Kait

Unsettling discoveries about "Sign-in with Google"

Not wanting to deal with security/passwords and allowing third-party logins has given way to complacency, or outright laziness. Here are some troubling patterns I've noticed trying to de-google my primary domain.

1) Google does not really keep track of where your account has been used. Yes, there's an entry in security, but the titles are entirely self-reported and are often useless (wtf is Atlas API production?). They also allow for things like "auth0" to be set as the responsible entity, so I have no idea what these accounts are even for.

2) This would not be a problem if systems were responsible with the user identity and used your Google account as a signifier. However, many apps (thus far, Cloudinary and Figma are my biggest headaches) treat the Google account as the owner of the account, meaning if I lose access to that Google account (like now, when I'm migrating the email off of Google), I'm SOL.

The RESPONSIBLE way to do this is to allow me to disconnect the Google sign-on and require a password reset. This is just lazy.

The best solution I've found is to add a new account with an alt email address to the "team" account with admin ownership, but this is a hacky kludge, not a solution.
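
The disconnect-and-reset flow asked for above, sketched as an added example (not code from this post or from any of the services named): the Google identity is one linked login on a locally owned account, and removing the last login method issues a one-time password-reset token instead of orphaning the account. All names (`Account`, `unlink`, `complete_reset`) and sample values are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

GOOGLE = "https://accounts.google.com"  # OIDC issuer (`iss`) value for Google

@dataclass
class Account:
    """The local account owns the data; every login method is only attached to it."""
    account_id: str
    contact_email: str                                # where reset mail goes, not the identity key
    password: Optional[Tuple[bytes, bytes]] = None    # (salt, PBKDF2 hash), None if never set
    links: Set[Tuple[str, str]] = field(default_factory=set)  # (issuer, subject) pairs
    reset_hash: Optional[str] = None                  # SHA-256 of the outstanding reset token

def resolve_login(accounts, issuer, subject):
    """Map a federated login to an account through the link table, never by e-mail."""
    return next((a for a in accounts if (issuer, subject) in a.links), None)

def unlink(acct, issuer, subject):
    """Detach a provider. Returns a one-time reset token to e-mail, or None."""
    if (issuer, subject) not in acct.links:
        raise KeyError("identity not linked to this account")
    acct.links.remove((issuer, subject))
    if acct.password or acct.links:
        return None                                   # another way in already exists
    token = secrets.token_urlsafe(32)
    acct.reset_hash = hashlib.sha256(token.encode()).hexdigest()  # store only the hash
    return token                                      # caller mails it to acct.contact_email

def complete_reset(acct, token, new_password):
    """Consume the reset token and set a local password; False if the token is bad."""
    offered = hashlib.sha256(token.encode()).hexdigest()
    if acct.reset_hash is None or not hmac.compare_digest(offered, acct.reset_hash):
        return False
    salt = secrets.token_bytes(16)
    acct.password = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 600_000))
    acct.reset_hash = None                            # single use
    return True

def check_password(acct, candidate):
    if acct.password is None:
        return False
    salt, stored = acct.password
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 600_000)
    return hmac.compare_digest(stored, attempt)
```

The account record, its id and its data survive the unlink; only the way in changes. Changing `contact_email` itself is out of scope here and would need its own verification step.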