
While this is certainly handy, I foresee lots of problems for users typing their Gmail password to authenticate for other sites. Phishing has been around for a long time, and by using these authentication mechanisms it will only get easier.

For users it's not clear which site is legit.

This is legit: hxxps://www.google.com/accounts/ServiceLogin?service=lso&domain=Socialauth.uswaretech.net&anonSign=1&continue=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud%3Fst%3DBDKB7DbZLrOEjmE3c2kS

This is not: hxxps://www.google.com.evilsite.com/accounts/ServiceLogin?service=lso&domain=Socialauth.uswaretech.net&anonSign=1&continue=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud%3Fst%3DBDKB7DbZLrOEjmE3c2kS

For the average user, logging in means: click on the bookmark, see if a login form pops up, log in. Now it's: go to a random site, get asked for your Gmail password, and type it or else 'no cookie for you'.

That being said, I have no solution for the problem.



Plus it is certainly better than what we had a few years back, wherein you gave your password to third parties to authenticate to a trusted site (like Gmail contacts import, Twitter apps). Now at least you are authenticating on the trusted site, where you can verify the address bar.


On one hand you don't want to remember multiple passwords (on multiple sites) and on the other hand you don't want to let people authenticate from your own trusted site.

Most of the time, since you are already logged in on Facebook, Google, Yahoo or Twitter, you will not be prompted for a password, only for approval of the authentication.


Chrome/IE8 actually do a reasonable job of addressing this by greying out everything but the domain in the address bar. It's something I'd like to see in FF -- if anyone knows of an add-on to do this, let me know.
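As an added example (not part of this thread), here is the difference between the two URLs quoted earlier once the host is parsed properly rather than eyeballed from the prefix, together with the registrable domain that the Chrome/IE8 address-bar highlighting in the comment above surfaces. The two sample URLs are the thread's own with the defanged "hxxps" restored to "https"; the domain extraction uses a simplified last-two-labels rule rather than the Public Suffix List (an assumption, noted in the code), and all function names are mine.

```python
from urllib.parse import urlsplit, parse_qs

# Sample URLs constructed from the two quoted in the thread ("hxxps" restored to "https").
LEGIT = (
    "https://www.google.com/accounts/ServiceLogin?service=lso"
    "&domain=Socialauth.uswaretech.net&anonSign=1"
    "&continue=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud%3Fst%3DBDKB7DbZLrOEjmE3c2kS"
)
PHISH = (
    "https://www.google.com.evilsite.com/accounts/ServiceLogin?service=lso"
    "&domain=Socialauth.uswaretech.net&anonSign=1"
    "&continue=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud%3Fst%3DBDKB7DbZLrOEjmE3c2kS"
)


def naive_looks_like_google(url: str) -> bool:
    """The check a hurried eye (or sloppy code) makes: does the string start with the
    trusted prefix?  Both sample URLs pass, which is exactly the phishing problem."""
    return url.startswith("https://www.google.com")


def host_is_under(host: str, expected: str) -> bool:
    """True only if host equals expected or is a subdomain of it (label boundary enforced,
    so 'google.com.evilsite.com' and 'evilgoogle.com' both fail)."""
    host = host.lower().rstrip(".")
    expected = expected.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def highlighted_domain(url: str) -> str:
    """Approximation of what the browser address bar emphasises: the registrable domain.
    Assumption/simplification: last two labels; real browsers use the Public Suffix List,
    so this is wrong for hosts like example.co.uk."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:])


def is_legit_login(url: str, expected_domain: str = "google.com") -> bool:
    """Parse the URL and check scheme, embedded credentials and the real host, which is
    what 'verify the address bar' means once done by a parser instead of by eye."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # Reject 'https://www.google.com@evilsite.com/': userinfo is not the host.
    if parts.username or parts.password:
        return False
    return host_is_under(parts.hostname or "", expected_domain)


def continue_target(url: str) -> str:
    """The post-login redirect carried in the 'continue' query parameter (percent-decoded)."""
    values = parse_qs(urlsplit(url).query).get("continue", [])
    return values[0] if values else ""


def continue_stays_on_domain(url: str, expected_domain: str = "google.com") -> bool:
    """A legitimate login page should not bounce the user off-domain afterwards; an
    attacker-controlled 'continue' would be an open redirect back to the phishing site."""
    target = continue_target(url)
    if not target:
        return True  # no redirect requested
    return is_legit_login(target, expected_domain)


if __name__ == "__main__":
    for label, url in (("legit", LEGIT), ("phish", PHISH)):
        print(label, "naive:", naive_looks_like_google(url),
              "parsed:", is_legit_login(url),
              "address bar shows:", highlighted_domain(url),
              "continue ok:", continue_stays_on_domain(url))
```

The naive prefix check accepts both URLs; only the parsed host check and the highlighted registrable domain separate them, which is the point of the browser behaviour the comment describes.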



Well, try the demo. The Google login works with a mechanism on Google's servers asking you explicitly to grant access to the referring site. If the user doesn't check the address on the target ... well ... :/

I've spotted another weakness, though, in the Facebook login. The usernames are generated as facebook_$firstname, which will lead to duplicates on big sites quite fast. I'd like to see a mechanism asking the users to choose a username.


I think this is a problem. Lots of users just type www.example.org into Google and click the first link. They hardly know what the address bar does.

One way to look at it is: stupid user, you did it to yourself.

Another is: lots of people will be fooled, maybe we should rethink.

As I've said before, I have no solid solution.


It's a tough one, but it isn't new - PayPal have had that exact problem for years (it's baked into their core product).



