It’s becoming more and more common: instead of a login form where you fill your e-mail or username and your password, you first have to fill your username and submit the form a first time for the password field to appear on the second page (which is often loaded via Ajax, but the fact that the URL doesn’t change doesn’t make the problem disappear).
There is no need to discuss the fact that it’s annoying, but it seems that companies choose to do so because they believe it’s more secure. Is it really? And if so, why?
(Cover image by Del.)
Top comments (15)
I cannot think of a reason why this should be more secure. From what I know, this is a thing where federated accounts may be used. They first check your email to determine if they have to redirect you to another site or ask you for a password.
Related blog article from Brad Frost: bradfrost.com/blog/post/dont-get-c... with hundreds of interesting comments on HN: news.ycombinator.com/item?id=19171402
It’s a good point. Also, it’s that article that reminded me of a ticket I had open about this with the security excuse, which in turn prompted this discussion.
My opinion is that this trend is the result of Cargo Cult Security: the others are doing it, so it must be more secure. So when people ask me why I am doing it, I will tell them, without further justification, that it’s for security, and they will in turn believe that it’s more secure.
Another possible explanation is that it’s a misunderstanding of the meaning of the term “2-step verification.” The login form asks for your username and password in two different steps, and we all know (believe?) that 2-step verification is more secure.
I doubt it's a misunderstanding of "2-step authentication" because even big companies (like Google) are doing it, I'm pretty sure they know the difference.
Maybe it's just a design trend, I don't know, but either way it's annoying as hell.
IDK, LastPass seems to be doing fine with it.
I think it's not a security measure per se, but just a way to provide optional multi-factor authentication.
When you submit your username/email the server can check to see if it's a suspicious or legit login attempt and render more or less additional input fields accordingly.
Most of us just see an email field on the first step and a password field on the second step and think it's a bit silly, but if you get prompted with additional fields based on some criteria it seems a pretty clean solution.
In multi-factor authentication, the second factor is usually triggered after you successfully typed your password (otherwise anyone could flood people with SMS codes just by filling their e-mail address).
You could technically perform some security audit upon entering e-mail, e.g. if you keep tracking of login attempts. If there are 18493 successful logins from 1.1.1.1 and then someone tries to log in from 2.2.2.2, you could already alert a user about some suspicious attempt. This is more secure and has a few extra benefits.
I would like to add in addition that you can accomplish the second bullet point using JavaScript alternatively.
For example, you could add JavaScript logic to listen for changes to the email text input, and conditionally redirect the user if they put an email with specific domain(s).
To be honest, it's not that much of a difference with the traditional approach when you send e-mail and password at the same time. You'd still receive an error telling you that this e-mail is taken/invalid password, so asking the e-mail first does not make that much of a difference, but it really improves the UX imo (I don't have to go to the register page if the e-mail is not found, the form would change itself on the fly).
How?
The only form I remember that does that is Google auth. I guess that's some sort of UX, because you can either sign in or sign up (login/register for those who struggle to understand these dumb sign-things, like me) using the same form. And it's not more secure in any way.
I also struggle with sign in and sign up, as English is not my mother tongue. I know the difference, but I have to stop and think. Also, there isn’t enough difference visually to distinguish them without reading.
Google auth is the most broken login form I have seen in my life. If you’re unlucky enough to have more than one account, you can be sure you’re constantly half-logged-in (it remembers you but still wants your password) to the wrong one and the only way to stop it is to log in so you can log out. And start again next time you need to switch accounts (maybe it improved recently, but it’s been awful like that for a while).
Those forms must die in a triple-agony. I hope the times will come when this dumbest trend will be gone. I hate when I'm logging in to Amazon, Google, Apple, every f...ng site and having a scenario like:
– Click the email field, select my saved creds, unlock with my fingerprint, click next, wait...
– Click the password field, select my f...ng saved creds one more f...ng time, click f...ng next, done...
– Oh no!!! I've accidentally selected the f...ng other creds on the f...ng second bloody step!!! Ffffffffffff...k!!!
– F...ng click the f...ng password f...ng field, f...ng select my f...ng saved creds one more bloody f...ng time, click f...ng bloody next button, now f...ng done OMG!
I hate that! Why are they doing that?
I don't believe that this has anything to do with extra security. What it does allow for is the site to detect whether your account is associated with a single sign on provider. Then, you get redirected to your provider instead of being asked for your password.
My colleague Kelley did a great write up on why the username and password might be on different pages in which she discusses the security implications as well as other interface considerations. Hopefully that clears things up a bit.