Comment by hunter2_
4 months ago
I wonder why Google would make an SSO assertion along the lines of "yes, this user Bob has email address bob@example.com" in the situation where example.com is not under a Workspace account. Such assertions ought to be made only for Workspace (and Google's own domains such as gmail.com, googlemail.com, etc.) since outside of that it's obsolete proof as you say, i.e. it's merely a username of a Google account which happens to look like an email address, and nothing more.
You can create a Google account with an existing email
https://support.google.com/accounts/answer/176347?hl=en&co=G...
I read the GP's question as "why" would Google allow that in the first place?
The reason is obvious: because a Google account gets you access to many a Google service without requiring you to open a Gmail account.
However, the question still stands: why does Google allow authentication with a non-Gmail/Workspace account? Yes, it would be confusing since not all Google Accounts would be made the same, but this entire class of security issues would disappear.
So it's the usual UX convenience vs security.
Alternative "fix" that's both convenient and secure is to have every company use Google Apps on their domain ;-)