Google One-Tap or Google YOLO (You Only Login Once) is a web widget that allows customers to log into any website with a single click.
The login widget appears as a popup or an integrated UI element with a prompt to sign in or sign up with your Google account when either of these conditions is true:
- you are logged into your Gmail account,
- you’ve signed into your Chrome browser.
At first glance, it’s a really convenient feature: you click the web widget and sign into a brand-new store with your existing Google account: no need to create a new user, no need to remember the email and password you used to log in before. Just one click and you are good to go.
The benefits can be massive, especially for smaller Magento stores that struggle with engagement and want to retain visitors. Customers skip a tedious registration process, get a more customized shopping experience, and at the same time create more opportunities for store owners to engage with them through different marketing channels.
Google YOLO is an ambitious project first announced in 2015. It’s an organic development of the Google Smart Lock Passwords and its features first appeared in Android M Preview where users could log into various apps without typing in their own credentials.
Security concerns surfaced in the community very early in development. The announcement of the Google YOLO project drew a lot of criticism from both alarmists and security professionals for potentially simplifying hackers’ lives rather than ordinary users’.
Further development and a new collaboration between Google and Dashlane let the project mature and go into the open beta in 2018.
Where Internet pessimists cried about the end of the world, online marketers cheered new and simplified login features for an anticipated increase in user engagement and potential sales growth. Turned out, the marketers were right.
Three companies reported awesome results after integrating Google One-Tap into their user experience:
- a travel planner increased their new user count twofold,
- a music streaming platform saw that now half of their users logged in with Google,
- a discount traveling platform recorded an unbelievable 1200% growth in logged-in users.
Sadly, the alarmists were also correct. And in a few unexpected ways that were hard to predict, too. As you know, convenience is the direct antagonist of security. The same feature that allows you to use any device as a single point of entry enables hackers to use the web widget for malicious purposes.
It’s actually really easy to put an invisible button on top of a visible one and trick the user into clicking it. This technique is called clickjacking. What do hackers use it for?
- tricking users into liking your Facebook page (the so-called organic likes farming, a nice blackhat SEO tactic),
- collecting personally identifiable information from users (Google will freely give up your actual email address, avatar, and nickname which can be linked back to you),
- tricking users into giving authentication consent (you think you click an empty space on a page when in fact you click a transparent moving button).
What did Google do once they got a report about this exploit? First, nothing.
Then, after the community started an uproar and pitchforks appeared in the crowd, the Google team decided to restrict the API to a closed circle of Google Partners and disable it for everyone else.
Since then, nothing has changed. Right now, in 2019, things are complicated for Google. The exploit is client-side and nontrivial to fix: the CSS and frame/iframe features that enable this behavior are inextricably bound up with the way <iframe> and web widgets work.
Right now, the Google One-Tap page states that the project API is currently closed due to improvements in cross-browser functionality. The smart lock feature is still limited to the shortlist of trusted Google Partners and nothing is going to change, at least not in the next few months.
It doesn’t mean that, eventually, Google One-Tap will not reappear as a fully capable login feature for the world’s businesses, community websites, services, and – you guessed it – Magento stores.
We hope that the bright minds at Google will find a way to mitigate the risks of using web widgets for sign-in. But if they decide to leave things as they are and ship Google YOLO anyway, here’s what you can do to build a high level of security both as a user and as a Magento store owner (get a Magento security audit btw, if you haven’t yet).
How to mitigate the risk as a Magento store owner:
- deploy the X-Frame-Options HTTP response header, which restricts content rendering in <frame> and <iframe> blocks,
- alternatively, use the Content-Security-Policy header to prevent clickjacking,
- make sure the web widgets you use require users to confirm the login action.
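To check the first two items above, here is an added example (not code from the original post or from Magento) that evaluates a set of response headers the way a browser would: a CSP frame-ancestors directive, when present, takes precedence over X-Frame-Options, and a CSP without that directive gives no framing protection at all. The header sets in the demo are constructed.

```python
"""Evaluate whether a page's response headers stop it from being framed by another site.
Header names/values follow the real X-Frame-Options and CSP syntax; sample headers are constructed."""
from typing import List, Mapping, Optional, Tuple

def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent.
    default-src does NOT govern frame-ancestors, so a CSP without this
    directive gives no clickjacking protection."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def framing_policy(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (protected_from_third_party_framing, reason). Header names are
    matched case-insensitively; each header is assumed to appear once."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = h.get("content-security-policy")
    ancestors = frame_ancestors(csp) if csp else None
    if ancestors is not None:
        # Browsers that support frame-ancestors ignore X-Frame-Options entirely,
        # so a permissive CSP overrides even X-Frame-Options: DENY.
        if ancestors == ["'none'"]:
            return True, "CSP frame-ancestors 'none' blocks all framing"
        # '*' or a bare scheme source such as https: lets any origin frame the page.
        if any(a == "*" or (a.endswith(":") and "//" not in a) for a in ancestors):
            return False, "CSP frame-ancestors allows any origin (X-Frame-Options ignored)"
        return True, "CSP frame-ancestors restricts framing to: " + " ".join(ancestors)
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        # Deprecated: browsers that do not recognise it ignore the header and frame freely.
        return False, "X-Frame-Options ALLOW-FROM is unsupported by current browsers"
    if xfo:
        return False, f"invalid X-Frame-Options value {xfo!r}"
    return False, "no anti-framing header present"

if __name__ == "__main__":
    # Constructed header sets, not captured from any real store.
    samples = {
        "hardened": {"X-Frame-Options": "SAMEORIGIN",
                     "Content-Security-Policy": "frame-ancestors 'self'"},
        "csp_overrides_xfo": {"X-Frame-Options": "DENY",
                              "Content-Security-Policy": "frame-ancestors *"},
        "default_src_only": {"Content-Security-Policy": "default-src 'self'"},
    }
    for name, hdrs in samples.items():
        print(f"{name:18} -> {framing_policy(hdrs)}")
```

Run it against the headers your store actually returns (for example the output of `curl -I`) to confirm the widget page cannot be embedded by a third-party site.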
What users need to know:
- use browser profiles to avoid social media risks,
- disable third-party cookies when you browse untrustworthy sites,
- use NoScript/ClearClick if you are an advanced user.
Google One-Tap login is a great idea that suffers from poor execution. In part, the problem lies with imperfect web browsers that can’t keep up with the richness of HTML and CSS possibilities.
In particular, most browsers:
- lack the ability to protect users from invisible buttons,
- can’t reveal hidden UI elements that could compromise user security,
- can’t tell if an <iframe> is visible, layered, moving, or hidden outside of the screen,
- don’t protect user input on pages with hidden risky UI elements, etc.
NoScript and other security-focused extensions partly solve the problem of clickjacking and masked JS events. For example, ClearClick reveals obscured UI elements and prevents users from interacting with malicious buttons. But this should be standard web browser functionality that is available to anyone, not a specialized pro-level plugin.
Right now it’s the prerogative of the select few, mostly security-centered developers and power users. And until things change, it will remain this way.
If you have further interest in Magento security, check out this Magento 2 security guide we’ve put together recently.