I agree with everything except the browser login bit. It should give you the option. I uninstall any app that provides me an electron rendered window claiming to be Google but with no visible URL or TLS info. It's a bad bad idea to let average users get used to the idea that they should put their google password and OTP into a black box that can do anything with it.
Almost all google products are really weak on Q&A. It's very sad that a software giant, a leader, a "role model" such as google can not do better. IMHO they should set an example for the rest of the industry.<p>Badly coded apps (web pages or what have you) are unfortunately the norm in todays society, not the exception. Release now, fix later (if ever).<p>I often think about this when my boss or clients wants me to rush things (i.e. skip testing, refactoring, write spaghetti code etc). Maybe that will save them money in the short term. But if you look at it from a larger scale, in the long term and also all the other people it will affect, i'm not sure it will actually be cheaper for society as a whole. You can imagine the butterfly effects it will have, and when everyone does it. It's mentality i wish would go away quickly.
This mostly boils down to using OAuth for login.<p>>What happened to sending my login info over an HTTPS connection in the background and getting a session token back? I guess that's too simple for Google.<p>Not exposing an HTTP endpoint that easily lets you check if a Google account with said credentials exists (because it has to work from anywhere) and not maintaining an API that supports all the weird edge cases to logging in to Google (2FA, showing notices, locked out accounts, requiring additional authentication).<p>You essentially want this mess with application specific passwords back?
Well, support will be yanked at the end of 2020 :-P<p>... in keeping with Google's disassociative identity in chat apps. It's seriously now worse than Microsoft and syncing applications.