This is unfortunately how lots of people and companies think "secure" email needs to work. Any message from my bank or doctor works this way even it is something as simple as an appointment reminder. It is massive waste of user's time and programing effort, but I'm afraid that is where the world is moving.

Unfortunately doctors have to do this because the common legal interpretation of HIPAA and HITECH Act is that they have to.

Dates of service for a patient are protected health information. Most covered entities and business associates won't risk sending any PHI using methods that are not covered under the safe harbor provisions of the HITECH act. So... endless proliferation of "secure email" systems instead of using email. (And I don't see S/MIME taking off anytime soon as an alternative, even though that would be sufficient to qualify for safe harbor.)

Harder to spoof or phish (depending on the implementation). I know that a message shown on my bank's main website, with the correct URL, is legit.

Does this mean that I only need a new reject rule in my spam filter?

Also requiring the recipient to log into Google to allow google to track them.

And conditioning users to click on links they see in emails. Ugh.

I've already experienced this with employers and when buying a home using "HP SecureMail" and some Microsoft e-mail encryption. All they would have in the e-mail body is a link and I would need to validate my identity in some way to access the "protected" content through the website instead of it just being in my e-mail.

I agree that this is something to be concerned about but according to the instructions it doesn't require a Google login so you could do the entire session in a private browsing window if you wanted as long as you can get the verification code by SMS or the email address.

"Private"/"incognito" tabs and windows do little to nothing to protect you from the kind of tracking companies like Google engage in.