I have been using Gmail for one of my email accounts since Gmail was in beta. Unlike some people, I do not rely entirely on Gmail for my email. I do not like putting all my eggs in one basket for any service.

Gmail new sign-in screen: new is not always better

Google always trumpets its security improvements to protect end users from malware and phishing attacks. Over the past weeks, whenever I logged into Gmail I would see the following note:

Gmail login screen with note regarding new sign-in screen

The note says “New Look coming soon. We are making it faster and easier to sign into your Google account.” It also has a Learn More link, which gives you the following information:

Explanation of what is going to change with new sign-in screen


Gmail new login screen

One thing Google forgot to mention in its list of what has changed is that it has implemented a persistent login that survives across browser sessions.

The start of dumbing down

Most logins to services have a box that says something like “Remember me”, which you can check so that the next time you visit the site you do not have to log in again. Gmail has had that option for years. To prevent other people from reading your email you would leave that box unchecked. That meant the service would not set a permanent cookie (a small file on your hard drive) but rather a session-only cookie. These cookies are normally removed by the web browser when the browser session ends, that is, when you close the browser. This meant that the next time you went to that website you would have to log in again.

Google Chrome has had an option for years called “Continue where you left off”. This option reopens the tabs that you had open in Chrome before you closed the browser. It was a handy option to use, and Chrome would still delete any session-only cookies set in any of these tabs. Five years ago, in January 2012, that changed. End users reported issues when using “Continue where you left off”: they noticed that when they reopened their web browsers they were still logged into services such as Gmail, where they had explicitly made sure not to check the “Remember me” login box.

Google Chrome, starting in version 19, does not delete these session-only cookies when one uses the “Continue where you left off” option. End users protested that this weakened the security of services: in an office environment it allowed other people to gain access to services such as Gmail even after the end user had closed Chrome. The Chrome developers said it was a non-issue.
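To make the two preceding points concrete (the “Remember me” box deciding between a session-only and a persistent cookie, and a browser restoring its session keeping cookies that should have been discarded), here is an added example that is not part of the original post. It is a toy model, not Chrome's or Gmail's code: the function and class names (issueLoginCookie, CookieJar, loginSurvivesRestart), the 30-day lifetime and the sample session id are this example's own assumptions. The one rule it does take from the standard is RFC 6265: a cookie is persistent only if it carries a Max-Age or Expires attribute.

```javascript
// Added example, not from the original post. Models how "Remember me"
// decides between a session-only and a persistent cookie, and what a
// browser's cookie jar does with each when the browser is closed.

// Server side: build the Set-Cookie header for a login. Only when the user
// ticked "Remember me" do we add Max-Age/Expires, which makes the cookie
// persistent; without them the browser treats it as session-only.
function issueLoginCookie(sessionId, rememberMe, now = Date.now()) {
  const attrs = [`sid=${sessionId}`, 'Path=/', 'Secure', 'HttpOnly', 'SameSite=Lax'];
  if (rememberMe) {
    const maxAge = 30 * 24 * 60 * 60; // 30 days: an assumed policy, not Gmail's
    attrs.push(`Max-Age=${maxAge}`);
    attrs.push(`Expires=${new Date(now + maxAge * 1000).toUTCString()}`);
  }
  return attrs.join('; ');
}

// Parse a Set-Cookie header into { name, value, attrs } with lower-cased
// attribute names; flag attributes such as Secure become `true`.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i < 0 ? true : a.slice(i + 1);
  }
  return { name, value, attrs };
}

// RFC 6265 section 5.3: persistent iff Max-Age or Expires is present.
function isPersistent(cookie) {
  return 'max-age' in cookie.attrs || 'expires' in cookie.attrs;
}

// Browser side: a toy cookie jar. closeBrowser() models the two behaviours
// the post contrasts: the classic one (session cookies discarded on exit)
// and a "continue where you left off" restore that keeps them.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  store(setCookieHeader) {
    const c = parseSetCookie(setCookieHeader);
    this.cookies.set(c.name, c);
  }
  closeBrowser({ restoreSession = false } = {}) {
    if (restoreSession) return; // keeps everything, session cookies included
    for (const [name, c] of this.cookies) {
      if (!isPersistent(c)) this.cookies.delete(name);
    }
  }
  has(name) { return this.cookies.has(name); }
}

// Does the login survive a browser restart for a given combination of
// "Remember me" and session restore? Returns true if the sid cookie is kept.
function loginSurvivesRestart(rememberMe, restoreSession) {
  const jar = new CookieJar();
  jar.store(issueLoginCookie('abc123', rememberMe)); // constructed sample id
  jar.closeBrowser({ restoreSession });
  return jar.has('sid');
}

// Stand-alone run: print the four combinations.
for (const rememberMe of [false, true]) {
  for (const restoreSession of [false, true]) {
    console.log(`rememberMe=${rememberMe} restoreSession=${restoreSession} ->`,
      loginSurvivesRestart(rememberMe, restoreSession) ? 'still logged in' : 'logged out');
  }
}
```

The case the post complains about is rememberMe=false with restoreSession=true: the server did exactly what the user asked and issued a session-only cookie, but the browser's restore feature kept it anyway. The only defence left on the user's side is what the Chrome developers suggested, an explicit sign-out before closing the browser, which is why the post treats the change as a loss of control rather than a bug the user can fix.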

End users suggested an option in Chrome to let the browser delete these session-only cookies. That option was denied; see this thread in the Chrome bug reporting system for the discussion. The Chrome developers' solution was for people to remember to log out of every website BEFORE they closed their web browser.

If you wanted to restore the previously opened tabs from a prior browser session but still have tighter security for services such as email, you would have to use a browser session manager extension rather than Chrome’s “Continue where you left off” option.

Simplification continues but at what cost

Then comes the newly implemented Gmail login screen, introduced to some users at the end of April 2017. Users reported that the next time they opened their browsers they were still logged into their Gmail accounts. Does this sound familiar? This was puzzling, since they did not remember seeing or clicking any “Remember me” box the last time they logged into Gmail. After they posted to Google’s Help Community about this issue, the selected best answer was to remember to sign out of Gmail BEFORE closing your browser, or to use Chrome’s Incognito mode. The new login process in Gmail keeps you logged in all the time unless you specifically log out. In other words, Google has removed the ability for end users to simply remain logged in for the current session only.

Having 2-factor authentication such as LastPass enabled on a Gmail account is not going to help, even if you have specifically told LastPass not to remember this computer. If you either did not use Chrome’s Incognito mode or forgot to use “Sign out” via the pull-down menu on your Gmail account icon, then anyone who starts up the Chrome browser can access your account. I do not know whether this issue exists in other browsers such as Firefox.

Let Google know 

Google seems to be inconsistent in its security policies. One division is trying to tighten up security. Another division (Gmail) is taking away end users' ability to control their own security level. Gmail is dumbing down the login process.

If you think that Gmail’s change to the login process, keeping you logged in after the browser shuts down, is less secure, then send Google feedback: open Gmail, then click the Settings menu > Help > Send Feedback.