Are login forms that ask for your username and password on two different pages more secure?

twitter logo github logo ・1 min read

It’s becoming more and more common: instead of a login form where you fill your e-mail or username and your password, you first have to fill your username and submit the form a first time for the password field to appear on the second page (which is often loaded via Ajax, but the fact that the URL doesn’t change doesn’t make the problem disappear).

There is no need to discuss the fact that it’s annoying, but it seems that companies choose to do so because they believe it’s more secure. Is it really? And if so, why?

(Cover image by Del.)

twitter logo DISCUSS (14)
markdown guide

I cannont think of a reason why this should be more secure. From what I know this is a thing where federated accounts may be used. They first check your email to determine if they have to redirect you to another site of ask you for a password.

Related blog article from Brad Frost: with hundreds of interesting comments on HN:


It’s a good point. Also, it’s that article that reminded me of a ticket I had open about this with the security excuse, which in turn prompted this discussion.


I think It's not a security measure per-se, but just a way to provide optional multi-factor authentication.
When you submit your username/email the server can check to see if it's a suspicious or legit login attempt and render more or less additional input fields accordingly.
Most of us just see an email field on the first step and a password field on the second step and think its a bit silly but if you get prompted with additional fields based on some criteria it seems a pretty clean solution


In multi-factor authentication, the second factor is usually triggered after you successfully typed your password (otherwise anyone could flood people with SMS codes just by filling their e-mail address).


You could technically perform some security audit upon entering e-mail, e.g. if you keep tracking of login attempts. If there are 18493 successful logins from and then someone tries to log in from, you could already alert an user about some suspicious attempt.


My opinion is that this trend is the result of Cargo Cult Security: the others are doing it, so it must be more secure. So when people ask me why I am doing it, I will tell them, without further justification, that it’s for security, and they will in turn believe that it’s more secure.

Another possible explanation is that it’s a misunderstanding of the meaning of the term “2-step verification.” The login form asks for your username and password in two different steps, and we all know (believe?) that 2-step verification is more secure.


I doubt it's a misunderstanding of "2-step authentication" because even big companies (like Google) are doing it, I'm pretty sure they know the difference.

Maybe it's just a design trend, I don't know, but either way it's annoying as hell.


The only form I remember that does that is Google auth. I guess that's some sort of UX, because you can either sign in or sign up (login/register for those who struggle to understand these dumb sign-things, like me) using the same form. And it's not more secure in any way.


I also struggle with sign in and sign up, as English is not my mother tongue. I know the difference, but I have to stop and think. Also, there isn’t enough difference visually to distinguish them without reading.

Google auth is the most broken login form I have seen in my life. If you’re unlucky enough to have more that one account, you can be sure you’re constantly half-logged-in (it remembers you but still wants your password) to the wrong one and the only way to stop it is to log in so you can log out. And start again next time you need to switch accounts (maybe it improved recently, but it’s been awful like that for a while).


This is more secure and has a few extra benefits.

  • Makes generic http(s) form interception much more difficult.
  • Allows synchronous user specific logic defined by the server without the need for preset JavaScript or an added roundtrip.
  • Debatably improves UX
    • ex. Add logic to determine if the user exists, and if not show them the registration form instead of requesting a password. !!! Please note the security risk involved with doing this!!!
  • Cleans up the page

I would like to add in addition that you can accomplish the second bullet point using Javascript alternatively.
For example, you could add Javascript logic to listen for changes to the email text input, and conditionally redirect the user if they put an email with specific domain(s).

  • Do you mean that if you can intercept and decode HTTPS traffic but only on 50% of requests, then you have 25% percent of chance to intercept both username and password?
  • The two-step form already is an added roundtrip, and in addition requires user interaction to it’s a thousand times slower than an Ajax roundtrip;
  • Right. It’s almost as good a feature as the “This password is already used by user SoonToBeP0wned666, please choose another one” error message;
  • Excuse me?

Right. It’s almost as good a feature as the “This password is already used by user SoonToBeP0wned666, please choose another one” error message;

To be honest, it's not that much of a difference with the traditional approach when you send e-mail and password at the same time. You'd still receive an error telling you that this e-mail is taken/invalid password, so asking the e-mail first does not make that much of a difference, but it really improves the UX imo (I don't have to go to the register page if the e-mail is not found, the form would change itself on the fly).

Makes generic http(s) form interception much more difficult.



I don't believe that this has anything to do with extra security. What it does allow for is the site to detect whether your account is associated with a single sign on provider. Then, you get redirected to your provider instead of being asked for your password.

My colleague Kelley did a great write up on why the username and password might be on different pages in which she discusses the security implications as well as other interface considerations. Hopefully that clears things up a bit.

Classic DEV Post from Jul 30

PublishTo.Dev: Scheduling article publishing on

Ölbaum profile image

Hey there reader...

Do you prefer sans serif over serif?

You can change your font preferences in the "misc" section of your settings. ❤️