Google’s “Verify it’s you” pattern is dangerous

Years ago, Google introduced “Verify it’s you”: a page that, when your session has expired, asks you to log back in before continuing. It has always irked me, because it trains users to see an otherwise unidentified tab with a generic Google login form and enter their credentials by rote.

Google, could you please verify it’s you?

There should be some better sign on this page that it was recently signed into my account: partly so that I can investigate and know for sure I’m not being conned by some clever phisher, but more importantly so that users at large are not predisposed to blindly enter some of our most important credentials into nondescript forms. They don’t even retain the favicon of the app you were on! It’s just a generic Google favicon. Whatever the sign is, it has to be something a phisher is unlikely to have guessed, such as which app the tab was showing or which of my accounts it belongs to; a generic Google logo is exactly what a phisher would copy, and the one thing on screen they cannot forge is the origin shown in the address bar.

If this were a small shop, a random business, heck, even a bank, this behaviour might be fine. You tend to know where your bank tab is. But most days I end up logged into two or more Google accounts with a motley assortment of Gmail, Drive, Meet, YouTube and Calendar tabs scattered around. Was this random tab the one I opened a calendar invite in and forgot to close? Well, I’ll just enter my password to see…
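Since nothing inside the page can be trusted, the address bar is the only check left. As an added example (mine, not code from this post or from Google), here is that check written out in JavaScript over a constructed list of tab URLs: `accounts.google.com` is Google’s real sign-in host, and every other hostname below is made up for illustration. It also shows why the check has to parse the URL rather than look for the word “google” in it.

```javascript
// Added example, not code from the original post or from Google: classify a
// list of open-tab URLs and flag any that present themselves as a Google
// sign-in page but are not served from the one host Google actually uses.
// The only part of a phishing page the attacker cannot copy is the origin in
// the address bar, so the origin is the only thing inspected here.
// "accounts.google.com" is Google's real sign-in host; every other hostname in
// this file is constructed for illustration and refers to no real site.

const GOOGLE_SIGNIN_HOST = "accounts.google.com";
const GOOGLE_PARENT = "google.com";

// Decide what a single URL is, using the URL parser rather than a substring
// search. A substring search for "google" is fooled by hosts such as
// "accounts.google.com.example.invalid" or "accounts-google.com", and by a
// userinfo trick like "https://accounts.google.com@evil.invalid/" where the
// part before "@" is a username, not the host.
function classifyUrl(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return "unparseable";
  }

  // A sign-in link carrying a username/password component is a red flag on
  // its own: the browser shows the real host, but the text reads like Google.
  if (url.username !== "" || url.password !== "") {
    return "userinfo-trick";
  }

  if (url.hostname === GOOGLE_SIGNIN_HOST) {
    // The real host, but only over https counts as the page you expect.
    return url.protocol === "https:" ? "genuine-signin" : "insecure-scheme";
  }

  // Other genuine Google properties (calendar, mail, ...) are fine to be on;
  // they simply are not the sign-in page.
  if (url.hostname === GOOGLE_PARENT || url.hostname.endsWith("." + GOOGLE_PARENT)) {
    return "google-other";
  }

  // Anything else that works "google" into its hostname is the case the post
  // worries about: it looks like Google and is not.
  if (url.hostname.split(".").some((label) => label.includes("google"))) {
    return "lookalike";
  }

  return "unrelated";
}

// Verdicts that should stop you from typing a password.
const SUSPICIOUS = new Set(["lookalike", "userinfo-trick", "insecure-scheme"]);

// Return the tabs from a list of URLs that should not receive credentials.
function suspiciousTabs(urls) {
  return urls
    .map((u) => ({ url: u, verdict: classifyUrl(u) }))
    .filter(({ verdict }) => SUSPICIOUS.has(verdict));
}

// Constructed sample tab list: one real sign-in URL, one other Google product,
// and four shapes of address a phisher might use.
const SAMPLE_TABS = [
  "https://accounts.google.com/signin/v2/identifier",
  "https://calendar.google.com/calendar/u/1/r",
  "https://accounts.google.com.example.invalid/signin",
  "https://accounts-google.com/verify",
  "https://accounts.google.com@evil.invalid/signin",
  "http://accounts.google.com/signin",
];

for (const { url, verdict } of suspiciousTabs(SAMPLE_TABS)) {
  console.log(`${verdict.padEnd(15)} ${url}`);
}
```

Run it with node and it prints the four sample tabs you should not type a password into. The logic is the same one you apply by eye when you actually look at the address bar: exact host, https, and no `user@` prefix in front of it.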

I wonder how many attackers out there are exploiting it.