Multi user: from within my account, I can directly switch to the other user account without password or PIN
I have a question regarding multiple user accounts on one PC:
Is it normal that from within my own personal account, I can switch directly to the other user account without entering a password or PIN code? It's a family member, but still, I feel this shouldn't be that easy to log in to someone else's account.
This morning I could login with my PIN, but when I close and reopen the lid, password is needed for the other user. Can somebody please explain to me, or refer me to an article where this functionality, or lack of, is explained? This is crappy behaviour, and before it was not like that. What happened here? Who thought this was good design?
It is important to note that the Multiple Sign-in functionality is not a NeverWare or CloudReady specific feature. NeverWare provide a generalised version of ChromiumOS packaged to run on as many devices as it is possible to do so.
The Multiple Sign in feature is described on the official Google Support pages here - https://support.google.com/chromebook/answer/6088201?hl=en-CA
The feature does require you to know and enter the sign-in details of the additional user accounts before you are able to switch between them from within your session. The feature is additionally controllable by a Google Workspace administrator if you have an Enterprise/Education workspace - it is possible to force an account to only allow login as a primary user (i.e. block it from being added as a secondary log-in).
I suppose the feature is intended to replicate/enhance the user profile switching mechanism that has been a feature of the Chrom* browser for some time.
So basically, if you log into a Cloudready laptop or Chromebook that's not yours with your Google account, there goes your privacy and security because YOUR GOOGLE ACCOUNT AND E-MAIL IS WIDE OPEN TO THE OTHER USER!!!!!!!
I can open the account of the other user and mess with their Google account and change the password without even entering so much as a pin or password!!!!!!!
Is this standard behavior on every Chromebook? If yes, holy crap!
Here's the overt warning Sam Van Geel.... so you were warned....
Oh, everything is all right now, there's a pop-up warning! Don't remember that warning popping up. Which version are you on? Home or enterprise? This is the same as a gun without a safety pin, but with a sticker saying the gun can go off randomly when used by another user or dropping it to the ground. MacOS and Windows PC accounts can never be entered without entering a password or pin code.
Remember, laptops can get lost or stolen. When you were logged in at the time or they know your password or pin, every other Google account on it is wide open.
So popping off warning signs instead of making the OS safe on a basic level is the idea of safety by Google? They took every measure to make the OS safe, but they left the front door wide open! Gives you stuff to think about concerning Android.
In addition to Tony's comment, adding an account using the multi-sign-in feature requires you to know the password of the account you are adding. You cannot add an account simply because it has been previously used on the device.
The sequence of events is as follows:
- Sign in to Chrom*OS device as User_A
- Sign out of User_A
- Sign in to same Chrom*OS device as User_B
- Initiate Multi-Sign in as User_B by clicking User_B avatar in the settings box bottom left, and clicking Sign-in another user.
- Chrom*OS displays a list of users (in this case User_A) that have previously signed into the device, informs you whether or not the account is available for multi-sign-in, and requests the password for the account you wish to add.
- The warning says that once you have added the User_A account to your User_B profile, you will not need to retype the User_A password within the User_B account again. Therefore you should only add accounts that you own or trust to switch between in a single session.
To confirm, you cannot add an account to Multi-sign in simply because it previously logged into the device. Do not confuse Multi-Sign in with Signing out of one account and signing in as another. If you want to add a new account to a device, simply sign out of the first account, then sign in as the second. Multi-Sign-in is intended for use when one person owns several accounts.
Yeah, the distinction here that may be getting lost is that of having multiple accounts simultaneously signed in vs. having multiple profiles present on the device, but only having one session active at the time.
In the latter, the profiles are secure from one another.
In the former, however, you establish a sense of trust between the two profiles by entering a secondary user's password from within a primary user's session.
Honestly, I cannot think of any situation where opening up your Google account to somebody else is necessary. Surely there are better ways to collaborate with others? If the trustful relation with the other comes to an end, hope that he or she logs you out of the computer. Again, this is my personal opinion, but this functionality is very dangerous because it is based on trust and goodwill from the other party. I'm not willing to take that risk. Signing off.
Sam Van Geel don't use the feature & you should go tell the chromeOS developers. Cloudready is downstream & this is not their design.
Interesting thread. Didn't know this was a thing, changing user accounts on the fly without password, just tried it out now. This can be useful for some people. Sam Van Geel, adding to what others have said, multiple sign-in looks to be a specific feature with a specific way of activating it. You have to be signed in, click the option in the system tray, go through two sets of warnings, then enter the password of the other user account. This option cannot be enabled on a Cloudready device that is locked or signed out which means you should be sufficiently protected (unless you're not locking or signing out your account on a shared device... then that is an entirely different problem). So yeah, nobody is forcing you to use this feature. Just sign out when you're done. Or lock your account; the next user will have to sign you out anyway so they can log in. Easy.
Tony Baloney This means that Neverware has lost control of its product to Google. In one of my posts 6 or 7 months ago, I expressed my enthusiasm over Cloudready, and made some reservations at the same time about Google buying Neverware.
It seems that my prediction at the time is becoming reality, Google is taking over and messing up. I'm off now to fill in some lottery numbers, cause clearly I'm clairvoyant :-)
Joel R. It's not that we have a choice in user management. And if I log out, I have to reinsert my 16 character hyper complicated Google password.
Sam Van Geel Whilst I share some of your feelings on Neverware and Cloudready since the Google takeover, this might be the wrong feature or flaw to have a go at them with. As others have said, this design comes from upstream so your feedback on this specific feature is better directed at Chromium OS developers. A further suggestion which I hope you'll find productive: consider setting up your user profile using a secondary / dummy Google account with a not necessarily shorter but easier to enter password. Then add your primary Google account via the 'Accounts' section in the Settings menu. You can henceforth log in with the easier password of your secondary account but still have full access to your primary account. This is what I do since I use a password manager and didn't want to / am not capable of memorizing the long randomly-generated password for my main Google account.
Hi Forrest Smith, while we have your attention, Netflix breaking for the third time this year doesn't look good. More concerning even are the issues with YouTube, which is a Google product! Certainly raises more questions on the long-term stability of Cloudready and the direction Neverware is headed towards. Not expecting a State of the Union sort of statement from you guys, but maybe including a concise explanation of these issues and how they will be mitigated moving forward in the release notes for the next update would be helpful.
I agree with Tony Baloney. This is an issue to take up with the Chromium Developers. Security has become a big deal and perhaps this feature should be deleted from the OS.
Neverware's mission is to make the Chrome OS usable to all, esp. those of us with ancient devices. To ding Neverware for something the developers created (probably for their convenience), is missing the mark. As Forrest Smith commented, "Multi-profile user behavior is the same as it was prior to Google acquiring Neverware."
Having watched how Google has handled other companies that they have purchased, Google does not "aggressively" take over the management of the purchased companies. The companies have been successful before being purchased and continue to do well.
Neverware is having enough problems with Youtube, Netflix, and other third-party vendors. It would be nice when there is a fix that Ilya G tells us what had to be done.
ChromeOS Flex is replacing CloudReady, so this community is no longer accepting new comments.
Please visit the ChromeOS Flex Help Community to post any new questions or thoughts! You can still link back to this or other pages in this community in order to reference past conversations.