Sign in with Google? (Premium)

The gates to Google

My recent YouTube “support” experience was eye-opening. I take what I believe to be reasonable steps to protect my online identities. And none is as important as the one tied to the YouTube channel I almost lost because of Google’s incompetence. So I can’t say I learned anything per se; it’s not like I could have done something better that might have prevented this. Instead, this episode undermined my trust in Google, perhaps irreparably. And that has me questioning everything.

Of course, “everything” is a big topic. So I will focus here on a single question, one we’ve not really discussed before. It’s tied to a feature called Sign in with Google. And I’m not sure whether it’s smart to use it.

That may be the most important point I can make. I’m not sure. But I’m trying to find out. And I’m curious what others think about this.

First, a bit of context.

Online accounts are unavoidable. Everyone reading this probably has hundreds of online accounts, including many they’ve forgotten about. But some online accounts are more important than others. Some online accounts are online identities that store or provide access to private data, payment methods, and other sensitive information. For example, Amazon, Apple, Google, and Microsoft accounts.

These are all important, and they need to be secured properly. They often aren’t, of course, because many people choose convenience over security. But in my case, I do what I can. I use various forms of multifactor authentication with all of them, preferably passkeys or some other passwordless authentication type.

Google is semi-unique in this space, however, because of the pervasive nature of Sign in with Google. Yes, it’s possible in some cases to sign in to third-party sites and services with an Amazon, Apple, or Microsoft account. But Google is far more common. It’s all over the web.

And for all my research and learning about security best practices, I’m human, and can be lazy, and I often select the “Sign in with Google” option when it comes to accessing some third-party site or service, especially if it’s something new. In my defense, my Google account is well-secured, so I’m balancing my laziness with the understanding that the passkey authentication I use is solid.

But there is a less well-understood benefit to my Google account that many do not share. My (primary) Google account is part of a custom domain, Thurrott.com, that I manage with a paid Google Workspace subscription. So I “own” the email address in the sense that I could recreate it elsewhere if I needed or wanted to. You can’t do that with a (your-name at) gmail.com account. If Google pulls the plug on that, it’s over.

Owning the domain is good for my identity, but it doesn’t solve all the problems such a change might create. For example, I sign in to whatever number of third-party sites and services using Sign in with Google. If I were forced to move Thurrott.com to some other identity service, what would happen to all those Sign in with Google sign-ins? Would I eventually lose them? Would I also lose access to third-party services?

Think about your own Google account. If it’s a free Gmail consumer account and you use it to sign in to third-party sites and services, what would happen if Google pulled the plug on your account? Do you have any idea how often you use this feature? I bet you don’t. I certainly didn’t.

So I looked.

To do so yourself, navigate to the Google Account website, sign-in/authenticate as needed, and go to Data & privacy. Then, under “Data from apps and services you use,” click “Third-party apps & services | Keep track of your connections with third-party apps and services.” And on this page, you will discover how many third-party apps and services you’re signing in to with your Google account.

For me, this number was close to 80. It’s 74 as I write this because I’ve been checking key accounts to see whether I can get into them without using my Google account. And the experience is a bit different with each.

I think I want to remove all of these connections. This will take a while, as I need to make sure that I can sign in to each third-party service without using my Google account.

For some accounts, this is easy enough: I bring up the site and see whether my password manager has an associated account, with an email address, password, and/or passkey. If it does, the Google account sign-in is not necessary, so I can remove it.

Other accounts, however, will require some work. For example, I knew that I had opened my gog.com account long ago, so it almost certainly had an associated password. But that account wasn’t in my password manager. So I clicked “Password reset” in the gog.com log-in box, entered my email address, worked through an annoying captcha, and asked them to send me a password reset link. Because I still have access to my email (Google hasn’t taken that away without warning, at least not yet), I could get the link and create a new password. I used my password manager to generate a strong, unique password. And then I signed in to the site, which uses an email-based 2FA mechanism as well. And that’s the only option: I would prefer to use a passkey or authenticator app, but it’s better than nothing.

That took maybe 5 minutes. But multiply that by 80 and … yeah.

Also, if your Google account is a Gmail account, this process is still fraught with potential danger. If you lose that account, signing in with an email address/password combo may still work, but if the service uses an email-based 2FA scheme, as gog.com requires, you’re stuck: You can’t access the email to authenticate yourself. This is essentially what happened to me with my YouTube channel, so you can see why it’s suddenly on my mind.
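The triage described above (check each Sign in with Google connection against the password manager, and treat email-only 2FA on a gmail.com identity as a recovery risk) can be scripted once both lists are exported. This is an added example, not code from the original post or from Google; the connection list, the vault CSV (including its `has_passkey` column) and the email-only-2FA set are all constructed here and do not reflect any real export format:

```python
import csv
import io
from urllib.parse import urlparse

# Constructed sample: the "Third-party apps & services" list from the Google
# Account page, reduced to service domain and the sign-in email it is tied to.
GOOGLE_CONNECTIONS = [
    {"service": "gog.com", "email": "user@example-domain.com"},
    {"service": "example-forum.net", "email": "user@example-domain.com"},
    {"service": "example-shop.com", "email": "someone@gmail.com"},
]

# Constructed sample: a password-manager export. The has_passkey column is a
# hypothetical field for this example, not a column from any real vault export.
PASSWORD_MANAGER_CSV = """name,url,username,password,has_passkey
GOG,https://www.gog.com/login,user@example-domain.com,,true
Example Shop,https://example-shop.com,someone@gmail.com,correct horse,false
"""

# Constructed: services that offer only an email-based second factor.
EMAIL_ONLY_2FA = {"gog.com", "example-shop.com"}


def load_vault(csv_text):
    """Map each domain in the vault export to whether a password or passkey is stored."""
    vault = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = urlparse(row["url"]).hostname or ""
        domain = host[4:] if host.startswith("www.") else host
        vault[domain] = bool(row["password"]) or row["has_passkey"].lower() == "true"
    return vault


def classify(connections, vault, email_only_2fa):
    """Return {service: verdict} for every Sign in with Google connection."""
    report = {}
    for conn in connections:
        service, email = conn["service"], conn["email"]
        has_standalone = vault.get(service, False)
        # A custom domain can be moved to another mail provider; gmail.com cannot.
        own_domain = not email.lower().endswith("@gmail.com")
        if not has_standalone:
            report[service] = "needs-recovery"   # no password/passkey yet: do a reset first
        elif service in email_only_2fa and not own_domain:
            report[service] = "email-2fa-risk"   # standalone login still hinges on the Gmail inbox
        else:
            report[service] = "safe-to-unlink"
    return report


if __name__ == "__main__":
    for service, verdict in classify(GOOGLE_CONNECTIONS, load_vault(PASSWORD_MANAGER_CSV), EMAIL_ONLY_2FA).items():
        print(f"{service:20} {verdict}")
```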

Granted, the chance of losing an online account is likely small. But many people have multiple accounts. I do. And while my personal Gmail account isn’t used for many third-party sign-ins, that might not be the case for you.

So I ask you. Is this a concern?

There’s a lot of nuance here. If you do have a custom domain (not @gmail.com), the risk seems lower: If disaster strikes, you can move your email address and regain access to email so you can authenticate. If you are using Sign in with Google and ensure that you can access a particular service using a “normal” sign-in (email address, password, and/or 2FA/passwordless authentication), do you even have to remove the Sign in with Google association? Does it matter?

This might be viewed as part of a bigger evaluation of one’s relationship with Big Tech in general, I suppose. If the goal is to untangle yourself as much as possible from Big Tech’s web of dependencies, and that feels like a valid goal, then removing these connections feels reasonable. Or maybe not: Every standalone online account (which is what each of these third-party services becomes) is another vector for hackers to attack. One might argue that creating new account/password pairs is growing your attack surface. Yes, you will protect these accounts with a password manager, and, yes, you will use whatever 2FA/passwordless authentication options each offers. But still.

So there you go. I don’t have an answer to any of this. I’m still working through it. So let me know what you think. Is this worth worrying about?
