We Removed Google Sign-In - You Asked For Something Simpler
What changed
If you opened Jottii today, the sign-in screen is shorter than it used to be.
You type your email. We send a 6-digit code. You paste it back. You're in.
That's it. No Google button. No password field. One screen, one code, ten-minute expiry, one shot.
The master-key step is unchanged. Once you're signed in, you still unlock your entries with the passphrase you chose at signup, the same way you always have.
Why we changed it
We listened.
This wasn't a strategy memo or a product all-hands. It was a recurring piece of feedback from a small but consistent group of users, sent over the last few days, on email and in support replies. We're an early product and we don't pretend the sample is large. We do think the signal was honest.
A few threads kept showing up:
- A discomfort with logging into a privacy-first journal using a Google account. The feeling, more or less: "I'm here precisely because I don't want this in Google's orbit."
- Friction on shared or work devices, where the signed-in Google account wasn't the user's actual identity. People didn't want their personal journal tied to the laptop's work profile, and switching accounts mid-session is awkward on every operating system we tested.
- A confusion about why a zero-knowledge product needed an OAuth login at all. If the server can't read entries, why is a third-party identity provider in the loop?
- A handful of users who don't have Google accounts and were locked out entirely. Small group, but they were paying users elsewhere, and we couldn't sign them in.
None of these were loud. They were quiet, repeated, and right.
The principle behind it
There was a tension in the old setup that users felt before we did.
We market Jottii as a private, zero-knowledge journal. Then we asked you to authenticate through Google. That's not a contradiction in the cryptography - your entries were never readable by Google or by us - but it was a contradiction in feel. You were trusting a privacy-first app with your words and a third party with your identity, on the same screen.
Email plus a one-time code is the lowest-trust auth path that still works. There's no password for us to leak, because there isn't a password. Google isn't a step in the chain. The 6-digit code is one-shot, expires in ten minutes, and is useless after the first use.
It also matches the rest of the product's posture. The server stores ciphertext it can't read. Now the sign-in stores no secret it could lose.
What didn't change
Two things worth being explicit about.
The master key still gates your data. The email gets you to the app. The master key opens the entries. They're separate roles on separate screens, and that separation is intentional - identity and encryption shouldn't be the same secret. If you forget your master key, we still cannot recover it for you. That's the contract; it hasn't moved.
The encrypted data layer didn't change either. The same NaCl-encrypted blobs are on the server, the same client-side derivation runs on your device, the same recovery boundaries apply. We reshaped the door, not the vault.
What about existing users
If you signed in with Google before, sign in with the same email you used then. The app sends the code to that address; you paste it; you land in the same account, with the same encrypted entries, the same master-key gate, the same history. Your account is matched by email, which is what it was matched by underneath the OAuth flow anyway.
You won't be asked to re-derive a master key, re-import your data, or migrate anything. Your first sign-in after the change is one extra step (typing six digits) compared to the old Google button; every sign-in after that is the same flow.
If, for some reason, the email tied to your old Google sign-in isn't reachable anymore, write to us before you start. We'll help you get the right address into the right place. We can't read your entries, but we can help with the address that fronts them.
A note on listening
We didn't ship this because it was clever or because it tested well. We shipped it because users told us, in different words on different days, that the old flow felt off. They were right, and the longer we left it the more it would have hardened into "the way Jottii does it" instead of a choice we could still revisit.
Keep telling us what doesn't fit. The product is small enough to change, and we'd rather change it than defend it.
If something else about Jottii feels like it doesn't match the rest of the app, we want to hear that too. The next change probably starts in your inbox to us.
Reach us
Write to us at jottii@festivlabs.com. Feature requests, bug reports, "this feels off" notes, account questions - all of it lands in the same inbox, and a real person reads every message.