existing org email will most definitely reach an active inbox. It is also a way to check whether a person is enrolled in school or currently affiliated with an organization. But why am I even talking about it here? Because user privacy is a UX problem.
Clarification: [None]. I feel this is an important security lapse that still exists. Also, getting hold of one or two of such organizational emails can easily help enumerate the accounts. For instance, my school followed the pattern <first initial><up to first 5 characters of last name><number in ascending order>@uic.edu. One can easily check and make a list of all accounts present by just brute force.
- Problem: Some GApps still require you to sign out and sign in with a different account like opening a shared link on Google Drive.
Clarification: [None]. This seems to be some kind of architectural problem. No real UX solutions or explanations here.
The problems that Google solved
Going back to the part where I had mentioned about remembering a URL to sign into GApps, Google seems to have taken stock of the problem and identified it as something they could solve.
During a study (unrelated to this) conducted while pursuing my master’s about two years ago, I found that all the students went straight to Gmail.com to sign into the school email. I was probably one of the very few who actually went to gmail.uic.edu every time. Students and corporate GApps users now login from the gmail.com domain irrespective of their organization (now probably assumed that it just works that way). Users also use their personal and organizational emails side by side (which doesn’t sound like rocket science anymore).
Google somehow intelligently knows the organizational sign in pages and takes you straight to them on entering your email. When I first saw this, I thought it was kinda cool.
For personal Gmail accounts, the sign in screens now seem to be consistent with Android and also establishes a single point of focus, i.e. you can perform only one action at a time such as either entering your email or entering your password.
Behind the scenes
With this change, there also seems to be something which is more than it meets the eye. Have you noticed that even after logging out of Gmail, Google still remembers your username, and shows you your name and picture? This is enabled via a special cookie and it gives the ease of just entering your password to login. Although this is a clever disguise in the name of convenience, Google uses this to follow and track you as you go about browsing the web.
While the partial logout is designed as a convenience for the user, one could argue that this is a dark UX pattern. It may be deliberately designed as an inconvenience, as it takes many more interactions to completely log out. One needs to click on ‘remove an account’, and the alert box while removing the account makes you feel like you’re performing a negative action. It goes without mentioning that it takes 2 more screens to log back in. Users would simply favor ease of use over privacy, without even knowing what they’re giving up.
I’d also like to take a moment here to mention a recent criticism that Google faced over silently logging users into Chrome while signing into any of Google’s apps. The browser account now signs in without users’ permission and syncs all the data. Despite the fact that this feature can now be disabled in the latest update, it still syncs all the data by default unless the user goes and turns it off manually.
Some of the changes that Google has made regarding its sign in features have been very positive and made life easier, albeit at the price of privacy and security. Going by the number of data breaches this year, I think Google should fix its glaring security flaw. Nevertheless, thanks to all the UX improvements, it feels really great to watch my grandma go to Youtube and use it all by herself. Also, I consider the growing awareness about online privacy and security a promising sign for businesses to adopt better usability while not compromising on users’ data.
If you enjoyed reading this piece, leave some 👏
Do share your thoughts and suggestions in the 💬 section.
Other recommended articles by Gautam Krishnan:
- The purpose of UX: you don’t know what you don’t know
- UX Review: Skype for Business
- UX Review: Enabling Twitter mobile notifications