Are login forms that ask for your username and password on two different pages more secure?

Olivier “Ölbaum” Scherler on February 25, 2019

It’s becoming more and more common: instead of a login form where you fill your e-mail or username and your password, you first have to fill your u...
Kevin Woblick

I cannot think of a reason why this should be more secure. From what I know this is a thing where federated accounts may be used. They first check your email to determine if they have to redirect you to another site or ask you for a password.

Related blog article from Brad Frost: bradfrost.com/blog/post/dont-get-c... with hundreds of interesting comments on HN: news.ycombinator.com/item?id=19171402

Olivier “Ölbaum” Scherler

It’s a good point. Also, it’s that article that reminded me of a ticket I had open about this with the security excuse, which in turn prompted this discussion.

Olivier “Ölbaum” Scherler

My opinion is that this trend is the result of Cargo Cult Security: the others are doing it, so it must be more secure. So when people ask me why I am doing it, I will tell them, without further justification, that it’s for security, and they will in turn believe that it’s more secure.

Another possible explanation is that it’s a misunderstanding of the meaning of the term “2-step verification.” The login form asks for your username and password in two different steps, and we all know (believe?) that 2-step verification is more secure.

Quentin Sonrel

I doubt it's a misunderstanding of "2-step authentication" because even big companies (like Google) are doing it, I'm pretty sure they know the difference.

Maybe it's just a design trend, I don't know, but either way it's annoying as hell.

Mihail Malo

IDK, LastPass seems to be doing fine with it.

Matteo Rigon • Edited

I think it's not a security measure per se, but just a way to provide optional multi-factor authentication.
When you submit your username/email the server can check to see if it's a suspicious or legit login attempt and render more or less additional input fields accordingly.
Most of us just see an email field on the first step and a password field on the second step and think it's a bit silly, but if you get prompted with additional fields based on some criteria it seems a pretty clean solution.

Olivier “Ölbaum” Scherler

In multi-factor authentication, the second factor is usually triggered after you successfully typed your password (otherwise anyone could flood people with SMS codes just by filling their e-mail address).

Sergey Kislyakov

You could technically perform some security audit upon entering e-mail, e.g. if you keep track of login attempts. If there are 18493 successful logins from 1.1.1.1 and then someone tries to log in from 2.2.2.2, you could already alert a user about some suspicious attempt.

Brandon Xversial • Edited

This is more secure and has a few extra benefits.

  • Makes generic http(s) form interception much more difficult.
  • Allows synchronous user specific logic defined by the server without the need for preset JavaScript or an added roundtrip.
  • Debatably improves UX
    • ex. Add logic to determine if the user exists, and if not show them the registration form instead of requesting a password. !!! Please note the security risk involved with doing this!!!
  • Cleans up the page

I would like to add in addition that you can accomplish the second bullet point using JavaScript alternatively.
For example, you could add JavaScript logic to listen for changes to the email text input, and conditionally redirect the user if they put an email with specific domain(s).

Olivier “Ölbaum” Scherler

  • Do you mean that if you can intercept and decode HTTPS traffic but only on 50% of requests, then you have a 25% chance to intercept both username and password?
  • The two-step form already is an added roundtrip, and in addition requires user interaction so it’s a thousand times slower than an Ajax roundtrip;
  • Right. It’s almost as good a feature as the “This password is already used by user SoonToBeP0wned666, please choose another one” error message;
  • Excuse me?

Sergey Kislyakov • Edited

> Right. It’s almost as good a feature as the “This password is already used by user SoonToBeP0wned666, please choose another one” error message;

To be honest, it's not that much of a difference with the traditional approach when you send e-mail and password at the same time. You'd still receive an error telling you that this e-mail is taken/invalid password, so asking the e-mail first does not make that much of a difference, but it really improves the UX imo (I don't have to go to the register page if the e-mail is not found, the form would change itself on the fly).

> Makes generic http(s) form interception much more difficult.

How?

Sergey Kislyakov

The only form I remember that does that is Google auth. I guess that's some sort of UX, because you can either sign in or sign up (login/register for those who struggle to understand these dumb sign-things, like me) using the same form. And it's not more secure in any way.

Olivier “Ölbaum” Scherler

I also struggle with sign in and sign up, as English is not my mother tongue. I know the difference, but I have to stop and think. Also, there isn’t enough difference visually to distinguish them without reading.

Google auth is the most broken login form I have seen in my life. If you’re unlucky enough to have more than one account, you can be sure you’re constantly half-logged-in (it remembers you but still wants your password) to the wrong one and the only way to stop it is to log in so you can log out. And start again next time you need to switch accounts (maybe it improved recently, but it’s been awful like that for a while).

Ruslan Shashkov

Those forms must die in a triple-agony. I hope the times will come when this dumbest trend will be gone. I hate when I'm logging in Amazon, Google, Apple, every f...ng site and having a scenario like:

– Click the email field, select my saved creds, unlock with my fingerprint, click next, wait...
– Click the password field, select my f...ng saved creds one more f...ng time, click f...ng next, done...
– Oh no!!! I've accidentally selected the f...ng other creds on the f...ng second bloody step!!! Ffffffffffff...k!!!
– F...ng click the f...ng password f...ng field, f...ng select my f...ng saved creds one more bloody f...ng time, click f...ng bloody next button, now f...ng done OMG!

I hate that! Why are they doing that?

Phil Nash

I don't believe that this has anything to do with extra security. What it does allow for is the site to detect whether your account is associated with a single sign on provider. Then, you get redirected to your provider instead of being asked for your password.

My colleague Kelley did a great write up on why the username and password might be on different pages in which she discusses the security implications as well as other interface considerations. Hopefully that clears things up a bit.
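
The flow several comments above describe (route federated domains to a single sign-on provider after the first page, give no hint whether a local account exists, and send a second-factor code only after the password is accepted), as an added example that is not part of the thread. The domains, accounts, function names and the `passwordOk` / `sendCode` parameters are constructed for illustration.

```javascript
// Added illustration; all names and data below are constructed.
const SSO_DOMAINS = new Map([["corp.example", "https://idp.corp.example/sso"]]);
const ACCOUNTS = new Map([
  ["alice@shop.example", { mfaPhone: "+15550100" }],
  ["bob@shop.example", { mfaPhone: null }],
]);

// Step 1 (first page): only the identifier is known.
function identifierStep(email) {
  const id = String(email).trim().toLowerCase();
  const at = id.lastIndexOf("@");
  if (at < 1 || at === id.length - 1) return { next: "error", reason: "malformed address" };
  // Routing is decided per domain, so it reveals nothing about a single user.
  const idp = SSO_DOMAINS.get(id.slice(at + 1));
  if (idp) return { next: "sso", redirect: idp };
  // Known and unknown local accounts get the identical answer (no enumeration).
  return { next: "password" };
}

// Step 2 (second page). passwordOk is the result of the caller's password-hash
// check, which should also run against a dummy hash for unknown accounts so
// that response time does not distinguish them.
function passwordStep(email, passwordOk, sendCode) {
  const account = ACCOUNTS.get(String(email).trim().toLowerCase());
  if (!account || !passwordOk) return { next: "error", reason: "invalid credentials" };
  // The SMS code goes out only after the password was accepted, so typing
  // someone's address into the form cannot trigger messages to their phone.
  if (account.mfaPhone) {
    sendCode(account.mfaPhone);
    return { next: "second-factor" };
  }
  return { next: "authenticated" };
}
```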