The newest version of Google Identity Toolkit has been released as Firebase Authentication. It includes upgraded client SDKs, open source UI libraries, session management and integrated email sending service for forgotten password flows.

New projects should use Firebase Authentication. To migrate an existing project from Identity Toolkit to Firebase Authentication, see the migration guide.

Account Chooser and Email First

Web-enabled mobile devices allow users to quickly access information and services when they most need it. So long, of course, as they can login to their account or create a new one. Websites have already been restyled to improve the mobile web experience - sliding navigation drawers replaced sidebars and so on. Yet authentication methods have largely been stuck in the past, and users frequently face the daunting task of typing their information on software keyboards. Fancy predictive keyboards correct enough typos to make hammering out a lengthy text message reasonably bearable, but they don’t quite work for email addresses. The result: many users opt not to bother with the sign in flow and simply leave your site. Google Identity Toolkit utilizes several new techniques to make logging in as easy as possible.

The Account Chooser

AccountChooser.com leverages the insight that most users only have a handful of email addresses that they use to access the majority of websites. Rather than force the user to repeatedly type these addresses, they could instead select one from a short list of their accounts stored in their browser. Hence: an account chooser.

Designed by the OpenID Foundation, AccountChooser.com allows any website to reduce login friction for their users. When a user begins the login flow, the website can opt to redirect to AccountChooser.com, which displays the list of previously used accounts. Once the user selects an account, it is passed along to the website so that it can initiate login. Google Identity Toolkit automatically integrates with AccountChooser.com to provide a great user login experience, even on the mobile web.

Email First

With the account chooser paradigm, users enter their email address before they are prompted to enter any credentials. This separation between the identification and authentication steps makes room for some serious innovation in the login flow. In Google Identity Toolkit, we’ve employed the email first paradigm to reduce the complexity of signup and safely test federated login.

Sign in vs. Sign up

The most obvious trick you can play at this point is to automatically detect if the user already has an created an account. A typical sign in page will provide fields for the email and password, as well as links for creating a new account or resetting their password. Should the user not get their credentials correct on the first try, they then have to decide to reset their password or register an account. Instead, if we take the email first, we can properly route the user. With Google Identity Toolkit, new users are shown the registration form:

While repeat users go straight to the sign in page:

Now that we have seen how an account chooser combined with email first design can improve password sign in, read on to learn about applying these same techniques to federated sign in.